A security issue in freeimage has been announced:
http://openwall.com/lists/oss-security/2015/08/28/1

The upstream commit to fix the issue is linked in the message above.

Mageia 4 and Mageia 5 are also affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
I've committed the upstream patch for this issue, but it looks like this package is building with a bunch of bundled libraries, like png, jpeg, tiff, and openjpeg, which would mean it would have several other security issues too. This library is used by harbour, cegui, and ogre. CC'ing their maintainers. Can someone please look at building this with system libs?
CC: (none) => juan.baptiste, lists.jjorge, zen25000
As I'm de-facto maintaining cegui and ogre, I'll have a look.
Assignee: fundawang => rverschelde
Wow indeed, there was a big patch to build against system libs and it was simply enclosed in "%if 0", supposedly to avoid having to rediff it. I'll work on unbundling all this stuff.
Fedora is not a great resource for this as they are still on version 3.10.0, but Debian has some interesting patches. They seemed to have forgotten trying to remove the source code of the bundled libs in Source/Lib*, so even though they link against system libraries, they still build against a couple headers from the bundled libtiff4 and libjpeg. I'm working on improving their patch to fully unbundle libtiff4 and libjpeg, though yesterday I had issues due to some headers our jpeg-devel does not seem to provide. I'll try to look into this further this evening.
(In reply to David Walser from comment #1)
> This library is used by harbour, cegui, and ogre. CC'ing their maintainers.
> Can someone please look at building this with system libs?

I will look at harbour but not much time right now :\
(In reply to Barry Jackson from comment #5)
> (In reply to David Walser from comment #1)
> > This library is used by harbour, cegui, and ogre. CC'ing their maintainers.
> > Can someone please look at building this with system libs?
>
> I will look at harbour but not much time right now :\

It's only freeimage which needs fixing; you won't normally need to modify harbour. However, the unbundling needs some important patching, so if you can test that there are no regressions in harbour once I've provided an updated freeimage, it would be great.
Unless there is a strong objection from the QA team, I plan to update freeimage to version 3.15.4 (instead of 3.15.3 that we have now, don't mind the bogus RPM version) so that I can reuse the Debian patching with rediffing everything. I haven't checked yet but I expect 3.15.4 to be a bugfix version anyway.
I was actually already thinking that if you're doing all the work to rediff it, it'd make sense to just update it to the latest version and do it once, so yeah, go ahead.
(In reply to David Walser from comment #8)
> I was actually already thinking that if you're doing all the work to rediff
> it, it'd make sense to just update it to the latest version and do it once,
> so yeah, go ahead.

The latest upstream version is 3.17.0, so I won't provide this one for Mageia 4 and 5, but I'll work on it later on in cauldron. Debian is also on 3.15.4 anyway, so it's easier for me to stay with this branch.
Ahh. OK, that works. Thanks.
Fixed in Cauldron, and update candidates pushed for Mageia 4 and Mageia 5.

I could unbundle all libs apart from libtiff4, because some parts of FreeImage rely on private functions of libtiff4, and unbundling it probably means losing or severing TIFF support (and maybe more issues if some other formats depend on libtiff4).

RPMs in core/updates_testing:
=============================
lib(64)freeimage3-3.154-1.mga4
lib(64)freeimage-devel-3.154-1.mga4
lib(64)freeimage3-3.154-1.mga5
lib(64)freeimage-devel-3.154-1.mga5

SRPMs:
======
freeimage-3.154-1.mga4
freeimage-3.154-1.mga5
Version: Cauldron => 5
Assignee: rverschelde => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
Thanks Rémi! If libtiff can't be unbundled, can it at least be updated to 4.0.4?
CC: (none) => rverschelde
Advisory:
========================

Updated freeimage packages fix security vulnerability:

FreeImage is vulnerable to an integer overflow in PluginPCX.cpp, making the PCX loader vulnerable to malicious images with a bad window specification (CVE-2015-0852).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0852
http://openwall.com/lists/oss-security/2015/08/28/1
I managed to build with a bundled libtiff 4.0.4, but it does not work with 4.0.5, I'll have to dig in to see why.
Pushed a new version with an updated bundled libtiff to version 4.0.4 which fixes a good number of security issues (I can't tell to which extent they were affecting freeimage or not, but at least they're gone ;)).

Advisory:
=========

Updated freeimage packages fix security vulnerability:

FreeImage is vulnerable to an integer overflow in PluginPCX.cpp, making the PCX loader vulnerable to malicious images with a bad window specification (CVE-2015-0852).

Moreover, FreeImage was built in Mageia against a number of bundled libraries with potential security vulnerabilities. Most of those dependencies were unbundled to use the up-to-date system libraries, while the bundled libtiff was updated to a more recent version.

References:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0852
- http://openwall.com/lists/oss-security/2015/08/28/1

RPMs in core/updates_testing:
=============================
lib(64)freeimage3-3.154-1.1.mga4
lib(64)freeimage-devel-3.154-1.1.mga4
lib(64)freeimage3-3.154-1.1.mga5
lib(64)freeimage-devel-3.154-1.1.mga5

SRPMs:
======
freeimage-3.154-1.1.mga4
freeimage-3.154-1.1.mga5
As for a testing procedure, I'd make sure that harbour, ogre and cegui are still working as they should. Some applications use ogre:
- opendungeons (also uses cegui)
- stuntrally
- sumwars (also uses cegui)
- freeorion
Note that it's normal if you get many additional dependencies installed with this update candidate, as all the unbundled libraries now need to be installed on the system too.
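The advisory above describes an integer overflow in the PCX loader triggered by a bad window specification. As an added example in C (not FreeImage's code and not the upstream fix), this is the kind of header validation a loader needs: the window corners are checked for ordering, sizes are derived in widened arithmetic, and the total is bounded before any allocation would happen. Header offsets follow the PCX format; the size cap, function names and the constructed test headers are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PCX_HEADER_LEN 128
#define PCX_MAX_IMAGE_BYTES (256u * 1024u * 1024u) /* constructed policy cap, not FreeImage's */

typedef struct { uint32_t width, height; uint64_t image_bytes; } pcx_dims;

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16le(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Validate the PCX window (xmin, ymin, xmax, ymax at offsets 4..11) and derive
   the image size in widened arithmetic so no intermediate can wrap around. */
bool pcx_validate_header(const uint8_t *hdr, size_t len, pcx_dims *out)
{
    if (len < PCX_HEADER_LEN || hdr[0] != 0x0A) return false; /* manufacturer byte */
    uint16_t xmin = rd16le(hdr + 4), ymin = rd16le(hdr + 6);
    uint16_t xmax = rd16le(hdr + 8), ymax = rd16le(hdr + 10);
    uint8_t bpp = hdr[3], planes = hdr[65];
    uint16_t bytes_per_line = rd16le(hdr + 66);
    /* An inverted window makes (xmax - xmin + 1) wrap in narrow integer math. */
    if (xmax < xmin || ymax < ymin) return false;
    uint32_t width = (uint32_t)xmax - xmin + 1;   /* 1 .. 65536 */
    uint32_t height = (uint32_t)ymax - ymin + 1;
    if (bpp == 0 || bpp > 8 || planes == 0 || planes > 4) return false;
    uint32_t needed = (width * bpp + 7) / 8;      /* one plane of one row */
    if (bytes_per_line < needed) return false;
    /* Total size in 64-bit, bounded before anything would be allocated. */
    uint64_t total = (uint64_t)bytes_per_line * planes * height;
    if (total > PCX_MAX_IMAGE_BYTES) return false;
    out->width = width; out->height = height; out->image_bytes = total;
    return true;
}

/* Build a constructed header (other fields zero), then validate it; returns
   the image size in bytes or -1 when the header is rejected. */
long long pcx_image_bytes_for(uint16_t xmin, uint16_t ymin, uint16_t xmax,
                              uint16_t ymax, uint8_t bpp, uint8_t planes,
                              uint16_t bytes_per_line)
{
    uint8_t hdr[PCX_HEADER_LEN]; pcx_dims d;
    memset(hdr, 0, sizeof hdr);
    hdr[0] = 0x0A; hdr[1] = 5; hdr[2] = 1; hdr[3] = bpp; hdr[65] = planes;
    wr16le(hdr + 4, xmin); wr16le(hdr + 6, ymin); wr16le(hdr + 8, xmax);
    wr16le(hdr + 10, ymax); wr16le(hdr + 66, bytes_per_line);
    return pcx_validate_header(hdr, sizeof hdr, &d) ? (long long)d.image_bytes : -1;
}
```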
I've used the update candidate on my main Mageia5-64 system and to compile opendungeons in a Mageia4-64 chroot, and had no particular issue. I've also briefly tested the above-mentioned games for obvious regressions.
Whiteboard: MGA4TOO => MGA4TOO MGA4-64-OK MGA5-64-OK
Validating. Advisory uploaded.

Please push to 4&5 updates.

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA4TOO MGA4-64-OK MGA5-64-OK => MGA4TOO has_procedure advisory MGA4-64-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0339.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/656894/