Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 559006 (CVE-2015-0852) - <media-libs/freeimage-3.15.4-r1: integer overflow
Summary: <media-libs/freeimage-3.15.4-r1: integer overflow
Status: RESOLVED FIXED
Alias: CVE-2015-0852
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on: CVE-2016-5684
Blocks:
  Show dependency tree
 
Reported: 2015-08-28 08:33 UTC by Agostino Sarubbo
Modified: 2017-01-29 16:16 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-08-28 08:33:44 UTC
From ${URL} :

Name : FreeImage
Affected Version: <= 3.17.0
URL : http://freeimage.sourceforge.net/

Description :
An integer overflow issue in the FreeImage project was reported and fixed recently.
Upstream fix: Revision 1.18 http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=log&pathrev=MAIN

Details:

The PluginPCX.cpp file(version 3.17.0) has:

371 unsigned width = header.window[2] - header.window[0] + 1;
372 unsigned height = header.window[3] - header.window[1] + 1;
373 unsigned bitcount = header.bpp * header.planes;

However, it's possible that header.window[2] < header.window[0], and also header.window[3] < header.window[1]. In this two cases, width and height can be overflowed. And this can lead further issue in the rest of the code. Take the following lines for example:

568 for (x = 0; x < width; x++) {
569 bits[x * 3 + FI_RGBA_RED] = pline[x];
570 }

The write operation on buffer bits can help an attacker to corrupt the heap.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 David Seifert gentoo-dev 2017-01-21 20:04:42 UTC
commit 19aae64ac3dfc8945dbf9c4edccd835778f81c1d
Author: David Seifert <soap@gentoo.org>
Date:   Sat Jan 21 21:01:22 2017 +0100

    media-libs/freeimage: Add patches for CVE-2015-0852 and CVE-2016-5684
    
    Gentoo-bug: 559006, 596350
    * EAPI=6
    * Make patches -p1 compliant
Comment 2 David Seifert gentoo-dev 2017-01-22 15:39:21 UTC
commit fd7524a9b5584c1fa2d8fa0ed209c217bc0dffc7
Author: David Seifert <soap@gentoo.org>
Date:   Sun Jan 22 16:38:32 2017 +0100

    media-libs/freeimage: Remove old
    
    Gentoo-bug: 559006, 596350
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-23 08:27:11 UTC
Added to existing GLSA.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-01-29 16:16:13 UTC
This issue was resolved and addressed in
 GLSA 201701-68 at https://security.gentoo.org/glsa/201701-68
by GLSA coordinator Thomas Deutschmann (whissi).