Debian Bug report logs -
#947477
freeimage: CVE-2019-12212
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
:
Bug#929597
; Package src:freeimage
.
(Sun, 26 May 2019 19:27:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@debian.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
.
(Sun, 26 May 2019 19:27:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: freeimage
Severity: grave
Tags: security
Please see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12211
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12212
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12213
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12214
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
:
Bug#929597
; Package src:freeimage
.
(Sun, 26 May 2019 20:03:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Anton Gladky <gladk@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
.
(Sun, 26 May 2019 20:03:05 GMT) (full text, mbox, link).
Message #10 received at 929597@bugs.debian.org (full text, mbox, reply):
Hi Moritz,
thanks for the reporting. As far as I see, there is still
no available fix from upstream.
Cheers
Anton
Am So., 26. Mai 2019 um 21:27 Uhr schrieb Moritz Muehlenhoff <jmm@debian.org>:
>
> Source: freeimage
> Severity: grave
> Tags: security
>
> Please see
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12211
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12212
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12213
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12214
>
> Cheers,
> Moritz
>
> --
> debian-science-maintainers mailing list
> debian-science-maintainers@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-science-maintainers
Marked as found in versions freeimage/3.18.0+ds2-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Mon, 27 May 2019 11:03:05 GMT) (full text, mbox, link).
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Mon, 27 May 2019 11:03:07 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
:
Bug#929597
; Package src:freeimage
.
(Mon, 27 May 2019 21:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Anton Gladky <gladk@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
.
(Mon, 27 May 2019 21:03:03 GMT) (full text, mbox, link).
Message #21 received at 929597@bugs.debian.org (full text, mbox, reply):
CVE-2019-12214 does not affect buster and stretch.
Jessie should be double checked because an older
version is used there.
Anton
Am So., 26. Mai 2019 um 22:01 Uhr schrieb Anton Gladky <gladk@debian.org>:
>
> Hi Moritz,
>
> thanks for the reporting. As far as I see, there is still
> no available fix from upstream.
>
> Cheers
>
> Anton
>
> Am So., 26. Mai 2019 um 21:27 Uhr schrieb Moritz Muehlenhoff <jmm@debian.org>:
> >
> > Source: freeimage
> > Severity: grave
> > Tags: security
> >
> > Please see
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12211
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12212
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12213
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12214
> >
> > Cheers,
> > Moritz
> >
> > --
> > debian-science-maintainers mailing list
> > debian-science-maintainers@alioth-lists.debian.net
> > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-science-maintainers
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
:
Bug#929597
; Package src:freeimage
.
(Mon, 03 Jun 2019 18:27:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Anton Gladky <gladk@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
.
(Mon, 03 Jun 2019 18:27:03 GMT) (full text, mbox, link).
Message #26 received at 929597@bugs.debian.org (full text, mbox, reply):
There is no upstream fix still available.
I am planning to decrease the severity of
the ticket to normal and track it as a simple
security issue.
Anton
Am Mo., 27. Mai 2019 um 23:01 Uhr schrieb Anton Gladky <gladk@debian.org>:
>
> CVE-2019-12214 does not affect buster and stretch.
> Jessie should be double checked because an older
> version is used there.
>
> Anton
>
> Am So., 26. Mai 2019 um 22:01 Uhr schrieb Anton Gladky <gladk@debian.org>:
> >
> > Hi Moritz,
> >
> > thanks for the reporting. As far as I see, there is still
> > no available fix from upstream.
> >
> > Cheers
> >
> > Anton
> >
> > Am So., 26. Mai 2019 um 21:27 Uhr schrieb Moritz Muehlenhoff <jmm@debian.org>:
> > >
> > > Source: freeimage
> > > Severity: grave
> > > Tags: security
> > >
> > > Please see
> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12211
> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12212
> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12213
> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12214
> > >
> > > Cheers,
> > > Moritz
> > >
> > > --
> > > debian-science-maintainers mailing list
> > > debian-science-maintainers@alioth-lists.debian.net
> > > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-science-maintainers
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
:
Bug#929597
; Package src:freeimage
.
(Tue, 04 Jun 2019 18:24:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Anton Gladky <gladk@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
.
