tree 34463e613c259f8fb0d66b73733bc257a9b8dd12
parent 2aae055cf269ba076fce6480353358c71191a2cd
author DRC <information@libjpeg-turbo.org> 1624027563 -0500
committer DRC <information@libjpeg-turbo.org> 1624030131 -0500

ChangeLog.md: List CVE ID fixed by c76f4a08

Referring to #527, the security community did not assign this CVE ID
until more than 8 months after the fix for the issue was released.  By
the time they assigned the ID, libjpeg-turbo already had two production
releases containing the fix.  This calls into question the usefulness of
assigning a CVE ID to the issue, particularly given that the buffer
overrun in question was fully contained in the stack, not detectable
with valgrind, and confined to lossless transformation (it did not
affect JPEG compression or decompression.)

https://vuldb.com/?id.176175
says that "the exploitability is told to be easy" but provides no
clarification, and given that the author of that page does not seem to
be aware that a fix for the issue has been available since early
December of 2019, it calls into question the accuracy of everything else
on the page.

It would really be nice if the security community approached me about
these things before wasting my time, but I guess it's my lot in life to
modify a change log entry from 2019 to include a CVE ID from 2020.

So it goes...