Bug 16662 - freeimage new security issue CVE-2015-0852
Summary: freeimage new security issue CVE-2015-0852
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/656894/
Whiteboard: MGA4TOO has_procedure advisory MGA4-6...
Keywords: validated_update
Depends on:
Blocks:
Reported: 2015-08-28 19:26 CEST by David Walser
Modified: 2015-09-08 21:40 CEST (History)
5 users

See Also:
Source RPM: freeimage-3.153-5.mga5.src.rpm
CVE:
Status comment:
Description David Walser 2015-08-28 19:26:09 CEST
A security issue in freeimage has been announced:
http://openwall.com/lists/oss-security/2015/08/28/1

The upstream commit to fix the issue is linked in the message above.

Mageia 4 and Mageia 5 are also affected.

David Walser 2015-08-28 19:26:16 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-09-02 22:16:35 CEST
I've committed the upstream patch for this issue, but it looks like this package is building with a bunch of bundled libraries, like png, jpeg, tiff, and openjpeg, which would mean it would have several other security issues too.

This library is used by harbour, cegui, and ogre.  CC'ing their maintainers.  Can someone please look at building this with system libs?

CC: (none) => juan.baptiste, lists.jjorge, zen25000

Comment 2 Rémi Verschelde 2015-09-02 23:00:36 CEST
As I'm de-facto maintaining cegui and ogre, I'll have a look.
Rémi Verschelde 2015-09-02 23:01:36 CEST

Assignee: fundawang => rverschelde

Comment 3 Rémi Verschelde 2015-09-02 23:12:51 CEST
Wow indeed, there was a big patch to build against system libs and it was simply enclosed in "%if 0", supposedly to avoid having to rediff it. I'll work on unbundling all this stuff.
Comment 4 Rémi Verschelde 2015-09-03 11:13:36 CEST
Fedora is not a great resource for this as they are still on version 3.10.0, but Debian has some interesting patches. They seem to have forgotten to remove the source code of the bundled libs in Source/Lib*, so even though they link against system libraries, they still build against a couple of headers from the bundled libtiff4 and libjpeg.

I'm working on improving their patch to fully unbundle libtiff4 and libjpeg, though yesterday I had issues due to some headers our jpeg-devel does not seem to provide. I'll try to look into this further this evening.
Comment 5 Barry Jackson 2015-09-03 13:08:12 CEST
(In reply to David Walser from comment #1)

> This library is used by harbour, cegui, and ogre.  CC'ing their maintainers.
> Can someone please look at building this with system libs?

I will look at harbour but not much time right now :\
Comment 6 Rémi Verschelde 2015-09-03 13:11:03 CEST
(In reply to Barry Jackson from comment #5)
> (In reply to David Walser from comment #1)
> 
> > This library is used by harbour, cegui, and ogre.  CC'ing their maintainers.
> > Can someone please look at building this with system libs?
> 
> I will look at harbour but not much time right now :\

It's only freeimage which needs fixing, you won't normally need to modify harbour. However the unbundling needs some important patching, so if you can test that there are no regressions in harbour once I've provided an updated freeimage, it would be great.
Comment 7 Rémi Verschelde 2015-09-03 13:12:31 CEST
Unless there is a strong objection from the QA team, I plan to update freeimage to version 3.15.4 (instead of the 3.15.3 that we have now, don't mind the bogus RPM version) so that I can reuse the Debian patching with rediffing everything.

I haven't checked yet but I expect 3.15.4 to be a bugfix version anyway.
Comment 8 David Walser 2015-09-03 14:58:41 CEST
I was actually already thinking that if you're doing all the work to rediff it, it'd make sense to just update it to the latest version and do it once, so yeah, go ahead.
Comment 9 Rémi Verschelde 2015-09-03 15:10:51 CEST
(In reply to David Walser from comment #8)
> I was actually already thinking that if you're doing all the work to rediff
> it, it'd make sense to just update it to the latest version and do it once,
> so yeah, go ahead.

The latest upstream version is 3.17.0, so I won't provide this one for Mageia 4 and 5, but I'll work on it later on in cauldron. Debian is also on 3.15.4 anyway, so it's easier for me to stay with this branch.
Comment 10 David Walser 2015-09-03 15:12:36 CEST
Ahh.  OK, that works.  Thanks.
Comment 11 Rémi Verschelde 2015-09-04 18:45:16 CEST
Fixed in Cauldron, and update candidates pushed for Mageia 4 and Mageia 5.

I could unbundle all libs apart from libtiff4, because some parts of FreeImage rely on private functions of libtiff4, and unbundling it probably means losing or severing TIFF support (and maybe more issues if some other formats depend on libtiff4).


RPMs in core/updates_testing:
=============================
lib(64)freeimage3-3.154-1.mga4
lib(64)freeimage-devel-3.154-1.mga4

lib(64)freeimage3-3.154-1.mga5
lib(64)freeimage-devel-3.154-1.mga5


SRPMs:
======
freeimage-3.154-1.mga4
freeimage-3.154-1.mga5

Version: Cauldron => 5
Assignee: rverschelde => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO

Comment 12 David Walser 2015-09-04 19:21:50 CEST
Thanks Rémi!  If libtiff can't be unbundled, can it at least be updated to 4.0.4?

CC: (none) => rverschelde

Comment 13 David Walser 2015-09-04 19:26:00 CEST
Advisory:
========================

Updated freeimage packages fix security vulnerability:

FreeImage is vulnerable to an integer overflow in PluginPCX.cpp, making the
PCX loader vulnerable to malicious images with a bad window specification
(CVE-2015-0852).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0852
http://openwall.com/lists/oss-security/2015/08/28/1
Comment 14 Rémi Verschelde 2015-09-04 20:34:08 CEST
I managed to build with a bundled libtiff 4.0.4, but it does not work with 4.0.5, I'll have to dig in to see why.
Comment 15 Rémi Verschelde 2015-09-04 22:31:52 CEST
Pushed a new version with an updated bundled libtiff to version 4.0.4 which fixes a good number of security issues (I can't tell to what extent they were affecting freeimage or not, but at least they're gone ;)).


Advisory:
=========

Updated freeimage packages fix security vulnerability:

  FreeImage is vulnerable to an integer overflow in PluginPCX.cpp, making the
  PCX loader vulnerable to malicious images with a bad window specification
  (CVE-2015-0852).

  Moreover, FreeImage was built in Mageia against a number of bundled libraries
  with potential security vulnerabilities. Most of those dependencies were
  unbundled to use the up-to-date system libraries, while the bundled libtiff
  was updated to a more recent version.

References:
 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0852
 - http://openwall.com/lists/oss-security/2015/08/28/1


RPMs in core/updates_testing:
=============================
lib(64)freeimage3-3.154-1.1.mga4
lib(64)freeimage-devel-3.154-1.1.mga4

lib(64)freeimage3-3.154-1.1.mga5
lib(64)freeimage-devel-3.154-1.1.mga5


SRPMs:
======
freeimage-3.154-1.1.mga4
freeimage-3.154-1.1.mga5
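A defender-side illustration of the issue class the advisory names, as an added example that is not FreeImage's own code: the PCX header's 16-bit window fields (Xmin, Ymin, Xmax, Ymax) are widened and multiplied to size the pixel buffer, and an inverted or oversized window can wrap that arithmetic. Both the unchecked and the hardened version below are hypothetical; the field offsets follow the public PCX header layout, and the 1 GiB cap is a constructed policy.

```c
/* Added example, not FreeImage's code: reading the PCX header window and sizing
 * the pixel buffer with overflow checks. Offsets follow the public PCX header
 * layout; the 1 GiB cap is a constructed policy for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define PCX_HEADER_SIZE 128
#define PCX_MAX_IMAGE_BYTES ((uint64_t)1 << 30)   /* constructed policy cap */
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
/* Illustrative unchecked arithmetic: 16-bit window fields widen to 32 bits and the
 * product silently wraps, so a huge window can yield a tiny (even zero) size. */
uint32_t pcx_naive_size32(uint16_t xmin, uint16_t ymin, uint16_t xmax, uint16_t ymax, uint8_t planes)
{
    uint32_t width  = (uint32_t)(xmax - xmin + 1);   /* also wraps if xmax < xmin */
    uint32_t height = (uint32_t)(ymax - ymin + 1);
    return width * height * planes;                  /* 32-bit wrap */
}
/* Hardened check: validate the window, compute in 64 bits, enforce a cap.
 * Returns 1 and sets *out_bytes, or 0 if the header must be rejected. */
int pcx_checked_size(const uint8_t *hdr, size_t hdr_len, uint64_t *out_bytes)
{
    if (hdr_len < PCX_HEADER_SIZE || hdr[0] != 0x0A) return 0;   /* manufacturer byte */
    uint16_t xmin = rd16le(hdr + 4), ymin = rd16le(hdr + 6);
    uint16_t xmax = rd16le(hdr + 8), ymax = rd16le(hdr + 10);
    uint8_t bpp = hdr[3], planes = hdr[65];
    if (xmax < xmin || ymax < ymin) return 0;                    /* inverted window */
    if (bpp == 0 || bpp > 8 || planes == 0 || planes > 4) return 0;
    uint64_t width  = (uint64_t)xmax - xmin + 1;
    uint64_t height = (uint64_t)ymax - ymin + 1;
    uint64_t line   = (width * bpp + 7) / 8;                     /* bytes per plane per row */
    uint64_t total  = line * planes * height;                    /* < 2^16 * 4 * 2^16, no wrap */
    if (total > PCX_MAX_IMAGE_BYTES) return 0;
    *out_bytes = total;
    return 1;
}
/* Builds a constructed 128-byte header with the given window and runs the check;
 * returns the buffer size, or -1 when the header is rejected. */
int64_t pcx_checked_size_for(uint16_t xmin, uint16_t ymin, uint16_t xmax, uint16_t ymax,
                             uint8_t bpp, uint8_t planes)
{
    uint8_t hdr[PCX_HEADER_SIZE];
    uint64_t n = 0;
    memset(hdr, 0, sizeof hdr);
    hdr[0] = 0x0A; hdr[1] = 5; hdr[2] = 1; hdr[3] = bpp; hdr[65] = planes;
    hdr[4] = (uint8_t)xmin; hdr[5] = (uint8_t)(xmin >> 8); hdr[6] = (uint8_t)ymin; hdr[7] = (uint8_t)(ymin >> 8);
    hdr[8] = (uint8_t)xmax; hdr[9] = (uint8_t)(xmax >> 8); hdr[10] = (uint8_t)ymax; hdr[11] = (uint8_t)(ymax >> 8);
    return pcx_checked_size(hdr, sizeof hdr, &n) ? (int64_t)n : -1;
}
```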
Comment 16 Rémi Verschelde 2015-09-04 22:39:06 CEST
As for a testing procedure, I'd make sure that harbour, ogre and cegui are still working as they should.

Some applications use ogre:
- opendungeons (also uses cegui)
- stuntrally
- sumwars (also uses cegui)
- freeorion
Comment 17 Rémi Verschelde 2015-09-05 15:13:19 CEST
Note that it's normal if you get many additional dependencies installed with this update candidate, as all the unbundled libraries now need to be installed on the system too.
Comment 18 Rémi Verschelde 2015-09-07 07:32:35 CEST
I've used the update candidate on my main Mageia5-64 system and to compile opendungeons in a Mageia4-64 chroot, and had no particular issue. I've also briefly tested the above-mentioned games for obvious regressions.

Whiteboard: MGA4TOO => MGA4TOO MGA4-64-OK MGA5-64-OK

Comment 19 claire robinson 2015-09-07 16:54:41 CEST
Validating. Advisory uploaded.

Please push to 4&5 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4TOO MGA4-64-OK MGA5-64-OK => MGA4TOO has_procedure advisory MGA4-64-OK MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 20 Mageia Robot 2015-09-08 09:21:47 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0339.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-09-08 21:40:55 CEST

URL: (none) => http://lwn.net/Vulnerabilities/656894/
