Bug 559006 (CVE-2015-0852) - <media-libs/freeimage-3.15.4-r1: integer overflow
Summary: <media-libs/freeimage-3.15.4-r1: integer overflow
Status: RESOLVED FIXED
Alias: CVE-2015-0852
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on: CVE-2016-5684
Blocks:
Reported: 2015-08-28 08:33 UTC by Agostino Sarubbo
Modified: 2017-01-29 16:16 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2015-08-28 08:33:44 UTC
From ${URL} :

Name : FreeImage
Affected Version: <= 3.17.0
URL : http://freeimage.sourceforge.net/

Description :
An integer overflow issue in the FreeImage project was reported and fixed recently.
Upstream fix: Revision 1.18 http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=log&pathrev=MAIN

Details:

The PluginPCX.cpp file (version 3.17.0) has:

371 unsigned width = header.window[2] - header.window[0] + 1;
372 unsigned height = header.window[3] - header.window[1] + 1;
373 unsigned bitcount = header.bpp * header.planes;

However, it's possible that header.window[2] < header.window[0], and also header.window[3] < header.window[1]. In these two cases, width and height can overflow, and this can lead to further issues in the rest of the code. Take the following lines for example:

568 for (x = 0; x < width; x++) {
569     bits[x * 3 + FI_RGBA_RED] = pline[x];
570 }

The write operation on buffer bits can help an attacker to corrupt the heap.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
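The arithmetic the advisory describes, shown side by side with a bounds-checked version, as an added example written for this page (it is not FreeImage's code and not the upstream fix; the pcx_header_t struct, the sample headers, the function names and the 32-bit cap on bitcount are assumptions made here):

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <limits.h>

/* Stand-in for the PCX header fields the advisory talks about. This struct
 * is constructed for the example; it is not FreeImage's own header type. */
typedef struct {
    uint8_t  bpp;        /* bits per pixel per plane */
    uint8_t  planes;     /* number of colour planes */
    uint16_t window[4];  /* xmin, ymin, xmax, ymax */
} pcx_header_t;

/* Same expression as the quoted line 371. The uint16_t operands are promoted
 * to int, so xmax < xmin gives a negative result, which the conversion to
 * unsigned wraps to a value close to UINT_MAX. */
unsigned vulnerable_width(const pcx_header_t *h) {
    return h->window[2] - h->window[0] + 1;
}

/* Hardened variant: reject an inverted window before deriving width/height,
 * and bound the per-line and per-image byte counts so a later allocation
 * matches what the pixel loops will write. */
bool pcx_dimensions(const pcx_header_t *h, unsigned *width, unsigned *height,
                    size_t *image_bytes) {
    if (h->window[2] < h->window[0] || h->window[3] < h->window[1])
        return false;                                   /* inverted window */
    unsigned w   = (unsigned)h->window[2] - h->window[0] + 1;   /* <= 65536 */
    unsigned hgt = (unsigned)h->window[3] - h->window[1] + 1;   /* <= 65536 */
    unsigned bitcount = (unsigned)h->bpp * h->planes;
    /* Cap chosen for this example (assumption): no pixel wider than 32 bits. */
    if (bitcount == 0 || bitcount > 32)
        return false;
    /* With the bounds above the products stay far below 2^64. */
    uint64_t line_bytes = ((uint64_t)w * bitcount + 7) / 8;
    uint64_t total = line_bytes * hgt;
    if (total > SIZE_MAX)
        return false;                                   /* cannot allocate */
    *width = w;
    *height = hgt;
    *image_bytes = (size_t)total;
    return true;
}

/* Convenience wrapper: 0 means "reject this header". */
size_t pcx_image_bytes(const pcx_header_t *h) {
    unsigned w, hgt;
    size_t n;
    return pcx_dimensions(h, &w, &hgt, &n) ? n : 0;
}

/* Constructed sample headers: an inverted window and a sane 16x10 image. */
static const pcx_header_t SAMPLE_BAD  = { 8, 1, { 10, 10, 5, 20 } };
static const pcx_header_t SAMPLE_GOOD = { 8, 3, { 0, 0, 15, 9 } };

int main(void) {
    printf("vulnerable width for inverted window: %u\n",
           vulnerable_width(&SAMPLE_BAD));
    printf("hardened: bad header -> %zu bytes, good header -> %zu bytes\n",
           pcx_image_bytes(&SAMPLE_BAD), pcx_image_bytes(&SAMPLE_GOOD));
    return 0;
}
```

With the inverted window the unchecked expression yields 4294967292, so any loop bounded by that width runs far past a buffer sized from the real image, which is the heap write the advisory points at; the checked version refuses the header instead of ever reaching the loop.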
Comment 1 David Seifert gentoo-dev 2017-01-21 20:04:42 UTC
commit 19aae64ac3dfc8945dbf9c4edccd835778f81c1d
Author: David Seifert <soap@gentoo.org>
Date:   Sat Jan 21 21:01:22 2017 +0100

    media-libs/freeimage: Add patches for CVE-2015-0852 and CVE-2016-5684
    
    Gentoo-bug: 559006, 596350
    * EAPI=6
    * Make patches -p1 compliant
Comment 2 David Seifert gentoo-dev 2017-01-22 15:39:21 UTC
commit fd7524a9b5584c1fa2d8fa0ed209c217bc0dffc7
Author: David Seifert <soap@gentoo.org>
Date:   Sun Jan 22 16:38:32 2017 +0100

    media-libs/freeimage: Remove old
    
    Gentoo-bug: 559006, 596350
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2017-01-23 08:27:11 UTC
Added to existing GLSA.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-01-29 16:16:13 UTC
This issue was resolved and addressed in
 GLSA 201701-68 at https://security.gentoo.org/glsa/201701-68
by GLSA coordinator Thomas Deutschmann (whissi).