(Tue, 04 Jun 2019 18:24:03 GMT) (full text, mbox, link).
Message #31 received at 929597@bugs.debian.org (full text, mbox, reply):
severity 929597 important
thanks
The fix from upstream is still not available. I am not feeling
confident enough to provide a fix for this complex peace
of code without breaking it.
Also reducing the severity. If the security team decides to
keep it "grave" - feel free to revert it.
Regards
Anton
Am Mo., 3. Juni 2019 um 20:23 Uhr schrieb Anton Gladky <gladk@debian.org>:
>
> There is no upstream fix still available.
>
> I am planning to decrease the severity of
> the ticket to normal and track it as a simple
> security issue.
>
> Anton
>
> Am Mo., 27. Mai 2019 um 23:01 Uhr schrieb Anton Gladky <gladk@debian.org>:
> >
> > CVE-2019-12214 does not affect buster and stretch.
> > Jessie should be double checked because an older
> > version is used there.
> >
> > Anton
> >
> > Am So., 26. Mai 2019 um 22:01 Uhr schrieb Anton Gladky <gladk@debian.org>:
> > >
> > > Hi Moritz,
> > >
> > > thanks for the reporting. As far as I see, there is still
> > > no available fix from upstream.
> > >
> > > Cheers
> > >
> > > Anton
> > >
> > > Am So., 26. Mai 2019 um 21:27 Uhr schrieb Moritz Muehlenhoff <jmm@debian.org>:
> > > >
> > > > Source: freeimage
> > > > Severity: grave
> > > > Tags: security
> > > >
> > > > Please see
> > > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12211
> > > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12212
> > > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12213
> > > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12214
> > > >
> > > > Cheers,
> > > > Moritz
> > > >
> > > > --
> > > > debian-science-maintainers mailing list
> > > > debian-science-maintainers@alioth-lists.debian.net
> > > > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-science-maintainers
Severity set to 'important' from 'grave'
Request was from Anton Gladky <gladk@debian.org>
to control@bugs.debian.org
.
(Tue, 04 Jun 2019 18:24:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
:
Bug#929597
; Package src:freeimage
.
(Tue, 04 Jun 2019 20:45:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>
:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
.
(Tue, 04 Jun 2019 20:45:03 GMT) (full text, mbox, link).
Message #38 received at 929597@bugs.debian.org (full text, mbox, reply):
On Tue, Jun 04, 2019 at 08:20:33PM +0200, Anton Gladky wrote:
> severity 929597 important
> thanks
>
> The fix from upstream is still not available. I am not feeling
> confident enough to provide a fix for this complex peace
> of code without breaking it.
>
> Also reducing the severity. If the security team decides to
> keep it "grave" - feel free to revert it.
Fine, but we still need to fix it once properly fixed upstream.
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
:
Bug#929597
; Package src:freeimage
.
(Sun, 07 Jul 2019 12:30:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Anton Gladky <gladk@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
.
(Sun, 07 Jul 2019 12:30:03 GMT) (full text, mbox, link).
Message #43 received at 929597@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Still no updates from upstream....
Anton
[Message part 2 (text/html, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
:
Bug#929597
; Package src:freeimage
.
(Mon, 30 Sep 2019 19:09:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Anton Gladky <gladk@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
.
(Mon, 30 Sep 2019 19:09:03 GMT) (full text, mbox, link).
Message #48 received at 929597@bugs.debian.org (full text, mbox, reply):
No activity from upstream.
Anton
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
:
Bug#929597
; Package src:freeimage
.
(Mon, 30 Sep 2019 19:48:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
.
(Mon, 30 Sep 2019 19:48:03 GMT) (full text, mbox, link).
Message #53 received at 929597@bugs.debian.org (full text, mbox, reply):
On Mon, Sep 30, 2019 at 09:05:03PM +0200, Anton Gladky wrote:
> No activity from upstream.
Are they still alive upstream? Do you have a cance to ping some
upstream people directly to make them aware of the issue via anothe
channel?
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
:
Bug#929597
; Package src:freeimage
.
(Mon, 30 Sep 2019 19:57:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Anton Gladky <gladk@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
.
