Hi there. I am Heewon, and I am writing to you regarding the recent vulnerabilities that our security team identified in Hugin. I appreciate your prompt attention to these matters, and I am pleased that the vulnerabilities have been confirmed and successfully patched by your development team.

To provide a standardized reference for these vulnerabilities within the cybersecurity community, we would like to request the assignment of Common Vulnerabilities and Exposures (CVE) identifiers. These identifiers will help streamline communication and information sharing among security professionals. Below is a brief summary of the vulnerabilities along with the relevant details:

### CVE-2023-XXX1: [Description of Vulnerability 1]
- Confirmation: Fixed in Hugin 2022.0.0
- Patch: 2023.0beta1 on 2023-06-29 by tmodes user
- url: https://bugs.launchpad.net/hugin/+bug/2025032

### CVE-2023-XXX2: [Description of Vulnerability 2]
- Confirmation: Fixed in Hugin 2022.0.0
- Patch: 2023.0beta1 on 2023-06-29 by tmodes user
- url: https://bugs.launchpad.net/hugin/+bug/2025035

### CVE-2023-XXX3: [Description of Vulnerability 3]
- Confirmation: Fixed in Hugin 2022.0.0
- Patch: 2023.0beta1 on 2023-06-29 by tmodes user
- url: https://bugs.launchpad.net/hugin/+bug/2025036

### CVE-2023-XXX4: [Description of Vulnerability 4]
- Confirmation: Fixed in Hugin 2022.0.0
- Patch: 2023.0beta1 on 2023-06-29 by tmodes user
- url: https://bugs.launchpad.net/hugin/+bug/2025037

### CVE-2023-XXX5: [Description of Vulnerability 5]
- Confirmation: Fixed in Hugin 2022.0.0
- Patch: 2023.0beta1 on 2023-06-29 by tmodes user
- url: https://bugs.launchpad.net/hugin/+bug/2025038

We kindly request that you forward this information to the appropriate party responsible for CVE assignments within your organization. If your organization has a designated CVE Numbering Authority (CNA), please let us know the preferred process for CVE assignment.

Additionally, we have submitted the same request to MITRE Corporation and CERT/CC, the primary CVE Numbering Authority, for their consideration.
However, CERT/CC asked us to refer to you for CVE assignments. Please work on this case and let us know which steps to take.

Thank you for your cooperation and commitment to addressing security issues promptly. If you require any further information or clarification, please do not hesitate to reach out.

We look forward to continuing a collaborative approach to enhancing the security of Hugin and appreciate your ongoing dedication to the security and well-being of your users.

--
You received this bug notification because you are a member of Hugin Bug Hunters, which is subscribed to Hugin.
https://bugs.launchpad.net/bugs/2025036

Title:
  NULL pointer dereference error in HuginBase::ImageVariable<double>::linkWith

Status in Hugin:
  Fix Released

Bug description:
  Hi there

  We just want to share that the latest version (2022.0.0) of pto_merge causes a null pointer error. Here is the output of the program with AddressSanitizer attached.

  ### Bug Report

  AddressSanitizer:DEADLYSIGNAL
  =================================================================
  ==3844==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f1d38983b07 bp 0x7fff493bd1f0 sp 0x7fff493b6920 T0)
  ==3844==The signal is caused by a READ memory access.
  ==3844==Hint: address points to the zero page.
      #0 0x7f1d38983b06 in bool std::operator==<std::vector<double, std::allocator<double> >, std::vector<double, std::allocator<double> > >(std::shared_ptr<std::vector<double, std::allocator<double> > > const&, std::shared_ptr<std::vector<double, std::allocator<double> > > const&) /usr/include/c++/9/bits/shared_ptr.h:384
      #1 0x7f1d38983b06 in HuginBase::ImageVariable<std::vector<double, std::allocator<double> > >::linkWith(HuginBase::ImageVariable<std::vector<double, std::allocator<double> > >*) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/ImageVariable.h:184
      #2 0x7f1d38983b06 in HuginBase::BaseSrcPanoImage::linkRadialDistortion(HuginBase::BaseSrcPanoImage*) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/image_variables.h:93
      #3 0x7f1d38983b06 in HuginBase::PanoramaMemento::loadPTScript(std::istream&, int&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/image_variables.h:93
      #4 0x7f1d389a6618 in HuginBase::Panorama::readData(std::istream&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/Panorama.cpp:2178
      #5 0x56488e0f5975 in main /home/ubuntu/targets/hugin-2022.0.0_original/src/tools/pto_merge.cpp:99
      #6 0x7f1d3609a082 in __libc_start_main ../csu/libc-start.c:308
      #7 0x56488e0f6c5d in _start (/home/ubuntu/targets/hugin-2022.0.0_original/build/src/tools/pto_merge+0xbc5d)

  AddressSanitizer can not provide additional info.
  SUMMARY: AddressSanitizer: SEGV /usr/include/c++/9/bits/shared_ptr.h:384 in bool std::operator==<std::vector<double, std::allocator<double> >, std::vector<double, std::allocator<double> > >(std::shared_ptr<std::vector<double, std::allocator<double> > > const&, std::shared_ptr<std::vector<double, std::allocator<double> > > const&)
  ==3844==ABORTING

  ### Environment

  OS: Ubuntu 20.04.5 LTS x86_64
  Release: hugin 2022.0.0
  Program: pto_merge
  libhuginbase: 2020.0.0 (retrieved and compiled from source code)
  libpano13: 2.9.19

  To reproduce the problem, we need to build hugin:

      sudo cmake -DCMAKE_C_FLAGS="-g" -DCMAKE_CXX_FLAGS="-g" ..

  ### How to reproduce

      $ pto_merge poc-file *.jpg

  (*.jpg any name of jpg file including asterisk(*))

  poc-file is attached.