Bug 25967 - freeimage new security issues CVE-2019-12211 and 2019-12213
Summary: freeimage new security issues CVE-2019-12211 and 2019-12213
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-12-27 03:44 CET by David Walser
Modified: 2020-01-05 16:40 CET (History)

See Also:
Source RPM: freeimage-3.18.0-1.mga7.src.rpm
CVE: CVE-2019-12211, 2019-12213
Status comment:



David Walser 2019-12-27 03:44:48 CET

Whiteboard: (none) => MGA7TOO

Lewis Smith 2019-12-27 10:34:52 CET

Assignee: bugsquad => pkg-bugs

Comment 1 Nicolas Salguero 2019-12-27 12:18:59 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

When FreeImage 3.18.0 reads a tiff file, it will be handed to the Load function of the PluginTIFF.cpp file, but a memcpy occurs in which the destination address and the size of the copied data are not considered, resulting in a heap overflow. (CVE-2019-12211)

When FreeImage 3.18.0 reads a special TIFF file, the TIFFReadDirectory function in PluginTIFF.cpp always returns 1, leading to stack exhaustion. (CVE-2019-12213)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12211
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12213
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/56P2TDRB2FEJEWDRIAOPGEDF7L2VNA7B/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PUWVVP67FYM4GMWD7TPQ7C7JPPRUZHYE/
========================

Updated packages in core/updates_testing:
========================
lib(64)freeimage3-3.18.0-2.mga7
lib(64)freeimage-devel-3.18.0-2.mga7

from SRPMS:
freeimage-3.18.0-2.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 7
CVE: (none) => CVE-2019-12211, 2019-12213
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero

Comment 2 Len Lawrence 2020-01-01 12:50:49 CET
Not sure how to test this one.  There are indications that freeimage might be used by the backend rendering engine framework ogre but installing and using that is a subject in itself.

Regarding CVE-2019-12211, there is some discussion upstream on test cases for heap-buffer and stack overflow issues.  Shall chase those later.  After that it will probably be a case of a clean upgrade, or not.

CC: (none) => tarazed25

Comment 3 Len Lawrence 2020-01-01 20:11:11 CET
Mageia7, x86_64

Installed the freeimage libraries and the game stuntrally.  Started stuntrally under strace, perused the help screens then started a game which segfaulted immediately.  The trace shows that lib64freeimage3 is opened.

Downloaded the three files intended for use as PoC but there is no procedure.  The reader is probably expected to write code which uses particular functions of the library to demonstrate the overflow issues.

Updated the libraries without issues.

Started stuntrally from the system menus, selected a game and go.  Immediate crash.
Tried again under strace and the whole thing crashed without even showing the interface.  The trace finishes with this, right after "Sound init ok":
clone(child_stack=0x7fdcafbfceb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[6679], tls=0x7fdcafbfd700, child_tidptr=0x7fdcafbfd9d0) = 6679
clock_gettime(CLOCK_PROCESS_CPUTIME_ID,  <unfinished ...>) = ?
+++ killed by SIGSEGV (core dumped) +++

/lib64/libfreeimage.so.3 appears to have been opened successfully.

Don't know how to interpret this.  Do we just go with a clean update and ignore whatever bugs this exposes in the game?
Comment 4 Len Lawrence 2020-01-01 20:27:46 CET
Installed another game, opendungeons and stumbled about in that.  libfreeimage-3.18.0.so was accessed during the game.  No obvious problems and managed to exit cleanly.
Giving this an OK.

Whiteboard: (none) => MGA7-64-OK

Comment 5 Thomas Andrews 2020-01-03 19:28:41 CET
Reads to me like stunt rally needs its own bug. We need a gamer to pursue that one.

Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-01-05 13:44:30 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 6 Mageia Robot 2020-01-05 16:40:13 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0019.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