(Mon, 30 Sep 2019 19:57:06 GMT) (full text, mbox, link).
Message #58 received at 929597@bugs.debian.org (full text, mbox, reply):
Last commit was in April 2019. We should really think
about existing this package in the Debian.
Anton
Am Mo., 30. Sept. 2019 um 21:44 Uhr schrieb Salvatore Bonaccorso
<carnil@debian.org>:
>
> On Mon, Sep 30, 2019 at 09:05:03PM +0200, Anton Gladky wrote:
> > No activity from upstream.
>
> Are they still alive upstream? Do you have a cance to ping some
> upstream people directly to make them aware of the issue via anothe
> channel?
>
> Regards,
> Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
:
Bug#929597
; Package src:freeimage
.
(Mon, 30 Sep 2019 20:15:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
.
(Mon, 30 Sep 2019 20:15:03 GMT) (full text, mbox, link).
Message #63 received at 929597@bugs.debian.org (full text, mbox, reply):
Hi,
On Mon, Sep 30, 2019 at 09:56:07PM +0200, Anton Gladky wrote:
> Last commit was in April 2019. We should really think
> about existing this package in the Debian.
You mean with "think about existing this package in the Debian" about
a potential removal from Debian? A removal, considering the affected
reverse (build-)depdendencies does not seem realistic at the
moment[1].
Regards,
Salvatore
[1] dak rm --suite=sid -n -R freeimage on respighi would list a lot
of broken Build-Depends and broken Depends.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
:
Bug#929597
; Package src:freeimage
.
(Sat, 26 Oct 2019 14:18:12 GMT) (full text, mbox, link).
Acknowledgement sent
to Hugo Lefeuvre <hle@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
.
(Sat, 26 Oct 2019 14:18:12 GMT) (full text, mbox, link).
Message #68 received at 929597@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
The overflow happens during the following call to memcpy:
// convert to strip
if(x + tileWidth > width) {
src_line = imageRowSize - rowSize;
} else {
src_line = tileRowSize;
}
BYTE *src_bits = tileBuffer;
BYTE *dst_bits = bits + rowSize;
for(int k = 0; k < nrows; k++) {
memcpy(dst_bits, src_bits, src_line);
src_bits += tileRowSize;
dst_bits -= dst_pitch;
}
This portion of code copies image data from a libTIFF-provided buffer to an
internal buffer. The overflow happens because src_line is larger than the
size of dst_bits.
This is the result of an inconsistency between libTIFF and freeimage:
In the libTIFF case, tile row size is
= samplesperpixel * bitspersample * tilewidth / 8
= bitsperpixel * tilewidth / 8
= 6 * 32 * 7 / 8 = 168
In the freeimage case, tile row size is
bitsperpixel * tilewidth / 8
= 32 * 7 / 8 = 28
As a result, the two buffers are differently sized.
freeimage has a bpp of 32 because CreateImageType calls
FreeImage_AllocateHeader with MIN(bpp, 32).
This 'MIN(bpp, 32)' looks like a terrible hack to me, but we can't change
it to 'bpp' because FIT_BITMAP images with bpp > 32 does not seem to be
supported by freeimage. Also, in this case, bpp > 32 doesn't even make
sense:
Looking closely at the reproducer, we can notice that it defines a bilevel
image with samplesperpixel and bitspersample parameters, both unexpected in
bilevel images.
Pixels in bilevel images can either be black or white. There is as such
only one sample per pixel, and a single bit per sample is sufficient. The
spec defines bpp = 8. It is unclear whether the specification allows for
arbitrary values of bitspersample or samplesperpixel (extrasamples?) in
this case.
This file gets rejected by most libTIFF tools.
# patch
+ add check to CreateImageType() to reject FIT_BITMAP images with bpp > 32
instead of passing MIN(bpp, 32).
+ change type of dst_pitch to unsigned
+ call memcpy with MIN(dst_pitch, src_line) instead of src_line. this will
help overcome any further (future) discrepancy between libTIFF and
freeimage.
