Potential Vulnerability in Cloned Code#21504
Hi @dpiparo, sorry for the duplicated PRs. That was a mistake on our side. Thanks for the heads-up. Closed the PR.
It's me who thanks you. I appreciate your approach. This PR is good, I reopened it. One of the ones I was referring to is, for example, #21420, that looks like a hiccup in a script automating some procedure.
/backport to 6.38, 6.36, 6.32, 6.30, 6.28, 6.26 |
Thank you for the kind words, @dpiparo. Since some of our previous PRs had already been merged, I assumed this one was a duplicate and closed it right away. You are correct that there was a defect in the automation script, and we will fix it soon. Since the PR has now been merged, may I ask whether you have any concerns about us submitting this as a CVE?
Could we please perhaps discuss the matter over email? The address is on our security policy https://github.com/root-project/root?tab=security-ov-file
/backport to 6.36, 6.32, 6.30, 6.28, 6.26 |
/backport to 6.32, 6.30, 6.28, 6.26 |
This PR has been backported to
Summary
Our tool detected a potential vulnerability in graf2d/asimage/src/libAfterImage/libjpeg/jdpostct.c, which was cloned from libjpeg-turbo/libjpeg-turbo but did not receive the security patch that was applied there. The original issue was reported and fixed under https://nvd.nist.gov/vuln/detail/cve-2017-15232.
Proposed Fix
Apply the same patch as the one in libjpeg-turbo/libjpeg-turbo to eliminate the vulnerability.
Reference
https://nvd.nist.gov/vuln/detail/cve-2017-15232
libjpeg-turbo/libjpeg-turbo@1ecd9a5