When FreeImage 3.18.0 reads a TIFF file, it will be handed to the Load
function of the PluginTIFF.cpp file, but a memcpy occurs in which the
destination address and the size of the copied data are not considered,
resulting in a heap overflow.
When FreeImage 3.18.0 reads a special TIFF file, the TIFFReadDirectory
function in PluginTIFF.cpp always returns 1, leading to stack exhaustion.
@maintainer(s): ping, looks like this has patches
The bug has been referenced in the following commit(s):
Author: John Helmert III <email@example.com>
AuthorDate: 2020-07-11 19:05:59 +0000
Commit: James Le Cuirot <firstname.lastname@example.org>
CommitDate: 2020-07-19 11:58:58 +0000
media-libs/freeimage: Revbump + security patch
Package-Manager: Portage-2.3.103, Repoman-2.3.23
Signed-off-by: John Helmert III <email@example.com>
Signed-off-by: James Le Cuirot <firstname.lastname@example.org>
...mage-3.18.0-CVE-2019-12211-CVE-2019-12213.patch | 193 +++++++++++++++++++++
media-libs/freeimage/freeimage-3.18.0-r2.ebuild | 119 +++++++++++++
2 files changed, 312 insertions(+)
(In reply to James Le Cuirot from comment #3)
Thanks, let us know when it's ready to stable!
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.