An issue in cimg.eu Cimg Library v2.9.3 allows an attacker to obtain sensitive information via a crafted JPEG file. I have created a PR fixing this: https://github.com/gentoo/gentoo/pull/38411
I see no references to this issue in the cimg repository. It looks like this was never reported there and we can't be sure if this is fixed somewhere. Filip: you claim that your PR fixes this, can you explain how this is fixed?
Ping, fkobi?
I'll admit, I was going by repology's CVE list https://repology.org/project/cimg/cves . My PR was not fixing the issue within the code but dropping the affected version. This was registered as an issue with imgcat which said that it's a problem with cimg. I do not see the issue mentioned in cimg's repo... I think this CVE is messy and I would be willing to close this bug. There's no hard definition of what causes the bug, just a report of something going wrong. If we don't know what's wrong how can we know it is fixed?
(In reply to Filip Kobierski from comment #3)
> This was registered as an issue with imgcat which said that it's a problem
> with cimg. I do not see the issue mentioned in cimg's repo...
> I think this CVE is messy and I would be willing to close this bug.
> There's no hard definition of what causes the bug, just a report of something
> going wrong. If we don't know what's wrong how can we know it is fixed?

The cimg person/people would be the people best able to figure out what's really wrong, if anything.