Debian Bug report logs - #797165
CVE-2015-0852: integer overflow in PluginPCX.cpp


Package: src:freeimage; Maintainer for src:freeimage is Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>;

Reported by: Raphael Hertzog <hertzog@debian.org>

Date: Fri, 28 Aug 2015 08:33:02 UTC

Severity: serious

Tags: fixed-upstream, patch, security, upstream

Found in version freeimage/3.10.0-4

Fixed in versions freeimage/3.15.4-5, freeimage/3.15.4-4.2, freeimage/3.15.1-1.1

Done: Anton Gladky <gladk@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#797165; Package src:freeimage. (Fri, 28 Aug 2015 08:33:06 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
New Bug report received and forwarded. Copy sent to Debian QA Group <packages@qa.debian.org>. (Fri, 28 Aug 2015 08:33:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2015-0852: integer overflow in PluginPCX.cpp
Date: Fri, 28 Aug 2015 10:29:28 +0200
Source: freeimage
Version: 3.10.0-4
Severity: serious
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for freeimage.

CVE-2015-0852[0]:
Integer overflow in PluginPCX.cpp

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-0852
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0852
    https://marc.info/?l=oss-security&m=144073280200732&w=2
    Please adjust the affected versions in the BTS as needed.

BTW upstream patches are available but they are not minimal patches:
http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?r1=1.17&r2=1.18&pathrev=MAIN
http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?r1=1.18&r2=1.19&pathrev=MAIN

Hopefully one of the people who will discover this RC bug (because
their package depends on freeimage or whatever) can be convinced to take
over this package... it has been orphaned for way too long.

Note that the package has another pending security issue (#786790).

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#797165; Package src:freeimage. (Mon, 14 Sep 2015 08:39:29 GMT) (full text, mbox, link).


Acknowledgement sent to "W. Martin Borgert" <debacle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Mon, 14 Sep 2015 08:39:29 GMT) (full text, mbox, link).


Message #10 received at 797165@bugs.debian.org (full text, mbox, reply):

From: "W. Martin Borgert" <debacle@debian.org>
To: 797165@bugs.debian.org, control@bugs.debian.org
Cc: Raphael Hertzog <hertzog@debian.org>
Subject: CVE-2015-0852: integer overflow in PluginPCX.cpp
Date: Mon, 14 Sep 2015 10:35:08 +0200
[Message part 1 (text/plain, inline)]
tags 797165 +patch
thanks

Could someone please check attached patch? Thanks.
[fix_integer_overflow.patch (text/x-diff, attachment)]

Added tag(s) patch. Request was from "W. Martin Borgert" <debacle@debian.org> to control@bugs.debian.org. (Mon, 14 Sep 2015 08:39:31 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#797165; Package src:freeimage. (Mon, 14 Sep 2015 17:36:08 GMT) (full text, mbox, link).


Acknowledgement sent to Scott Howard <showard314@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Mon, 14 Sep 2015 17:36:08 GMT) (full text, mbox, link).


Message #17 received at 797165@bugs.debian.org (full text, mbox, reply):

From: Scott Howard <showard314@gmail.com>
To: 797165@bugs.debian.org
Subject: freeimage: fixing CVE hints
Date: Mon, 14 Sep 2015 13:33:48 -0400
Hello - Freeimage > 1.5.4 (that is, the current sid version) requires
OpenJPEG 2.1.0, which is not in Debian. I wasted some time trying to
make freeimage 1.7 work with openjpeg 1.5, but it's taking a bit too
much time. At this moment, the best course of action may be to simply
carry the new patches Raphael pointed out rather than updating
freeimage then working to remove openjpeg 2.1 support. Just a hint, if
you're ambitious, please don't let my comment stop you.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#797165; Package src:freeimage. (Tue, 15 Sep 2015 21:21:23 GMT) (full text, mbox, link).


Acknowledgement sent to Anton Gladky <gladk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Tue, 15 Sep 2015 21:21:23 GMT) (full text, mbox, link).