# tests
I have tested for regressions with the following samples, using a modified
version of Examples/Linux/linux-gtk.c:
http://www.simplesystems.org/libtiff/images.html
During these tests, I found other issues with bilevel images, unrelated to
this patch. I will try to take a look at them in the future.
I can provide additional explanations if there is anything unclear.
I'd like to get this patch peer-reviewed/merged upstream before shipping
it in a Debian release.
regards,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
[CVE-2019-12211.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
:
Bug#929597
; Package src:freeimage
.
(Sat, 26 Oct 2019 18:45:13 GMT) (full text, mbox, link).
Acknowledgement sent
to Anton Gladky <gladk@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
.
(Sat, 26 Oct 2019 18:45:13 GMT) (full text, mbox, link).
Message #73 received at 929597@bugs.debian.org (full text, mbox, reply):
Thanks, Hugo, for analyzing the issue in details and proposing the fix.
Do you want to add the patch into the corresponding forum-thread
in freeimage website?
Regards
Anton
Am Sa., 26. Okt. 2019 um 16:11 Uhr schrieb Hugo Lefeuvre <hle@debian.org>:
>
> Hi,
>
> The overflow happens during the following call to memcpy:
>
> // convert to strip
> if(x + tileWidth > width) {
> src_line = imageRowSize - rowSize;
> } else {
> src_line = tileRowSize;
> }
> BYTE *src_bits = tileBuffer;
> BYTE *dst_bits = bits + rowSize;
> for(int k = 0; k < nrows; k++) {
> memcpy(dst_bits, src_bits, src_line);
> src_bits += tileRowSize;
> dst_bits -= dst_pitch;
> }
>
> This portion of code copies image data from a libTIFF-provided buffer to an
> internal buffer. The overflow happens because src_line is larger than the
> size of dst_bits.
>
> This is the result of an inconsistency between libTIFF and freeimage:
>
> In the libTIFF case, tile row size is
> = samplesperpixel * bitspersample * tilewidth / 8
> = bitsperpixel * tilewidth / 8
> = 6 * 32 * 7 / 8 = 168
>
> In the freeimage case, tile row size is
> bitsperpixel * tilewidth / 8
> = 32 * 7 / 8 = 28
>
> As a result, the two buffers are differently sized.
>
> freeimage has a bpp of 32 because CreateImageType calls
> FreeImage_AllocateHeader with MIN(bpp, 32).
>
> This 'MIN(bpp, 32)' looks like a terrible hack to me, but we can't change
> it to 'bpp' because FIT_BITMAP images with bpp > 32 does not seem to be
> supported by freeimage. Also, in this case, bpp > 32 doesn't even make
> sense:
>
> Looking closely at the reproducer, we can notice that it defines a bilevel
> image with samplesperpixel and bitspersample parameters, both unexpected in
> bilevel images.
>
> Pixels in bilevel images can either be black or white. There is as such
> only one sample per pixel, and a single bit per sample is sufficient. The
> spec defines bpp = 8. It is unclear whether the specification allows for
> arbitrary values of bitspersample or samplesperpixel (extrasamples?) in
> this case.
>
> This file gets rejected by most libTIFF tools.
>
> # patch
>
> + add check to CreateImageType() to reject FIT_BITMAP images with bpp > 32
> instead of passing MIN(bpp, 32).
> + change type of dst_pitch to unsigned
> + call memcpy with MIN(dst_pitch, src_line) instead of src_line. this will
> help overcome any further (future) discrepancy between libTIFF and
> freeimage.
>
> # tests
>
> I have tested for regressions with the following samples, using a modified
> version of Examples/Linux/linux-gtk.c:
>
> http://www.simplesystems.org/libtiff/images.html
>
> During these tests, I found other issues with bilevel images, unrelated to
> this patch. I will try to take a look at them in the future.
>
> I can provide additional explanations if there is anything unclear.
>
> I'd like to get this patch peer-reviewed/merged upstream before shipping
> it in a Debian release.
>
> regards,
> Hugo
>
> --
> Hugo Lefeuvre (hle) | www.owl.eu.com
> RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
> ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
:
Bug#929597
; Package src:freeimage
.
(Sun, 03 Nov 2019 08:33:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Hugo Lefeuvre <hle@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
.
