CVE-2019-12214


Cyrille Bollu

Apr 25, 2024, 11:20:50 AM
to OpenJPEG
Hi openjpeg maintainers,

I'm contacting you regarding CVE-2019-12214 (https://www.cve.org/CVERecord?id=CVE-2019-12214).

I think it has been wrongly attributed to freeimage at the time of its discovery (https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/), and that we should update this CVE to list openjpeg as an affected configuration.

I've been part of a lengthy discussion about this issue with the Debian LTS team (https://lists.debian.org/debian-lts/2024/04/msg00058.html), and the conclusion for now is that we would like to have your confirmation that the vulnerability reported in CVE-2019-12214 has been addressed in your code.

From what I've seen, the affected function j2k_read_ppm_v3 in file j2k.c has been removed in openjpeg 2.1.0. But we would like confirmation that the out-of-bounds vulnerability wasn't re-introduced elsewhere at that time. Could you please give us some assurance on this? Don't be afraid to go technical if needed ;-)

Best regards,

Cyrille