Message #22 received at 797165@bugs.debian.org (full text, mbox, reply):

From: Anton Gladky <gladk@debian.org>
To: 797165@bugs.debian.org, Control bugs server <control@bugs.debian.org>
Cc: Scott Howard <showard314@gmail.com>, "W. Martin Borgert" <debacle@debian.org>
Subject: Uploaded to delay/2
Date: Tue, 15 Sep 2015 23:02:25 +0200
[Message part 1 (text/plain, inline)]
tags 797165 +pending
thanks

Dear all,

I have prepared an NMU with the patch, provided by
W. Martin Borgert based on 2 commits in svn
of upstream into DELAYED/2. See debdiff in attachment.

Please feel free to tell me if I should delay it longer, drop it
or reschedule.

Best regards

Anton
[nmu.debdiff (application/octet-stream, attachment)]

Added tag(s) pending. Request was from Anton Gladky <gladk@debian.org> to control@bugs.debian.org. (Tue, 15 Sep 2015 21:21:54 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#797165; Package src:freeimage. (Wed, 16 Sep 2015 09:21:07 GMT) (full text, mbox, link).


Acknowledgement sent to Ghislain Vaillant <ghisvail@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Wed, 16 Sep 2015 09:21:07 GMT) (full text, mbox, link).


Message #29 received at 797165@bugs.debian.org (full text, mbox, reply):

From: Ghislain Vaillant <ghisvail@gmail.com>
To: 797165@bugs.debian.org
Subject: moving forward
Date: Wed, 16 Sep 2015 10:17:31 +0100
Hello everyone,

From Raphael:
> Hopefully one of the people who will discover this RC bug
> (because their package depends on freeimage or whatever) can be
> convinced to take over this package... it has been orphaned for way too
> long.

I am one such package maintainer (ArrayFire) affected by the autorm of 
freeimage. Also, other projects I am involved with do use freeimage. I 
may consider taking over the maintenance of freeimage under d-science 
but want to evaluate the amount of efforts that would require first.

From Scott:
> Freeimage > 1.5.4 (that is, the current sid version) requires
> OpenJPEG 2.1.0, which is not in Debian.

> At this moment, the best course of action may be to simply carry the
> new patches Raphael pointed out rather than updating freeimage then
> working to remove openjpeg 2.1 support.

Which you hinted to be a non-trivial task, isn't it? Would it make 
things easier if OpenJPEG was updated to 2.1.0 in Debian? I guess it 
would be a requirement for a potential update of freeimage to 3.17 onwards?

Just trying to define what the "ideal" course of actions should be. I 
understand the latter is currently far from reality.

Best regards,
Ghislain



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#797165; Package src:freeimage. (Wed, 16 Sep 2015 11:06:34 GMT) (full text, mbox, link).


Acknowledgement sent to Andreas Beckmann <andreas@abeckmann.de>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Wed, 16 Sep 2015 11:06:34 GMT) (full text, mbox, link).


Message #34 received at 797165@bugs.debian.org (full text, mbox, reply):

From: Andreas Beckmann <andreas@abeckmann.de>
To: 797165@bugs.debian.org, Anton Gladky <gladk@debian.org>
Subject: Re: Uploaded to delay/2
Date: Wed, 16 Sep 2015 12:47:53 +0200
On Tue, 15 Sep 2015 23:02:25 +0200 Anton Gladky <gladk@debian.org> wrote:
> I have prepared an NMU with the patch, provided by
> W. Martin Borgert based on 2 commits in svn
> of upstream into DELAYED/2. See debdiff in attachment.

You should make a proper QA upload instead of a NMU since the package is
orphaned.


Andreas



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#797165; Package src:freeimage. (Wed, 16 Sep 2015 19:27:04 GMT) (full text, mbox, link).


Acknowledgement sent to Anton Gladky <gladk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Wed, 16 Sep 2015 19:27:04 GMT) (full text, mbox, link).


Message #39 received at 797165@bugs.debian.org (full text, mbox, reply):

From: Anton Gladky <gladk@debian.org>
To: Andreas Beckmann <andreas@abeckmann.de>
Cc: 797165@bugs.debian.org
Subject: Re: Uploaded to delay/2
Date: Wed, 16 Sep 2015 21:24:28 +0200
[Message part 1 (text/plain, inline)]
Ok, thanks for the note. Reuploaded.

Anton


2015-09-16 12:47 GMT+02:00 Andreas Beckmann <andreas@abeckmann.de>:
> You should make a proper QA upload instead of a NMU since the package is
> orphaned.
[qa.debdiff (application/octet-stream, attachment)]

Reply sent to debacle@debian.org (W. Martin Borgert):
You have taken responsibility. (Fri, 18 Sep 2015 19:54:13 GMT) (full text, mbox, link).