(Sun, 03 Nov 2019 08:33:03 GMT) (full text, mbox, link).
Message #78 received at 929597@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Anton,
> Thanks, Hugo, for analyzing the issue in details and proposing the fix.
>
> Do you want to add the patch into the corresponding forum-thread
> in freeimage website?
yes, I have just forwarded my message to the SF thread. Let's hope upstream
will find some time to take a look at it.
cheers,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
:
Bug#929597
; Package src:freeimage
.
(Sat, 23 Nov 2019 09:39:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Hugo Lefeuvre <hle@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
.
(Sat, 23 Nov 2019 09:39:03 GMT) (full text, mbox, link).
Message #83 received at 929597@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
Upstream seems to have merged my patch along with some more changes
regarding CVE-2019-12213[0].
I am planning to take a look at this patch and release a DLA for jessie.
The security team is also planning to release a DSA for stretch and buster.
I am already working on a jessie upload, so I should also be able to handle
stretch and buster. Anton, you know this package better than me, would you
be available to test the update?
thanks!
regards,
Hugo
[0] https://sourceforge.net/p/freeimage/svn/1825/
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
:
Bug#929597
; Package src:freeimage
.
(Sat, 23 Nov 2019 14:12:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Anton Gladky <gladk@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
.
(Sat, 23 Nov 2019 14:12:05 GMT) (full text, mbox, link).
Message #88 received at 929597@bugs.debian.org (full text, mbox, reply):
Hello Hugo,
thanks for update!
> Anton, you know this package better than me, would you be available to test the update?
I am also not an expert in the package, but sure, I will try to do it.
Regards
Anton
Am Sa., 23. Nov. 2019 um 10:25 Uhr schrieb Hugo Lefeuvre <hle@debian.org>:
>
> Hi,
>
> Upstream seems to have merged my patch along with some more changes
> regarding CVE-2019-12213[0].
>
> I am planning to take a look at this patch and release a DLA for jessie.
>
> The security team is also planning to release a DSA for stretch and buster.
> I am already working on a jessie upload, so I should also be able to handle
> stretch and buster. Anton, you know this package better than me, would you
> be available to test the update?
>
> thanks!
>
> regards,
> Hugo
>
> [0] https://sourceforge.net/p/freeimage/svn/1825/
>
> --
> Hugo Lefeuvre (hle) | www.owl.eu.com
> RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
> ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
:
Bug#929597
; Package src:freeimage
.
(Wed, 11 Dec 2019 14:09:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Hugo Lefeuvre <hle@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
.
(Wed, 11 Dec 2019 14:09:05 GMT) (full text, mbox, link).
Message #93 received at 929597@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
small update:
I have updated jessie with the cherry picked patch for CVE-2019-12213 and
CVE-2019-12211.
I have contacted upstream to know when he is planning to release 3.18.1 so
that we can get this fixed in testing without cherry picking.
I am currently testing stretch and buster updates with the cherry picked
patch.
cheers,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
:
Bug#929597
; Package src:freeimage
.
(Fri, 27 Dec 2019 15:15:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>
.
(Fri, 27 Dec 2019 15:15:04 GMT) (full text, mbox, link).
Message #98 received at 929597@bugs.debian.org (full text, mbox, reply):
Control: clone 929597 -1 -2
Control: retitle 929597 freeimage: CVE-2019-12211 CVE-2019-12213
Control: retitle -1 freeimage: CVE-2019-12212
Control: retitle -2 freeimage: CVE-2019-12214
Hi,
As there will not be a fix for all CVEs in one go, let's split the bug
for the benefit of tracking the fixes. CVE-2019-12211 and
CVE-2019-12213 have the same upstream change, so will clone this into
three.
Regards,
Salvatore
Bug 929597 cloned as bugs 947477, 947478
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 929597-submit@bugs.debian.org
.
(Fri, 27 Dec 2019 15:15:04 GMT) (full text, mbox, link).
Changed Bug title to 'freeimage: CVE-2019-12212' from 'CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 929597-submit@bugs.debian.org
.
(Fri, 27 Dec 2019 15:15:06 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Dec 28 09:09:22 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.