[Urgent security issue] FreeImage arbitrary code execution vulnerability

Question

[Urgent security issue] FreeImage arbitrary code execution vulnerability

MissLavender-LQ opened this issue 2 months ago · comments

main 2 I think is the most important to point out

[CVE-2023-47994]
[CVE-2023-47992]

both of these can run arbitrary code one of them being from the BMP plugin
so I am assuming a person could get a user to load a malicious BMP or a file with a malicious bpm inside of it

Free Image should either be forked and fixed asap or abandoned for a different library

active project i could find that use freeimage
https://github.com/sirjuddington/SLADE
https://github.com/TrenchBroom/TrenchBroom
https://github.com/RetroPie/EmulationStation
https://github.com/MonoGame/MonoGame
https://github.com/meganz/MEGAsync
https://github.com/OGRECave/ogre
https://github.com/OGRECave/ogre-next
https://github.com/Open-Cascade-SAS/OCCT
https://github.com/arrayfire/forge
https://git.sr.ht/~exec64/imv
https://github.com/arrayfire/arrayfire

Free Image v3.18.0

[CVE-2021-33367] (https://nvd.nist.gov/vuln/detail/CVE-2021-33367)
Buffer Overflow vulnerability in Freeimage v3.18.0 allows attacker to cause a denial of service via a crafted JXR file.
[CVE-2023-47992] (https://nvd.nist.gov/vuln/detail/CVE-2023-47992)
An integer overflow vulnerability in FreeImageIO.cpp::_MemoryReadProc in FreeImage 3.18.0 allows attackers to obtain sensitive information, cause a denial-of-service attacks and/or run arbitrary code.
[CVE-2023-47993] (https://nvd.nist.gov/vuln/detail/CVE-2023-47993)
A Buffer out-of-bound read vulnerability in Exif.cpp::ReadInt32 in FreeImage 3.18.0 allows attackers to cause a denial-of-service.
[CVE-2023-47994] (https://nvd.nist.gov/vuln/detail/CVE-2023-47994)
An integer overflow vulnerability in LoadPixelDataRLE4 function in PluginBMP.cpp in Freeimage 3.18.0 allows attackers to obtain sensitive information, cause a denial of service and/or run arbitrary code.
[CVE-2023-47995] (https://nvd.nist.gov/vuln/detail/CVE-2023-47995)
Memory Allocation with Excessive Size Value discovered in BitmapAccess.cpp::FreeImage_AllocateBitmap in FreeImage 3.18.0 allows attackers to cause a denial of service.
[CVE-2023-47996] (https://nvd.nist.gov/vuln/detail/CVE-2023-47996)
An integer overflow vulnerability in Exif.cpp::jpeg_read_exif_dir in FreeImage 3.18.0 allows attackers to obtain information and cause a denial of service.

Free Image before v1.18.0

[CVE-2021-40262] (https://nvd.nist.gov/vuln/detail/CVE-2021-40262)
A stack exhaustion issue was discovered in FreeImage before 1.18.0 via the Validate function in PluginRAW.cpp.
[CVE-2021-40263] (https://nvd.nist.gov/vuln/detail/CVE-2021-40263)
A heap overflow vulnerability in FreeImage 1.18.0 via the ofLoad function in PluginTIFF.cpp.
[CVE-2021-40264] (https://nvd.nist.gov/vuln/detail/CVE-2021-40264)
NULL pointer dereference vulnerability in FreeImage before 1.18.0 via the FreeImage_CloneTag function inFreeImageTag.cpp.
[CVE-2021-40265] (https://nvd.nist.gov/vuln/detail/CVE-2021-40265)
A heap overflow bug exists FreeImage before 1.18.0 via ofLoad function in PluginJPEG.cpp.
[CVE-2021-40266] (https://nvd.nist.gov/vuln/detail/CVE-2021-40266)
FreeImage before 1.18.0, ReadPalette function in PluginTIFF.cpp is vulnerabile to null pointer dereference.

Kristian Duske · Answer 1 · Mon Apr 01 2024 15:16:11 GMT+0800 (China Standard Time)

On Mac and Windows, we build freeimage and link it via vcpkg, and it hasn‘t been fixed there. I will update the library when they have updated or patched it. If you feel that this is very urgent, you might be able to find patches on freeimage‘s forum and integrate them into vcpkg.

On Linux, we use the library of the host system, so we can‘t do anything about it.

xaGe · Answer 2 · Tue Apr 02 2024 00:04:11 GMT+0800 (China Standard Time)

I am sure most of the rolling distributions like Arch will patch this themselves or use public patches. Eventually the other's would back port fixes as well. They will need to.

On Linux, we use the library of the host system, so we can‘t do anything about it.

MissLavender · Answer 3 · Tue Apr 02 2024 03:41:40 GMT+0800 (China Standard Time)

the issue is freeimage doesnt seem to be geting updated any more

xaGe · Answer 4 · Tue Apr 02 2024 03:59:22 GMT+0800 (China Standard Time)

the issue is freeimage doesnt seem to be geting updated any more

Can you please point to a post that details this on their website, https://sourceforge.net/projects/freeimage/ ? I can't seem to find it. Their last update was last year, The last freeimage update was 2023-05-20, which isn't out of the ordinary.

MissLavender · Answer 5 · Wed Apr 03 2024 18:36:48 GMT+0800 (China Standard Time)

nothing dirrect but i was assuming that since they havnt mentioned the vulnerability on their site any where

in another git issue i made someone mentioned that there is now a fork/continuation of free image ill link that here in a sec

MissLavender · Answer 6 · Wed Apr 03 2024 18:40:37 GMT+0800 (China Standard Time)

OGRECave/ogre#3069 (comment)

https://github.com/agruzdev/FreeImageRe

MissLavender · Answer 7 · Wed Apr 03 2024 18:42:43 GMT+0800 (China Standard Time)

so this likely means i should make issues on distros about replacing freeimage FreeimageRe

might be some time before i do that since i havnt been feeling well

xaGe · Answer 8 · Wed Apr 03 2024 18:48:38 GMT+0800 (China Standard Time)

Yup, upstream issues to the distributions themselves would be best. I would not worry about it too much just yet. Many distros use it, they will need to fix it, whether through another fork or what have you.

Felix Wang · Answer 9 · Thu Apr 11 2024 17:52:08 GMT+0800 (China Standard Time)

https://github.com/danoli3/FreeImage is also a fork repo.

Btw, not long ago, I received an email about the plan of orphaning freeimage package on Fedora from its package maintainer:

I intend to orphan freeimage. Probably, the package should rather just
be retired. Upstream is effectively dead, and there is a constant stream
of CVEs getting filed against the package which are not addressed
upstream. Over the past two years I've fixed many of those CVEs
downstream, but the most recent batch of 15 CVEs is leading me to
capitulate. Currently, the following packages require freeimage:

PerceptualDiff
allegro5
cegui06
deepin-image-viewer
gazebo
imv
ogre
photoqt

A minimal impact check:

PerceptualDiff: freeimage is a hard dependency. PerceptualDiff itself
has seen its last commit 4 years ago, last release 8 years ago
allegro5: freeimage is an optional dependency
cegui06: freeimage is an optional dependency
deepin-image-viewer: freeimage is a hard dependency
gazebo: freeimage is a hard dependency. (The fedora package is for
"gazebo-classic" https://github.com/gazebosim/gazebo-classic, which
points to https://github.com/gazebosim/gz-sim as the "latest version",
which does not appear to require freeimage)
imv: freeimage is an optional dependency
ogre: freeimage is an optional dependency
photoqt: freeimage is an optional dependency