Hi Andreas,

On Mon, Mar 02, 2020 at 06:29:40PM +0100, Andreas Tille wrote:
> On Mon, Mar 02, 2020 at 03:43:16PM +0100, Salvatore Bonaccorso wrote:
> > Hi Andreas,
> >
> > On Mon, Mar 02, 2020 at 01:45:04PM +0000, Debian Bug Tracking System wrote:
> > > Hello Andreas,
> > >
> > > I think I've fixed these bugs indeed, a few months ago.
> > >
> > > Regards,
> > >
> > > David.
> > >
> > > PS : I'm sorry but I don't write Changelog for CImg anymore. Not
> > > that I don't maintain it, but I write my changes directly in the
> > > Changelog of the G'MIC project.
> >
> > So this means 2.8.4 upstream contains the fix for CVE-2018-7587, any
> > pointers to the upstream commit which fixed the issue, was it fixed
> > before 2.8.4?
> >
> > Many thanks in advance,
>
> I understood David that this was fixed even before. He has not pointed
> to any specific commit.

Then we need some help to track this down. We would like, from a
security point of view, to try to track the issues as exactly as
possible and confirmed.

The CVE-2018-7587 assignment itself is not very transparent on its own,
unfortunately. The only reference I found was that it relates to
https://github.com/dtschump/CImg/issues/185 (as some other CVEs around
that time). But now there were 5 testcases, and 5 other CVEs relate to
upstream commit 10af1e8c1ad2a58a0a3342a856bae63e8f257abb.

CVE-2018-7587 itself says it is for the "DoS occurs when loading a
crafted bmp image that triggers an allocation failure in load_bmp in
CImg.h".

David, is this association correct?

Regards,
Salvatore