
[Urgent security issue] FreeImage arbitrary code execution vulnerability

Open lavenderdotpet opened this issue 1 year ago • 1 comments

The main 2, I think, are the most important to point out:

  • [CVE-2023-47994]
  • [CVE-2023-47992]

Both of these can run arbitrary code, one of them being from the BMP plugin, so I am assuming a person could get a user to load a malicious BMP or a file with a malicious BMP inside of it.

FreeImage should either be forked and fixed ASAP or abandoned for a different library.

Active projects I could find that use FreeImage:

  • https://github.com/sirjuddington/SLADE
  • https://github.com/TrenchBroom/TrenchBroom
  • https://github.com/RetroPie/EmulationStation
  • https://github.com/MonoGame/MonoGame
  • https://github.com/meganz/MEGAsync
  • https://github.com/OGRECave/ogre
  • https://github.com/OGRECave/ogre-next
  • https://github.com/Open-Cascade-SAS/OCCT
  • https://github.com/arrayfire/forge
  • https://git.sr.ht/~exec64/imv
  • https://github.com/arrayfire/arrayfire

FreeImage v3.18.0

  • [CVE-2021-33367](https://nvd.nist.gov/vuln/detail/CVE-2021-33367) Buffer Overflow vulnerability in FreeImage v3.18.0 allows an attacker to cause a denial of service via a crafted JXR file.

  • [CVE-2023-47992](https://nvd.nist.gov/vuln/detail/CVE-2023-47992) An integer overflow vulnerability in FreeImageIO.cpp::_MemoryReadProc in FreeImage 3.18.0 allows attackers to obtain sensitive information, cause denial-of-service attacks and/or run arbitrary code.

  • [CVE-2023-47993](https://nvd.nist.gov/vuln/detail/CVE-2023-47993) A buffer out-of-bounds read vulnerability in Exif.cpp::ReadInt32 in FreeImage 3.18.0 allows attackers to cause a denial of service.

  • [CVE-2023-47994](https://nvd.nist.gov/vuln/detail/CVE-2023-47994) An integer overflow vulnerability in the LoadPixelDataRLE4 function in PluginBMP.cpp in FreeImage 3.18.0 allows attackers to obtain sensitive information, cause a denial of service and/or run arbitrary code.

  • [CVE-2023-47995](https://nvd.nist.gov/vuln/detail/CVE-2023-47995) Memory Allocation with Excessive Size Value discovered in BitmapAccess.cpp::FreeImage_AllocateBitmap in FreeImage 3.18.0 allows attackers to cause a denial of service.

  • [CVE-2023-47996](https://nvd.nist.gov/vuln/detail/CVE-2023-47996) An integer overflow vulnerability in Exif.cpp::jpeg_read_exif_dir in FreeImage 3.18.0 allows attackers to obtain information and cause a denial of service.

FreeImage before v1.18.0

  • [CVE-2021-40262](https://nvd.nist.gov/vuln/detail/CVE-2021-40262) A stack exhaustion issue was discovered in FreeImage before 1.18.0 via the Validate function in PluginRAW.cpp.

  • [CVE-2021-40263](https://nvd.nist.gov/vuln/detail/CVE-2021-40263) A heap overflow vulnerability in FreeImage 1.18.0 via the ofLoad function in PluginTIFF.cpp.

  • [CVE-2021-40264](https://nvd.nist.gov/vuln/detail/CVE-2021-40264) NULL pointer dereference vulnerability in FreeImage before 1.18.0 via the FreeImage_CloneTag function in FreeImageTag.cpp.

  • [CVE-2021-40265](https://nvd.nist.gov/vuln/detail/CVE-2021-40265) A heap overflow bug exists in FreeImage before 1.18.0 via the ofLoad function in PluginJPEG.cpp.

  • [CVE-2021-40266](https://nvd.nist.gov/vuln/detail/CVE-2021-40266) In FreeImage before 1.18.0, the ReadPalette function in PluginTIFF.cpp is vulnerable to a null pointer dereference.

lavenderdotpet avatar Mar 31 '24 23:03 lavenderdotpet

Do you have any recommendations for a FreeImage replacement? Is this vulnerability only in the latest 3.18 version? Are previous versions free of this problem?

9prady9 avatar Jun 20 '24 06:06 9prady9