Notification sent to Raphael Hertzog <hertzog@debian.org>:
Bug acknowledged by developer. (Fri, 18 Sep 2015 19:54:13 GMT) (full text, mbox, link).


Message #44 received at 797165-close@bugs.debian.org (full text, mbox, reply):

From: debacle@debian.org (W. Martin Borgert)
To: 797165-close@bugs.debian.org
Subject: Bug#797165: fixed in freeimage 3.15.4-5
Date: Fri, 18 Sep 2015 19:50:37 +0000
Source: freeimage
Source-Version: 3.15.4-5

We believe that the bug you reported is fixed in the latest version of
freeimage, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 797165@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
W. Martin Borgert <debacle@debian.org> (supplier of updated freeimage package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 15 Sep 2015 22:50:49 +0200
Source: freeimage
Binary: libfreeimage-dev libfreeimage3 libfreeimage3-dbg
Architecture: source
Version: 3.15.4-5
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: W. Martin Borgert <debacle@debian.org>
Description:
 libfreeimage-dev - Support library for graphics image formats (development files)
 libfreeimage3 - Support library for graphics image formats (library)
 libfreeimage3-dbg - Support library for graphics image formats (debugging symbols)
Closes: 797165
Changes:
 freeimage (3.15.4-5) unstable; urgency=medium
 .
   [ W. Martin Borgert ]
   * QA upload.
   * [e807e1c] Fix integer overflow. (Closes: #797165)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#797165; Package src:freeimage. (Fri, 25 Sep 2015 20:09:04 GMT) (full text, mbox, link).


Acknowledgement sent to Anton Gladky <gladk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Fri, 25 Sep 2015 20:09:04 GMT) (full text, mbox, link).


Message #49 received at 797165@bugs.debian.org (full text, mbox, reply):

From: Anton Gladky <gladk@debian.org>
To: Ghislain Vaillant <ghisvail@gmail.com>, 797165@bugs.debian.org
Subject: Re: Bug#797165: moving forward
Date: Fri, 25 Sep 2015 22:04:55 +0200
Hi Ghislain,

I made the previous upload of freeimage to fix RC-bug and
had the same idea to adopt freeimage under Debian-Science.

As far as I understand openjpeg is already in Debian [1].

So, let's do it?

[1] https://tracker.debian.org/pkg/openjpeg2

Cheers

Anton


2015-09-16 11:17 GMT+02:00 Ghislain Vaillant <ghisvail@gmail.com>:
> Hello everyone,
>
> From Raphael:
>> Hopefully one of the people who will discover this RC bug (because
>> their package depends on freeimage or whatever) can be convinced to take
>> over this package... it has been orphaned for way too long.
>
> I am one such package maintainer (ArrayFire) affected by the autorm of
> freeimage. Also, other projects I am involved with do use freeimage. I may
> consider taking over the maintenance of freeimage under d-science but want
> to evaluate the amount of efforts that would require first.
>
> From Scott:
>> Freeimage > 1.5.4 (that is, the current sid version) requires OpenJPEG
>> 2.1.0, which is not in Debian.
>
>> At this moment, the best course of action may be to simply carry the new
>> patches Raphael pointed out rather than updating freeimage then working to
>> remove openjpeg 2.1 support.
>
> Which you hinted to be a non-trivial task, isn't it? Would it make things
> easier if OpenJPEG was updated to 2.1.0 in Debian? I guess it would be a
> requirement for a potential update of freeimage to 3.17 onwards?
>
> Just trying to define what the "ideal" course of actions should be. I
> understand the latter is currently far from reality.
>
> Best regards,
> Ghislain
>
> --
> To unsubscribe, send mail to 797165-unsubscribe@bugs.debian.org.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#797165; Package src:freeimage. (Sat, 26 Sep 2015 10:18:03 GMT) (full text, mbox, link).


Acknowledgement sent to Ghislain Vaillant <ghisvail@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Sat, 26 Sep 2015 10:18:03 GMT) (full text, mbox, link).


