freeimage: CVE-2019-12212

Related Vulnerabilities: CVE-2019-12212 CVE-2019-12211 CVE-2019-12213 CVE-2019-12214

Debian Bug report logs - #947477
freeimage: CVE-2019-12212


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sun, 26 May 2019 19:27:01 UTC

Severity: important

Tags: security, upstream

Found in version freeimage/3.18.0+ds2-1

Forwarded to https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#929597; Package src:freeimage. (Sun, 26 May 2019 19:27:04 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Sun, 26 May 2019 19:27:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214
Date: Sun, 26 May 2019 21:26:17 +0200
Source: freeimage
Severity: grave
Tags: security

Please see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12211
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12212
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12213
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12214

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#929597; Package src:freeimage. (Sun, 26 May 2019 20:03:05 GMT) (full text, mbox, link).


Acknowledgement sent to Anton Gladky <gladk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Sun, 26 May 2019 20:03:05 GMT) (full text, mbox, link).


Message #10 received at 929597@bugs.debian.org (full text, mbox, reply):

From: Anton Gladky <gladk@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 929597@bugs.debian.org
Subject: Re: Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214
Date: Sun, 26 May 2019 22:01:40 +0200
Hi Moritz,

thanks for the report. As far as I see, there is still
no available fix from upstream.

Cheers

Anton




Set Bug forwarded-to-address to 'https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 27 May 2019 11:03:03 GMT) (full text, mbox, link).


Marked as found in versions freeimage/3.18.0+ds2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 27 May 2019 11:03:05 GMT) (full text, mbox, link).


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 27 May 2019 11:03:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#929597; Package src:freeimage. (Mon, 27 May 2019 21:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Anton Gladky <gladk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Mon, 27 May 2019 21:03:03 GMT) (full text, mbox, link).


Message #21 received at 929597@bugs.debian.org (full text, mbox, reply):

From: Anton Gladky <gladk@debian.org>
To: 929597@bugs.debian.org
Subject: Re: Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214
Date: Mon, 27 May 2019 23:01:14 +0200
CVE-2019-12214 does not affect buster and stretch.
Jessie should be double checked because an older
version is used there.

Anton




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#929597; Package src:freeimage. (Mon, 03 Jun 2019 18:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to Anton Gladky <gladk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Mon, 03 Jun 2019 18:27:03 GMT) (full text, mbox, link).


Message #26 received at 929597@bugs.debian.org (full text, mbox, reply):

From: Anton Gladky <gladk@debian.org>
To: 929597@bugs.debian.org
Subject: Re: Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214
Date: Mon, 3 Jun 2019 20:23:27 +0200
There is still no upstream fix available.

I am planning to decrease the severity of
the ticket to normal and track it as a simple
security issue.

Anton




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#929597; Package src:freeimage. (Tue, 04 Jun 2019 18:24:03 GMT) (full text, mbox, link).


Acknowledgement sent to Anton Gladky <gladk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Tue, 04 Jun 2019 18:24:03 GMT) (full text, mbox, link).


Message #31 received at 929597@bugs.debian.org (full text, mbox, reply):

From: Anton Gladky <gladk@debian.org>
To: 929597@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>, control@bugs.debian.org
Subject: Re: Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214
Date: Tue, 4 Jun 2019 20:20:33 +0200
severity 929597 important
thanks

The fix from upstream is still not available. I am not feeling
confident enough to provide a fix for this complex piece
of code without breaking it.

Also reducing the severity. If the security team decides to
keep it "grave" - feel free to revert it.

Regards


Anton




Severity set to 'important' from 'grave'. Request was from Anton Gladky <gladk@debian.org> to control@bugs.debian.org. (Tue, 04 Jun 2019 18:24:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#929597; Package src:freeimage. (Tue, 04 Jun 2019 20:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Tue, 04 Jun 2019 20:45:03 GMT) (full text, mbox, link).


Message #38 received at 929597@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Anton Gladky <gladk@debian.org>
Cc: 929597@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>, control@bugs.debian.org
Subject: Re: Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214
Date: Tue, 4 Jun 2019 22:43:50 +0200
On Tue, Jun 04, 2019 at 08:20:33PM +0200, Anton Gladky wrote:
> severity 929597 important
> thanks
> 
> The fix from upstream is still not available. I am not feeling
> confident enough to provide a fix for this complex piece
> of code without breaking it.
> 
> Also reducing the severity. If the security team decides to
> keep it "grave" - feel free to revert it.

Fine, but we still need to fix it once properly fixed upstream.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#929597; Package src:freeimage. (Sun, 07 Jul 2019 12:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to Anton Gladky <gladk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Sun, 07 Jul 2019 12:30:03 GMT) (full text, mbox, link).


Message #43 received at 929597@bugs.debian.org (full text, mbox, reply):

From: Anton Gladky <gladk@debian.org>
To: 929597@bugs.debian.org
Subject: not fixed by upstream
Date: Sun, 7 Jul 2019 14:25:00 +0200
Still no updates from upstream....

Anton

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#929597; Package src:freeimage. (Mon, 30 Sep 2019 19:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to Anton Gladky <gladk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Mon, 30 Sep 2019 19:09:03 GMT) (full text, mbox, link).


Message #48 received at 929597@bugs.debian.org (full text, mbox, reply):

From: Anton Gladky <gladk@debian.org>
To: 929597@bugs.debian.org
Subject: Re: not fixed by upstream
Date: Mon, 30 Sep 2019 21:05:03 +0200
No activity from upstream.

Anton



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#929597; Package src:freeimage. (Mon, 30 Sep 2019 19:48:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Mon, 30 Sep 2019 19:48:03 GMT) (full text, mbox, link).


Message #53 received at 929597@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Anton Gladky <gladk@debian.org>, 929597@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#929597: not fixed by upstream
Date: Mon, 30 Sep 2019 21:44:53 +0200
On Mon, Sep 30, 2019 at 09:05:03PM +0200, Anton Gladky wrote:
> No activity from upstream.

Are they still alive upstream? Do you have a chance to ping some
upstream people directly to make them aware of the issue via another
channel?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#929597; Package src:freeimage. (Mon, 30 Sep 2019 19:57:06 GMT) (full text, mbox, link).


Acknowledgement sent to Anton Gladky <gladk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Mon, 30 Sep 2019 19:57:06 GMT) (full text, mbox, link).


Message #58 received at 929597@bugs.debian.org (full text, mbox, reply):

From: Anton Gladky <gladk@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 929597@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#929597: not fixed by upstream
Date: Mon, 30 Sep 2019 21:56:07 +0200
Last commit was in April 2019. We should really think
about existing this package in the Debian.

Anton




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#929597; Package src:freeimage. (Mon, 30 Sep 2019 20:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Mon, 30 Sep 2019 20:15:03 GMT) (full text, mbox, link).


Message #63 received at 929597@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Anton Gladky <gladk@debian.org>
Cc: 929597@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#929597: not fixed by upstream
Date: Mon, 30 Sep 2019 22:10:28 +0200
Hi,

On Mon, Sep 30, 2019 at 09:56:07PM +0200, Anton Gladky wrote:
> Last commit was in April 2019. We should really think
> about existing this package in the Debian.

You mean with "think about existing this package in the Debian" about
a potential removal from Debian? A removal, considering the affected
reverse (build-)dependencies does not seem realistic at the
moment[1].

Regards,
Salvatore

 [1] dak rm --suite=sid -n -R freeimage on respighi would list a lot
 of broken Build-Depends and broken Depends.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#929597; Package src:freeimage. (Sat, 26 Oct 2019 14:18:12 GMT) (full text, mbox, link).


Acknowledgement sent to Hugo Lefeuvre <hle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Sat, 26 Oct 2019 14:18:12 GMT) (full text, mbox, link).


Message #68 received at 929597@bugs.debian.org (full text, mbox, reply):

From: Hugo Lefeuvre <hle@debian.org>
To: 929597@bugs.debian.org
Cc: Anton Gladky <gladk@debian.org>
Subject: [PATCH] CVE-2019-12211: heap buffer overflow via memcpy
Date: Sat, 26 Oct 2019 16:11:29 +0200
Hi,

The overflow happens during the following call to memcpy:

    // convert to strip
    // src_line: bytes copied per row. A tile hanging over the right edge is
    // trimmed to what remains of the image row; otherwise a full tile row is
    // copied (tileRowSize, sized by libTIFF from samplesperpixel * bitspersample).
    if(x + tileWidth > width) {
            src_line = imageRowSize - rowSize;
    } else {
            src_line = tileRowSize;
    }
    BYTE *src_bits = tileBuffer;          // tile data provided by libTIFF
    BYTE *dst_bits = bits + rowSize;      // FreeImage strip buffer, rows sized from MIN(bpp, 32)
    for(int k = 0; k < nrows; k++) {
            // src_line is never checked against dst_pitch, so a larger libTIFF
            // row size writes past the end of the destination row
            memcpy(dst_bits, src_bits, src_line);
            src_bits += tileRowSize;
            dst_bits -= dst_pitch;        // scanlines are stored bottom-up: walk downward
    }

This portion of code copies image data from a libTIFF-provided buffer to an
internal buffer. The overflow happens because src_line is larger than the
size of dst_bits.

This is the result of an inconsistency between libTIFF and freeimage:

In the libTIFF case, tile row size is
= samplesperpixel * bitspersample * tilewidth / 8
= bitsperpixel * tilewidth / 8
= 6 * 32 * 7 / 8 = 168

In the freeimage case, tile row size is
bitsperpixel * tilewidth / 8
= 32 * 7 / 8 = 28

As a result, the two buffers are differently sized.

freeimage has a bpp of 32 because CreateImageType calls
FreeImage_AllocateHeader with MIN(bpp, 32).

This 'MIN(bpp, 32)' looks like a terrible hack to me, but we can't change
it to 'bpp' because FIT_BITMAP images with bpp > 32 do not seem to be
supported by freeimage. Also, in this case, bpp > 32 doesn't even make
sense:

Looking closely at the reproducer, we can notice that it defines a bilevel
image with samplesperpixel and bitspersample parameters, both unexpected in
bilevel images.

Pixels in bilevel images can either be black or white. There is as such
only one sample per pixel, and a single bit per sample is sufficient.  The
spec defines bpp = 8. It is unclear whether the specification allows for
arbitrary values of bitspersample or samplesperpixel (extrasamples?) in
this case.

This file gets rejected by most libTIFF tools.

# patch

+ add check to CreateImageType() to reject FIT_BITMAP images with bpp > 32
  instead of passing MIN(bpp, 32).
+ change type of dst_pitch to unsigned
+ call memcpy with MIN(dst_pitch, src_line) instead of src_line. this will
  help overcome any further (future) discrepancy between libTIFF and
  freeimage.

# tests

I have tested for regressions with the following samples, using a modified
version of Examples/Linux/linux-gtk.c:

http://www.simplesystems.org/libtiff/images.html

During these tests, I found other issues with bilevel images, unrelated to
this patch. I will try to take a look at them in the future.

I can provide additional explanations if there is anything unclear.

I'd like to get this patch peer-reviewed/merged upstream before shipping
it in a Debian release.

regards,
Hugo

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
[CVE-2019-12211.patch (text/x-diff, attachment)]
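As an added example (not code from the message above or from FreeImage itself), a constructed C model of the size mismatch described there and of two steps from the patch description: rejecting FIT_BITMAP images with bpp > 32, and clamping the copy length to MIN(dst_pitch, src_line). All function names and the sample values are hypothetical; the row loop is replayed with bounds accounting instead of a real memcpy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model (hypothetical names, not FreeImage's own code) of the
 * tile-to-strip copy discussed in the message: libTIFF sizes a tile row
 * from samplesperpixel * bitspersample, while the FreeImage bitmap header
 * was allocated with MIN(bpp, 32), so the two row sizes disagree. */

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Largest bpp a FIT_BITMAP can carry, as stated in the message. */
#define FIT_BITMAP_MAX_BPP 32u

/* Tile row size as libTIFF computes it:
 * samplesperpixel * bitspersample * tilewidth / 8. */
unsigned tiff_tile_row_size(unsigned samplesperpixel, unsigned bitspersample,
                            unsigned tilewidth)
{
    return samplesperpixel * bitspersample * tilewidth / 8;
}

/* Row size of the FreeImage strip buffer: the header was allocated with
 * MIN(bpp, 32), so anything above 32 bpp is silently truncated here. */
unsigned freeimage_row_size(unsigned bpp, unsigned width)
{
    return MIN(bpp, FIT_BITMAP_MAX_BPP) * width / 8;
}

/* Patch step 1: reject FIT_BITMAP images with bpp > 32 instead of clamping. */
bool accept_bitmap_bpp(unsigned bpp)
{
    return bpp <= FIT_BITMAP_MAX_BPP;
}

/* Patch step 3: never copy more than one destination row per memcpy. */
unsigned clamped_copy_len(unsigned dst_pitch, unsigned src_line)
{
    return MIN(dst_pitch, src_line);
}

/* Replay the row loop with bounds accounting instead of a real memcpy.
 * The strip buffer holds nrows rows of dst_pitch bytes; scanlines are
 * stored bottom-up, so dst_bits starts at the last row and walks downward
 * by dst_pitch. Returns true when every copy stays inside the buffer and
 * false when at least one would write past its end. */
bool copy_rows_in_bounds(unsigned dst_pitch, unsigned nrows,
                         unsigned src_line, bool hardened)
{
    size_t dst_size = (size_t)dst_pitch * nrows;
    unsigned len = hardened ? clamped_copy_len(dst_pitch, src_line) : src_line;

    for (unsigned k = 0; k < nrows; k++) {
        size_t dst_off = (size_t)(nrows - 1 - k) * dst_pitch;
        if (dst_off + len > dst_size)
            return false; /* this memcpy would run past the heap buffer */
    }
    return true;
}

int main(void)
{
    /* Constructed values taken from the message: a bilevel TIFF claiming
     * samplesperpixel = 6, bitspersample = 32, tilewidth = 7. */
    unsigned spp = 6, bps = 32, tilewidth = 7, nrows = 4;
    unsigned bpp = spp * bps;                                    /* 192 */
    unsigned src_line = tiff_tile_row_size(spp, bps, tilewidth); /* 168 */
    unsigned dst_pitch = freeimage_row_size(bpp, tilewidth);     /* 28  */

    printf("libTIFF tile row: %u bytes, FreeImage row: %u bytes\n",
           src_line, dst_pitch);
    printf("unpatched copy stays in bounds: %s\n",
           copy_rows_in_bounds(dst_pitch, nrows, src_line, false) ? "yes" : "no");
    printf("bpp %u accepted after the patch: %s\n", bpp,
           accept_bitmap_bpp(bpp) ? "yes" : "no");
    printf("clamped copy stays in bounds: %s\n",
           copy_rows_in_bounds(dst_pitch, nrows, src_line, true) ? "yes" : "no");
    return 0;
}
```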

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#929597; Package src:freeimage. (Sat, 26 Oct 2019 18:45:13 GMT) (full text, mbox, link).


Acknowledgement sent to Anton Gladky <gladk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Sat, 26 Oct 2019 18:45:13 GMT) (full text, mbox, link).


Message #73 received at 929597@bugs.debian.org (full text, mbox, reply):

From: Anton Gladky <gladk@debian.org>
To: Hugo Lefeuvre <hle@debian.org>
Cc: 929597@bugs.debian.org
Subject: Re: [PATCH] CVE-2019-12211: heap buffer overflow via memcpy
Date: Sat, 26 Oct 2019 20:40:53 +0200
Thanks, Hugo, for analyzing the issue in detail and proposing the fix.

Do you want to add the patch to the corresponding forum thread
on the freeimage website?

Regards

Anton




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#929597; Package src:freeimage. (Sun, 03 Nov 2019 08:33:03 GMT) (full text, mbox, link).


Acknowledgement sent to Hugo Lefeuvre <hle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Sun, 03 Nov 2019 08:33:03 GMT) (full text, mbox, link).


Message #78 received at 929597@bugs.debian.org (full text, mbox, reply):

From: Hugo Lefeuvre <hle@debian.org>
To: Anton Gladky <gladk@debian.org>
Cc: 929597@bugs.debian.org
Subject: Re: [PATCH] CVE-2019-12211: heap buffer overflow via memcpy
Date: Sun, 3 Nov 2019 09:23:31 +0100
Hi Anton,

> Thanks, Hugo, for analyzing the issue in details and proposing the fix.
> 
> Do you want to add the patch into the corresponding forum-thread
> in freeimage website?

yes, I have just forwarded my message to the SF thread. Let's hope upstream
will find some time to take a look at it.

cheers,
Hugo

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#929597; Package src:freeimage. (Sat, 23 Nov 2019 09:39:03 GMT) (full text, mbox, link).


Acknowledgement sent to Hugo Lefeuvre <hle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Sat, 23 Nov 2019 09:39:03 GMT) (full text, mbox, link).


Message #83 received at 929597@bugs.debian.org (full text, mbox, reply):

From: Hugo Lefeuvre <hle@debian.org>
To: 929597@bugs.debian.org
Cc: Anton Gladky <gladk@debian.org>
Subject: Re: [PATCH] CVE-2019-12211: heap buffer overflow via memcpy
Date: Sat, 23 Nov 2019 10:25:06 +0100
Hi,

Upstream seems to have merged my patch along with some more changes
regarding CVE-2019-12213[0].

I am planning to take a look at this patch and release a DLA for jessie.

The security team is also planning to release a DSA for stretch and buster.
I am already working on a jessie upload, so I should also be able to handle
stretch and buster.  Anton, you know this package better than me, would you
be available to test the update?

thanks!

regards,
Hugo

[0] https://sourceforge.net/p/freeimage/svn/1825/

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#929597; Package src:freeimage. (Sat, 23 Nov 2019 14:12:05 GMT) (full text, mbox, link).


Acknowledgement sent to Anton Gladky <gladk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Sat, 23 Nov 2019 14:12:05 GMT) (full text, mbox, link).


Message #88 received at 929597@bugs.debian.org (full text, mbox, reply):

From: Anton Gladky <gladk@debian.org>
To: Hugo Lefeuvre <hle@debian.org>
Cc: 929597@bugs.debian.org
Subject: Re: [PATCH] CVE-2019-12211: heap buffer overflow via memcpy
Date: Sat, 23 Nov 2019 15:08:48 +0100
Hello Hugo,

thanks for the update!

> Anton, you know this package better than me, would you be available to test the update?
I am also not an expert in the package, but sure, I will try to do it.

Regards

Anton




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#929597; Package src:freeimage. (Wed, 11 Dec 2019 14:09:04 GMT) (full text, mbox, link).


Acknowledgement sent to Hugo Lefeuvre <hle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Wed, 11 Dec 2019 14:09:05 GMT) (full text, mbox, link).


Message #93 received at 929597@bugs.debian.org (full text, mbox, reply):

From: Hugo Lefeuvre <hle@debian.org>
To: 929597@bugs.debian.org
Cc: Anton Gladky <gladk@debian.org>, team@security.debian.org
Subject: Re: Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214
Date: Wed, 11 Dec 2019 15:03:41 +0100
Hi,

small update:

I have updated jessie with the cherry picked patch for CVE-2019-12213 and
CVE-2019-12211.

I have contacted upstream to know when he is planning to release 3.18.1 so
that we can get this fixed in testing without cherry picking.

I am currently testing stretch and buster updates with the cherry picked
patch.

cheers,
Hugo

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>:
Bug#929597; Package src:freeimage. (Fri, 27 Dec 2019 15:15:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>. (Fri, 27 Dec 2019 15:15:04 GMT) (full text, mbox, link).


Message #98 received at 929597@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 929597@bugs.debian.org
Cc: Anton Gladky <gladk@debian.org>, Hugo Lefeuvre <hle@debian.org>
Subject: Re: Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214
Date: Fri, 27 Dec 2019 16:13:57 +0100
Control: clone 929597 -1 -2
Control: retitle 929597 freeimage: CVE-2019-12211 CVE-2019-12213
Control: retitle -1 freeimage: CVE-2019-12212
Control: retitle -2 freeimage: CVE-2019-12214

Hi,

As there will not be a fix for all CVEs in one go, let's split the bug
for the benefit of tracking the fixes. CVE-2019-12211 and
CVE-2019-12213 have the same upstream change, so will clone this into
three.

Regards,
Salvatore



Bug 929597 cloned as bugs 947477, 947478. Request was from Salvatore Bonaccorso <carnil@debian.org> to 929597-submit@bugs.debian.org. (Fri, 27 Dec 2019 15:15:04 GMT) (full text, mbox, link).


Changed Bug title to 'freeimage: CVE-2019-12212' from 'CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 929597-submit@bugs.debian.org. (Fri, 27 Dec 2019 15:15:06 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Dec 28 09:09:22 2019; Machine Name: beach
