Bug 19547 - freeimage new security issues CVE-2015-3885 CVE-2016-5684
Summary: freeimage new security issues CVE-2015-3885 CVE-2016-5684
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/702786/
Whiteboard: MGA5-64-OK advisory MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-10-06 20:05 CEST by David Walser
Modified: 2016-11-10 23:24 CET
5 users

See Also:
Source RPM: freeimage-3.154-1.1.mga5.src.rpm
CVE:
Status comment:


Attachments
sumwars run (109.03 KB, text/plain)
2016-11-02 16:39 CET, Herman Viaene

Description David Walser 2016-10-06 20:05:19 CEST
Cisco TALOS has issued an advisory on October 3:
http://www.talosintelligence.com/reports/TALOS-2016-0189/

Debian-LTS has issued an advisory for this today (October 6):
http://lwn.net/Alerts/702772/

They identified two commits to fix the issue, linked from here:
https://security-tracker.debian.org/tracker/CVE-2016-5684

Mageia 5 is also affected.
David Walser 2016-10-06 20:05:46 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Rémi Verschelde 2016-10-31 20:48:58 CET
Debian seems to have another patch too for:
CVE-2015-3885: integer overflow in the ljpeg_start function

http://metadata.ftp-master.debian.org/changelogs/main/f/freeimage/freeimage_3.15.4-4.2+deb8u1_changelog

Summary: freeimage new security issue CVE-2016-5684 => freeimage new security issues CVE-2015-3885 CVE-2016-5684

Comment 2 Rémi Verschelde 2016-10-31 21:03:48 CET
The Debian patches for the two CVEs have been added to the Mageia 5 and Cauldron versions.

Suggested advisory:
===================

Updated freeimage packages fix security vulnerabilities

  Multiple vulnerabilities were discovered in the FreeImage multimedia
  library, which might result in denial of service or the execution of
  arbitrary code if a malformed XMP or RAW image is processed.
  (CVE-2015-3885, CVE-2016-5684)

References:
 - http://www.talosintelligence.com/reports/TALOS-2016-0189/
 - http://lwn.net/Articles/703585/

(@ Luigi: Might want to complete the references, not sure which ones should be given)


RPMs in core/updates_testing:
=============================

lib(64)freeimage3-3.154-1.2
lib(64)freeimage-devel-3.154-1.2

SRPM in core/updates_testing:
============================

freeimage-3.154-1.2

CC: (none) => rverschelde
Version: Cauldron => 5
Assignee: rverschelde => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 3 David Walser 2016-10-31 21:15:59 CET
Suggested advisory:
===================

Updated freeimage packages fix security vulnerabilities

Multiple vulnerabilities were discovered in the FreeImage multimedia library,
which might result in denial of service or the execution of arbitrary code if a
malformed XMP or RAW image is processed (CVE-2015-3885, CVE-2016-5684).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3885
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5684
http://www.talosintelligence.com/reports/TALOS-2016-0189/
https://www.debian.org/security/2016/dsa-3692
Comment 4 Herman Viaene 2016-11-02 16:38:13 CET
MGA5-32 on Acer D620 Xfce
No installation issues
Trying to find the simplest testcase, I went for running sumwars
from the CLI with: $ strace -o sumwars.txt sumwars > sumwarscli.txt

trace shows:
open("/lib/libfreeimage.so.3", O_RDONLY|O_CLOEXEC) = 3
but at creating a character to play with, the game crashed with loads of feedback at the CLI. Last lines:
WARNING: head_mt1.mesh is an older format ([MeshSerializer_v1.41]); you should upgrade it as soon as possible using the OgreMeshUpgrade tool.
WARNING: bow.mesh is an older format ([MeshSerializer_v1.41]); you should upgrade it as soon as possible using the OgreMeshUpgrade tool.
WARNING: hairShort_mt5.mesh is an older format ([MeshSerializer_v1.41]); you should upgrade it as soon as possible using the OgreMeshUpgrade tool.
terminate called after throwing an instance of 'CEGUIUtilityNoWidgetException'
  what():  std::exception
Afgebroken (cancelled for non-Dutch speakers)
Adding sumwarscli.txt as attachment
I leave it to the wizards to decide whether or not this crash has to do with the libfreeimage.

CC: (none) => herman.viaene

Comment 5 Herman Viaene 2016-11-02 16:39:15 CET
Created attachment 8615
sumwars run
Comment 6 Len Lawrence 2016-11-03 23:25:29 CET
x86_64 real hardware

$ urpmq --whatrequires lib64freeimage3
lib64cegui0.7.9
lib64cegui0_2
lib64freeimage-devel
lib64freeimage3
lib64harbour-freeimage3
lib64ogre1.9.0
$ urpmq --whatrequires-recursive lib64freeimage3
returns a long list of libraries and applications.

stuntrally seemed to work OK but I managed to crash the car during the tutorial and tried to abandon the game. No emergency exit provided and since the mouse was captured it was necessary to log in from another machine to kill the process.

Could not trace any PoC for this bug.
Installed the updates.

Tried out mygui-3.2.1-4.mga5.x86_64
$ sudo urpmi mygui-demos
$ cd /usr/share/doc/mygui-demos
$ cat README
This package contains MyGUI demos; to run the demos, launch the
helper script /usr/bin/MyGUI-Demos
$ MyGUI-Demos
Usage: MyGUI-Demos (sample)
Available samples: Demo_Colour Demo_Console Demo_Controllers Demo_Gui Demo_ItemBox Demo_PanelView Demo_Picking Demo_Pointers Demo_RenderBox Demo_ScrollView Demo_Themes
$ MyGUI-Demos Demo_Console
Running Demo_Console...
That produced an Ogre widget with buttons for 'select renderer' and 'select one'.  select renderer did not respond and select one crashed out with 
Error: Shell widget menu has zero width and/or height.
All the demos showed the same window so there may be something missing from my setup.  The cancel button works fine and in any case this package is about images so together with the games this shows that image rendering is fine.

Tried stuntrally at fullscreen without capturing the mouse.  After multiple car crashes decided to hit Esc and use the mouse to exit the game.  As far as I could tell it was working.

Also tried sumwars aka Summoning Wars, created a character and tried to figure out how to play it and gave up.  The rendering was fine though.

These three should be enough to confirm that the libraries can be relied on.

CC: (none) => tarazed25
Whiteboard: (none) => MGA5-64-OK
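
A check for whether the installed freeimage build is at or beyond the fixed release named in comment 2 (3.154-1.2), the kind of thing a tester doing the "Installed the updates" step above could script. This is an added example, not Mageia's or rpm's code: it reimplements rpm's version comparison rules in Python, and the installed version strings are constructed samples (the .mga5 disttag on the fixed build is assumed).

```python
import re

# Fixed version-release named in comment 2 of this bug (Mageia 5 update).
FIXED_EVR = "3.154-1.2"

# Constructed samples standing in for rpm -q --qf '%{VERSION}-%{RELEASE}\n' lib64freeimage3
SAMPLE_INSTALLED = {
    "before update": "3.154-1.1.mga5",  # from the Source RPM field of this bug
    "after update": "3.154-1.2.mga5",   # disttag on the fixed build is assumed
}

_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")  # rpmvercmp segments; '~' marks pre-release


def rpmvercmp(a, b):
    """rpm's rpmvercmp(): digit runs compare numerically, letter runs lexically,
    digits beat letters, '~' sorts before anything (even end of string), and a
    string with segments left over is otherwise newer. Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
        elif x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    nxt = sa[len(sb)] if a_longer else sb[len(sa)]
    if nxt == "~":  # a trailing '~' segment makes the longer string older
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def evr_cmp(a, b):
    """Compare 'version-release' strings: version decides, then release."""
    va, ra = a.split("-", 1)
    vb, rb = b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed_evr, fixed_evr=FIXED_EVR):
    """True when the installed build is at or beyond the fixed release."""
    return evr_cmp(installed_evr, fixed_evr) >= 0
```

Feeding the real `rpm -q` output for lib64freeimage3 into `is_fixed` gives a yes/no answer that does not depend on the game-based smoke tests.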

Comment 7 Len Lawrence 2016-11-04 00:00:10 CET
@herman viz comment #4

I have no knowledge of games software but looking at your attachment I would guess that the problem occurs before freeimage is applied.  The meshes which represent objects in the game sound like bases for generating wireframe vertices which can then be filled in by the image library functions.  That is a total guess though.  If it is near correct then the problem would lie in the sumwars resources, not freeimage (there is talk of formats and serializing).  If images in general render fine then you could OK the update.  But seeing as I am guessing, we do need a guru to examine this.

I wonder if Rémi would know; he is a games aficionado.
Comment 8 Len Lawrence 2016-11-04 00:23:24 CET
Apropos of comment #7.  The actual job of texturing the wireframe is a job for the GPU I would think and GLX would handle that, maybe via freeimage, who knows.
Comment 9 Lewis Smith 2016-11-05 19:11:33 CET
Advisory uploaded.

CC: (none) => lewyssmith
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory

Comment 10 Len Lawrence 2016-11-10 18:36:44 CET
Checking this in i586 vbox.
Comment 11 Len Lawrence 2016-11-10 20:14:46 CET
Testing on this virtual machine was a bit slow because of frequent system freezes.  Don't know what is causing them.  Maybe the latest kernel.  

Installed the library updates and the games StuntRally and Summoning Wars.  Ran mygui-demos with a selection of demos, all of which looked and behaved the same.  Possibly a work in progress.  The images were fine.

StuntRally and sumwars overloaded the one cpu.  Loading elements of the game took a long time but all the images were rendered properly.  Virtually impossible to actually play the games, probably because the machine resources were overloaded.  Very little response from the keyboard or mouse.  Usually had to kill the machine from the vbox menu.

However, since this is a test of freeimage library support I would say that the package is OK.
Len Lawrence 2016-11-10 20:15:32 CET

Whiteboard: MGA5-64-OK advisory => MGA5-64-OK advisory MGA5-32-OK

Comment 12 Lewis Smith 2016-11-10 20:39:15 CET
Thanks to Herman & Len for the difficult tests. Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 13 Mageia Robot 2016-11-10 23:24:12 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0373.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

