Cisco TALOS has issued an advisory on October 3:
http://www.talosintelligence.com/reports/TALOS-2016-0189/

Debian-LTS has issued an advisory for this today (October 6):
http://lwn.net/Alerts/702772/

They identified two commits to fix the issue, linked from here:
https://security-tracker.debian.org/tracker/CVE-2016-5684

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Debian seems to have another patch too for:
CVE-2015-3885: integer overflow in the ljpeg_start function
http://metadata.ftp-master.debian.org/changelogs/main/f/freeimage/freeimage_3.15.4-4.2+deb8u1_changelog
Summary: freeimage new security issue CVE-2016-5684 => freeimage new security issues CVE-2015-3885 CVE-2016-5684
The Debian patches for the two CVEs have been added to the Mageia 5 and Cauldron versions.

Suggested advisory:
===================

Updated freeimage packages fix security vulnerabilities

Multiple vulnerabilities were discovered in the FreeImage multimedia library, which might result in denial of service or the execution of arbitrary code if a malformed XMP or RAW image is processed. (CVE-2015-3885, CVE-2016-5684)

References:
- http://www.talosintelligence.com/reports/TALOS-2016-0189/
- http://lwn.net/Articles/703585/

(@ Luigi: Might want to complete the references, not sure which ones should be given)

RPMs in core/updates_testing:
=============================
lib(64)freeimage3-3.154-1.2
lib(64)freeimage-devel-3.154-1.2

SRPM in core/updates_testing:
============================
freeimage-3.154-1.2
CC: (none) => rverschelde
Version: Cauldron => 5
Assignee: rverschelde => qa-bugs
Whiteboard: MGA5TOO => (none)
Suggested advisory:
===================

Updated freeimage packages fix security vulnerabilities

Multiple vulnerabilities were discovered in the FreeImage multimedia library, which might result in denial of service or the execution of arbitrary code if a malformed XMP or RAW image is processed (CVE-2015-3885, CVE-2016-5684).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3885
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5684
http://www.talosintelligence.com/reports/TALOS-2016-0189/
https://www.debian.org/security/2016/dsa-3692
MGA5-32 on Acer D620 Xfce

No installation issues.

Trying to find the simplest testcase, I went for running sumwars with at C$ strace -o sumwars.txt sumwars > sumwarscli.txt

The trace shows:
open("/lib/libfreeimage.so.3", O_RDONLY|O_CLOEXEC) = 3

but at creating a character to play with, the game crashed with loads of feedback at the CLI. Last lines:

WARNING: head_mt1.mesh is an older format ([MeshSerializer_v1.41]); you should upgrade it as soon as possible using the OgreMeshUpgrade tool.
WARNING: bow.mesh is an older format ([MeshSerializer_v1.41]); you should upgrade it as soon as possible using the OgreMeshUpgrade tool.
WARNING: hairShort_mt5.mesh is an older format ([MeshSerializer_v1.41]); you should upgrade it as soon as possible using the OgreMeshUpgrade tool.
terminate called after throwing an instance of 'CEGUIUtilityNoWidgetException'
what(): std::exception
Afgebroken
(cancelled for non-Dutch speakers)

Adding sumwarscli.txt as attachment.

I leave it to the wizards to decide whether or not this crash has to do with the libfreeimage.
CC: (none) => herman.viaene
Created attachment 8615 [details] sumwars run
x86_64 real hardware

$ urpmq --whatrequires lib64freeimage3
lib64cegui0.7.9
lib64cegui0_2
lib64freeimage-devel
lib64freeimage3
lib64harbour-freeimage3
lib64ogre1.9.0

$ urpmq --whatrequires-recursive lib64freeimage3
returns a long list of libraries and applications.

stuntrally seemed to work OK but I managed to crash the car during the tutorial and tried to abandon the game. No emergency exit provided and since the mouse was captured it was necessary to login from another machine to kill the process.

Could not trace any PoC for this bug.

Installed the updates.

Tried out mygui-3.2.1-4.mga5.x86_64

$ sudo urpmi mygui-demos
$ cd /usr/share/doc/mygui-demos
$ cat README
This package contains MyGUI demos; to run the demos, launch the helper script /usr/bin/MyGUI-Demos
$ MyGUI-Demos
Usage: MyGUI-Demos (sample)
Available samples:
Demo_Colour
Demo_Console
Demo_Controllers
Demo_Gui
Demo_ItemBox
Demo_PanelView
Demo_Picking
Demo_Pointers
Demo_RenderBox
Demo_ScrollView
Demo_Themes
$ MyGUI-Demos Demo_Console
Running Demo_Console...

That produced an Ogre widget with buttons for 'select renderer' and 'select one'. select renderer did not respond and select one crashed out with
Error: Shell widget menu has zero width and/or height.

All the demos showed the same window so there may be something missing from my setup. The cancel button works fine and in any case this package is about images so together with the games this shows that image rendering is fine.

Tried stuntrally at fullscreen without capturing the mouse. After multiple car crashes decided to hit Esc and use the mouse to exit the game. As far as I could tell it was working.

Also tried sumwars aka Summoning Wars, created a character and tried to figure out how to play it and gave up. The rendering was fine though.

These three should be enough to confirm that the libraries can be relied on.
CC: (none) => tarazed25
Whiteboard: (none) => MGA5-64-OK
@herman viz comment #4 I have no knowledge of games software but looking at your attachment I would guess that the problem occurs before freeimage is applied. The meshes which represent objects in the game sound like bases for generating wireframe vertices which can then be filled in by the image library functions. That is a total guess though. If it is near correct then the problem would lie in the sumwars resources, not freeimage (there is talk of formats and serializing). If images in general render fine then you could OK the update. But seeing as I am guessing, we do need a guru to examine this. I wonder if Rémi would know; he is a games aficionado.
Apropos of comment #7. The actual job of texturing the wireframe is a job for the GPU I would think and GLX would handle that, maybe via freeimage, who knows.
Advisory uploaded.
CC: (none) => lewyssmith
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
Checking this in i586 vbox.
Testing on this virtual machine was a bit slow because of frequent system freezes. Don't know what is causing them. Maybe the latest kernel. Installed the library updates and the games StuntRally and Summoning Wars. Ran mygui-demos with a selection of demos, all of which looked and behaved the same. Possibly a work in progress. The images were fine. StuntRally and sumwars overloaded the one cpu. Loading elements of the game took a long time but all the images were rendered properly. Virtually impossible to actually play the games, probably because the machine resources were overloaded. Very little response from the keyboard or mouse. Usually had to kill the machine from the vbox menu. However, since this is a test of freeimage library support I would say that the package is OK.
Whiteboard: MGA5-64-OK advisory => MGA5-64-OK advisory MGA5-32-OK
Thanks to Herman & Len for the difficult tests. Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0373.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED