Fedora has issued advisories on November 26 and 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/56P2TDRB2FEJEWDRIAOPGEDF7L2VNA7B/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PUWVVP67FYM4GMWD7TPQ7C7JPPRUZHYE/

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

When FreeImage 3.18.0 reads a tiff file, it will be handed to the Load function of the PluginTIFF.cpp file, but a memcpy occurs in which the destination address and the size of the copied data are not considered, resulting in a heap overflow. (CVE-2019-12211)

When FreeImage 3.18.0 reads a special TIFF file, the TIFFReadDirectory function in PluginTIFF.cpp always returns 1, leading to stack exhaustion. (CVE-2019-12213)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12211
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12213
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/56P2TDRB2FEJEWDRIAOPGEDF7L2VNA7B/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PUWVVP67FYM4GMWD7TPQ7C7JPPRUZHYE/
========================

Updated packages in core/updates_testing:
========================
lib(64)freeimage3-3.18.0-2.mga7
lib(64)freeimage-devel-3.18.0-2.mga7

from SRPMS:
freeimage-3.18.0-2.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 7
CVE: (none) => CVE-2019-12211, 2019-12213
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero
Not sure how to test this one. There are indications that freeimage might be used by the backend rendering engine framework ogre but installing and using that is a subject in itself. Regarding CVE-2019-12211, there is some discussion upstream on test cases for heap-buffer and stack overflow issues. Shall chase those later. After that it will probably be a case of a clean upgrade, or not.
CC: (none) => tarazed25
Mageia7, x86_64

Installed the freeimage libraries and the game stuntrally. Started stuntrally under strace, perused the help screens then started a game which segfaulted immediately. The trace shows that lib64freeimage3 is opened.

Downloaded the three files intended for use as PoC but there is no procedure. The reader is probably expected to write code which uses particular functions of the library to demonstrate the overflow issues.

Updated the libraries without issues. Started stuntrally from the system menus, selected a game and go. Immediate crash. Tried again under strace and the whole thing crashed without even showing the interface. The trace finishes with this, right after "Sound init ok":

clone(child_stack=0x7fdcafbfceb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[6679], tls=0x7fdcafbfd700, child_tidptr=0x7fdcafbfd9d0) = 6679
clock_gettime(CLOCK_PROCESS_CPUTIME_ID, <unfinished ...>) = ?
+++ killed by SIGSEGV (core dumped) +++

/lib64/libfreeimage.so.3 appears to have been opened successfully. Don't know how to interpret this. Do we just go with a clean update and ignore whatever bugs this exposes in the game?
Installed another game, opendungeons and stumbled about in that. libfreeimage-3.18.0.so was accessed during the game. No obvious problems and managed to exit cleanly. Giving this an OK.
Whiteboard: (none) => MGA7-64-OK
Reads to me like stunt rally needs its own bug. We need a gamer to pursue that one. Validating. Advisory in Comment 1.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0019.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED