Request for CVE Assignment for Previously Fixed, Yet Still Vulnerable, Issues #20

Closed
opened 2023-12-26 22:25:49 -08:00 by Heewon · 2 comments

Hi, I am Heewon, and I am writing to bring to your attention four vulnerabilities that our security team recently identified in imlib2. Although these issues have been addressed in your latest updates, we have observed that prior versions remain susceptible to exploitation.

Our intent is to request Common Vulnerabilities and Exposures (CVE) identifiers for these vulnerabilities to ensure accurate and standardized communication within the cybersecurity community.
The vulnerabilities have already been fixed in your most recent releases, but the potential risk persists for users who have not yet updated to the latest versions.
Moreover, installing feh with the Debian-provided packages (imlib2 1.6.1 on Ubuntu 20.04.5 LTS and imlib2 1.7.4 on Ubuntu 22.04 LTS) via apt may lead to severe problems, which is common behavior for users.

Here is a brief summary of the identified vulnerabilities along with the pertinent details:

CVE-2023-XXX1: [Description of Vulnerability 1]
- Fixed in version 1.10.0
- Still vulnerable versions: up to 1.9.1
- url: https://github.com/derf/feh/issues/709

CVE-2023-XXX2: [Description of Vulnerability 2]
- Fixed in version 1.10.0
- Still vulnerable versions: up to 1.9.1
- url: https://github.com/derf/feh/issues/710

CVE-2023-XXX3: [Description of Vulnerability 3]
- Fixed in version 1.10.0
- Still vulnerable versions: up to 1.9.1
- url: https://github.com/derf/feh/issues/711

CVE-2023-XXX4: [Description of Vulnerability 4]
- Fixed in version 1.10.0
- Still vulnerable versions: up to 1.9.1
- url: https://github.com/derf/feh/issues/712

We believe that assigning CVEs to these vulnerabilities will serve as a valuable reference for users who may still be operating on earlier software versions. This information will aid in facilitating effective communication, understanding, and mitigation efforts across the security community.

We kindly request that you escalate this matter to the relevant department within your organization responsible for CVE assignments. If your organization follows a specific process for such requests, please provide guidance on the steps we should follow.

Understanding that you are committed to maintaining the security and integrity of your software, we appreciate your attention to this matter. Should you require any additional information or clarification, please do not hesitate to reach out.

Thank you for your cooperation, and we look forward to continued collaboration in enhancing the security of imlib2.
Owner

Hello, and thanks for the bug report(s).

The issues are all caused by the TGA loader bug fixed by https://git.enlightenment.org/old/legacy-imlib2/commit/e9c09deb08047c9e902ce37144e82b6edb8aedb6 (included first in v1.10.0).

At least some of the bug descriptions are somewhat misleading. The problems are all caused by memory corruption due to an indexing bug in the tgaflip() function.
This memory corruption can probably manifest itself in countless interesting ways.

If distributions chose to ship imlib2 versions with known vulnerabilities there is not much we can do about it.
Owner

as @kw said. this is fixed in 1.10 - the solution is to upgrade to 1.10. 1.9.1 by definition can NEVER be fixed as you cannot (or well never should - ever) modify an already released version silently without a new version number.

as such there is no system for handling CVEs here, there is little point doing anything. if a bug (security or otherwise) is brought to our attention and then is fixed - that's it - bug is fixed. upgrade to that release with the fix. that's what we do. nothing more. if someone wants to make a song and dance about it with CVE filings and paperwork and what not... that's up to them. :)

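The practical takeaway of the thread is a version boundary: imlib2 releases up to 1.9.1 carry the TGA loader bug, and 1.10.0 is the first release with the fix. The check below is an added example, not code from imlib2 or the reporter; it compares installed versions numerically (a plain string comparison would wrongly rank "1.9.1" above "1.10.0") and parses a dpkg-style "Version:" field, including the epoch and Debian revision that distribution packages add. The dpkg and pkg-config outputs it reads are constructed inline, not captured from a real system.

```python
import re

# Boundary stated in the thread: the TGA loader fix is first included in v1.10.0.
FIXED_IN = (1, 10, 0)

# Constructed sample output in the style of `dpkg -s libimlib2` and
# `pkg-config --modversion imlib2`; not taken from a real machine.
SAMPLE_DPKG_OUTPUT = """Package: libimlib2
Status: install ok installed
Version: 1.7.4-2
"""
SAMPLE_PKGCONFIG_OUTPUT = "1.9.1\n"


def parse_upstream_version(raw):
    """Turn '1:1.7.4-2ubuntu1' or '1.10.0' into an int tuple such as (1, 7, 4).

    The Debian epoch (before ':') and packaging revision (after '-') are
    stripped first. Comparing int tuples avoids the lexical trap where the
    string '1.9.1' sorts after '1.10.0'.
    """
    v = raw.strip()
    if ":" in v:
        v = v.split(":", 1)[1]
    v = v.split("-", 1)[0]
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError("unrecognised version string: %r" % raw)
    return tuple(int(x or 0) for x in m.groups())


def is_vulnerable(raw):
    """True when the installed upstream version predates the 1.10.0 fix."""
    return parse_upstream_version(raw) < FIXED_IN


def version_from_dpkg(text):
    """Extract the raw 'Version:' value from `dpkg -s` style output."""
    for line in text.splitlines():
        if line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no Version: field in dpkg output")


if __name__ == "__main__":
    for label, raw in (("dpkg", version_from_dpkg(SAMPLE_DPKG_OUTPUT)),
                       ("pkg-config", SAMPLE_PKGCONFIG_OUTPUT)):
        state = "vulnerable (< 1.10.0)" if is_vulnerable(raw) else "fixed"
        print("%s reports imlib2 %s: %s" % (label, raw.strip(), state))
```

A distribution that backports the fix keeps the upstream version number and only bumps the packaging revision, so a version below 1.10.0 is an indicator to confirm against the package changelog, not proof on its own.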
kw closed this issue 2024-01-02 10:21:38 -08:00
Reference: old/legacy-imlib2#20