Message #54 received at 797165@bugs.debian.org (full text, mbox, reply):

From: Ghislain Vaillant <ghisvail@gmail.com>
To: Anton Gladky <gladk@debian.org>, 797165@bugs.debian.org
Subject: Re: Bug#797165: ITA bug for freeimage?
Date: Sat, 26 Sep 2015 11:15:29 +0100
Absolutely!

Shall I file an ITA for freeimage and begin transitioning the packaging 
repository to d-science?

Ghis


On 25/09/15 21:04, Anton Gladky wrote:
> Hi Ghislain,
>
> I made the previous upload of freeimage to fix RC-bug and
> had the same idea to adopt freeimage under Debian-Science.
>
> As far as I understand openjpeg is already in Debian [1].
>
> So, let's do it?
>
> [1] https://tracker.debian.org/pkg/openjpeg2
>
> Cheers
>
> Anton
>
>
> 2015-09-16 11:17 GMT+02:00 Ghislain Vaillant <ghisvail@gmail.com>:
>> Hello everyone,
>>
>>  From Raphael:
>>> Hopefully one of the people who will discover this RC bug (because
>>> their package depends on freeimage or whatever) can be convinced to take
>>> over this package... it has been orphaned for way too long.
>>
>> I am one such package maintainer (ArrayFire) affected by the autorm of
>> freeimage. Also, other projects I am involved with do use freeimage. I may
>> consider taking over the maintenance of freeimage under d-science but want
>> to evaluate the amount of efforts that would require first.
>>
>>  From Scott:
>>> Freeimage > 1.5.4 (that is, the current sid version) requires OpenJPEG
>>> 2.1.0, which is not in Debian.
>>
>>> At this moment, the best course of action may be to simply carry the new
>>> patches Raphael pointed out rather than updating freeimage then working to
>>> remove openjpeg 2.1 support.
>>
>> Which you hinted to be a non-trivial task, isn't it? Would it make things
>> easier if OpenJPEG was updated to 2.1.0 in Debian? I guess it would be a
>> requirement for a potential update of freeimage to 3.17 onwards?
>>
>> Just trying to define what the "ideal" course of actions should be. I
>> understand the latter is currently far from reality.
>>
>> Best regards,
>> Ghislain
>>
>> --
>> To unsubscribe, send mail to 797165-unsubscribe@bugs.debian.org.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#797165; Package src:freeimage. (Sat, 26 Sep 2015 11:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Anton Gladky <gladk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Sat, 26 Sep 2015 11:45:03 GMT) (full text, mbox, link).


Message #59 received at 797165@bugs.debian.org (full text, mbox, reply):

From: Anton Gladky <gladk@debian.org>
To: Ghislain Vaillant <ghisvail@gmail.com>
Cc: "797165@bugs.debian.org" <797165@bugs.debian.org>
Subject: Re: Bug#797165: ITA bug for freeimage?
Date: Sat, 26 Sep 2015 13:42:15 +0200
[Message part 1 (text/plain, inline)]
Sure. I think you can just retitle an existing
Orphan-bug and close it by next upload.

Regards

Anton

On Saturday, 26 September 2015, Ghislain Vaillant wrote:

> Absolutely!
>
> Shall I file an ITA for freeimage and begin transitioning the packaging
> repository to d-science?
>
> Ghis
>
>
> On 25/09/15 21:04, Anton Gladky wrote:
>
>> Hi Ghislain,
>>
>> I made the previous upload of freeimage to fix RC-bug and
>> had the same idea to adopt freeimage under Debian-Science.
>>
>> As far as I understand openjpeg is already in Debian [1].
>>
>> So, let's do it?
>>
>> [1] https://tracker.debian.org/pkg/openjpeg2
>>
>> Cheers
>>
>> Anton
>>
>>
>> 2015-09-16 11:17 GMT+02:00 Ghislain Vaillant <ghisvail@gmail.com>:
>>
>>> Hello everyone,
>>>
>>>  From Raphael:
>>>
>>>> Hopefully one of the people who will discover this RC bug (because
>>>> their package depends on freeimage or whatever) can be convinced to take
>>>> over this package... it has been orphaned for way too long.
>>>>
>>>
>>> I am one such package maintainer (ArrayFire) affected by the autorm of
>>> freeimage. Also, other projects I am involved with do use freeimage. I
>>> may consider taking over the maintenance of freeimage under d-science but
>>> want to evaluate the amount of efforts that would require first.
>>>
>>>  From Scott:
>>>
>>>> Freeimage > 1.5.4 (that is, the current sid version) requires OpenJPEG
>>>> 2.1.0, which is not in Debian.
>>>>
>>>
>>>> At this moment, the best course of action may be to simply carry the new
>>>> patches Raphael pointed out rather than updating freeimage then working
>>>> to remove openjpeg 2.1 support.
>>>>
>>>
>>> Which you hinted to be a non-trivial task, isn't it? Would it make things
>>> easier if OpenJPEG was updated to 2.1.0 in Debian? I guess it would be a
>>> requirement for a potential update of freeimage to 3.17 onwards?
>>>
>>> Just trying to define what the "ideal" course of actions should be. I
>>> understand the latter is currently far from reality.
>>>
>>> Best regards,
>>> Ghislain
>>>
>>> --
>>> To unsubscribe, send mail to 797165-unsubscribe@bugs.debian.org.
>>>
>>

