Bug 939029 (CVE-2023-41484) - media-libs/cimg: memory leak
Summary: media-libs/cimg: memory leak
Status: UNCONFIRMED
Alias: CVE-2023-41484
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://github.com/eddieantonio/imgca...
Whiteboard: ~4 [ebuild/upstream]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2024-09-04 07:35 UTC by Filip Kobierski
Modified: 2025-03-23 09:18 UTC

See Also:
Package list:
Runtime testing required: ---


Description Filip Kobierski 2024-09-04 07:35:25 UTC
An issue in cimg.eu Cimg Library v2.9.3 allows an attacker to obtain sensitive information via a crafted JPEG file.

I have created a PR fixing this:
https://github.com/gentoo/gentoo/pull/38411
Comment 1 Hans de Graaff gentoo-dev Security 2024-09-08 08:30:49 UTC
I see no references to this issue in the cimg repository. It looks like this was never reported there and we can't be sure if this is fixed somewhere.

Filip: you claim that your PR fixes this, can you explain how this is fixed?
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-12-02 01:41:21 UTC
Ping, fkobi?
Comment 3 Filip Kobierski 2024-12-02 08:14:06 UTC
I'll admit, I was going by repology's CVE list
https://repology.org/project/cimg/cves
My PR was not fixing the issue within the code but dropping the affected version.

This was registered as an issue with imgcat which said that it's a problem
with cimg. I do not see the issue mentioned in cimg's repo...
I think this CVE is messy and I would be willing to close this bug.
There's no hard definition of what causes the bug, just a report of something
going wrong. If we don't know what's wrong how can we know it is fixed?
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2025-03-23 09:16:21 UTC
(In reply to Filip Kobierski from comment #3)
> This was registered as an issue with imgcat which said that it's a problem
> with cimg. I do not see the issue mentioned in cimg's repo...
> I think this CVE is messy and I would be willing to close this bug.
> There's no hard definition of what causes the bug, just a report of something
> going wrong. If we don't know what's wrong how can we know it is fixed?

The cimg person/people would be the people best able to figure out what's really wrong, if anything.