| Summary: | freeimage new security issues CVE-2019-12211 and 2019-12213 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, nicolas.salguero, sysadmin-bugs, tarazed25, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | freeimage-3.18.0-1.mga7.src.rpm | CVE: | CVE-2019-12211, 2019-12213 |
| Status comment: | |||
Description
David Walser
2019-12-27 03:44:36 CET

David Walser
2019-12-27 03:44:48 CET
Whiteboard: (none) => MGA7TOO

Lewis Smith
2019-12-27 10:34:52 CET
Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

When FreeImage 3.18.0 reads a tiff file, it will be handed to the Load function of the PluginTIFF.cpp file, but a memcpy occurs in which the destination address and the size of the copied data are not considered, resulting in a heap overflow. (CVE-2019-12211)

When FreeImage 3.18.0 reads a special TIFF file, the TIFFReadDirectory function in PluginTIFF.cpp always returns 1, leading to stack exhaustion. (CVE-2019-12213)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12211
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12213
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/56P2TDRB2FEJEWDRIAOPGEDF7L2VNA7B/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PUWVVP67FYM4GMWD7TPQ7C7JPPRUZHYE/
========================

Updated packages in core/updates_testing:
========================
lib(64)freeimage3-3.18.0-2.mga7
lib(64)freeimage-devel-3.18.0-2.mga7

from SRPMS:
freeimage-3.18.0-2.mga7.src.rpm

Whiteboard: MGA7TOO => (none)

Not sure how to test this one. There are indications that freeimage might be used by the backend rendering engine framework ogre, but installing and using that is a subject in itself. Regarding CVE-2019-12211, there is some discussion upstream on test cases for heap-buffer and stack overflow issues. Shall chase those later. After that it will probably be a case of a clean upgrade, or not.

CC: (none) => tarazed25

Mageia7, x86_64

Installed the freeimage libraries and the game stuntrally. Started stuntrally under strace, perused the help screens, then started a game which segfaulted immediately. The trace shows that lib64freeimage3 is opened. Downloaded the three files intended for use as PoC, but there is no procedure. The reader is probably expected to write code which uses particular functions of the library to demonstrate the overflow issues.

Updated the libraries without issues. Started stuntrally from the system menus, selected a game and go. Immediate crash. Tried again under strace and the whole thing crashed without even showing the interface. The trace finishes with this, right after "Sound init ok":

clone(child_stack=0x7fdcafbfceb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[6679], tls=0x7fdcafbfd700, child_tidptr=0x7fdcafbfd9d0) = 6679
clock_gettime(CLOCK_PROCESS_CPUTIME_ID, <unfinished ...>) = ?
+++ killed by SIGSEGV (core dumped) +++

/lib64/libfreeimage.so.3 appears to have been opened successfully. Don't know how to interpret this. Do we just go with a clean update and ignore whatever bugs this exposes in the game?

Installed another game, opendungeons, and stumbled about in that. libfreeimage-3.18.0.so was accessed during the game. No obvious problems and managed to exit cleanly. Giving this an OK.

Whiteboard: (none) => MGA7-64-OK

Reads to me like stunt rally needs its own bug. We need a gamer to pursue that one.

Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund
2020-01-05 13:44:30 CET
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0019.html

Resolution: (none) => FIXED