-- 

Anton
[Message part 2 (text/html, inline)]


Reply sent to Anton Gladky <gladk@debian.org>:
You have taken responsibility. (Thu, 05 Nov 2015 15:57:23 GMT) (full text, mbox, link).


Notification sent to Raphael Hertzog <hertzog@debian.org>:
Bug acknowledged by developer. (Thu, 05 Nov 2015 15:57:24 GMT) (full text, mbox, link).


Message #69 received at 797165-close@bugs.debian.org (full text, mbox, reply):

From: Anton Gladky <gladk@debian.org>
To: 797165-close@bugs.debian.org
Subject: Bug#797165: fixed in freeimage 3.15.4-4.2
Date: Thu, 05 Nov 2015 15:47:06 +0000
Source: freeimage
Source-Version: 3.15.4-4.2

We believe that the bug you reported is fixed in the latest version of
freeimage, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 797165@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anton Gladky <gladk@debian.org> (supplier of updated freeimage package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 29 Oct 2015 19:06:00 +0100
Source: freeimage
Binary: libfreeimage-dev libfreeimage3 libfreeimage3-dbg
Architecture: source amd64
Version: 3.15.4-4.2
Distribution: jessie-security
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Anton Gladky <gladk@debian.org>
Description:
 libfreeimage-dev - Support library for graphics image formats (development files)
 libfreeimage3 - Support library for graphics image formats (library)
 libfreeimage3-dbg - Support library for graphics image formats (debugging symbols)
Closes: 797165
Changes:
 freeimage (3.15.4-4.2) jessie-security; urgency=high
 .
   * Non-maintainer upload.
   * Fix integer overflow CVE-2015-0852. (Closes: #797165)




Reply sent to Anton Gladky <gladk@debian.org>:
You have taken responsibility. (Fri, 06 Nov 2015 09:36:07 GMT) (full text, mbox, link).


Notification sent to Raphael Hertzog <hertzog@debian.org>:
Bug acknowledged by developer. (Fri, 06 Nov 2015 09:36:07 GMT) (full text, mbox, link).


Message #74 received at 797165-close@bugs.debian.org (full text, mbox, reply):

From: Anton Gladky <gladk@debian.org>
To: 797165-close@bugs.debian.org
Subject: Bug#797165: fixed in freeimage 3.15.1-1.1
Date: Fri, 06 Nov 2015 09:32:56 +0000
Source: freeimage
Source-Version: 3.15.1-1.1

We believe that the bug you reported is fixed in the latest version of
freeimage, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 797165@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anton Gladky <gladk@debian.org> (supplier of updated freeimage package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 29 Oct 2015 22:33:32 +0100
Source: freeimage
Binary: libfreeimage-dev libfreeimage3 libfreeimage3-dbg
Architecture: source amd64
Version: 3.15.1-1.1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Anton Gladky <gladk@debian.org>
Description: 
 libfreeimage-dev - Support library for graphics image formats (development files)
 libfreeimage3 - Support library for graphics image formats (library)
 libfreeimage3-dbg - Support library for graphics image formats (debugging symbols)
Closes: 797165
Changes: 
 freeimage (3.15.1-1.1) wheezy-security; urgency=high
 .
   * Non-maintainer upload.
   * Fix integer overflow CVE-2015-0852. (Closes: #797165)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 21 Feb 2016 07:40:44 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 20:35:14 2025; Machine Name: buxtehude
