Bug 650426 (CVE-2018-7587, CVE-2018-7588, CVE-2018-7589, CVE-2020-25693, CVE-2020-7637, CVE-2020-7638, CVE-2020-7639, CVE-2020-7640, CVE-2020-7641) - <media-libs/cimg-2.9.3: Multiple vulnerabilities (CVE-2018-{7587,7588,7589,7637,7638,7639,7640,7641}, CVE-2020-25693)
Status: RESOLVED FIXED
Alias: CVE-2018-7587, CVE-2018-7588, CVE-2018-7589, CVE-2020-25693, CVE-2020-7637, CVE-2020-7638, CVE-2020-7639, CVE-2020-7640, CVE-2020-7641
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~2 [noglsa cve]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2018-03-13 18:23 UTC by GLSAMaker/CVETool Bot
Modified: 2020-12-26 22:16 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---
Description GLSAMaker/CVETool Bot gentoo-dev 2018-03-13 18:23:14 UTC
CVE-2018-7641 (https://nvd.nist.gov/vuln/detail/CVE-2018-7641):
  An issue was discovered in CImg v.220. A heap-based buffer over-read in
  load_bmp in CImg.h occurs when loading a crafted bmp image, a different
  vulnerability than CVE-2018-7588. This is in a "32 bits colors" case, aka
  case 32.

CVE-2018-7640 (https://nvd.nist.gov/vuln/detail/CVE-2018-7640):
  An issue was discovered in CImg v.220. A heap-based buffer over-read in
  load_bmp in CImg.h occurs when loading a crafted bmp image, a different
  vulnerability than CVE-2018-7588. This is in a Monochrome case, aka case 1.

CVE-2018-7639 (https://nvd.nist.gov/vuln/detail/CVE-2018-7639):
  An issue was discovered in CImg v.220. A heap-based buffer over-read in
  load_bmp in CImg.h occurs when loading a crafted bmp image, a different
  vulnerability than CVE-2018-7588. This is in a "16 bits colors" case, aka
  case 16.

CVE-2018-7638 (https://nvd.nist.gov/vuln/detail/CVE-2018-7638):
  An issue was discovered in CImg v.220. A heap-based buffer over-read in
  load_bmp in CImg.h occurs when loading a crafted bmp image, a different
  vulnerability than CVE-2018-7588. This is in a "256 colors" case, aka case
  8.

CVE-2018-7637 (https://nvd.nist.gov/vuln/detail/CVE-2018-7637):
  An issue was discovered in CImg v.220. A heap-based buffer over-read in
  load_bmp in CImg.h occurs when loading a crafted bmp image, a different
  vulnerability than CVE-2018-7588. This is in a "16 colors" case, aka case 4.

CVE-2018-7589 (https://nvd.nist.gov/vuln/detail/CVE-2018-7589):
  An issue was discovered in CImg v.220. A double free in load_bmp in CImg.h
  occurs when loading a crafted bmp image.

CVE-2018-7588 (https://nvd.nist.gov/vuln/detail/CVE-2018-7588):
  An issue was discovered in CImg v.220. A heap-based buffer over-read in
  load_bmp in CImg.h occurs when loading a crafted bmp image.

CVE-2018-7587 (https://nvd.nist.gov/vuln/detail/CVE-2018-7587):
  An issue was discovered in CImg v.220. DoS occurs when loading a crafted bmp
  image that triggers an allocation failure in load_bmp in CImg.h.


Package has no stable ebuild.
Comment 1 Sam James archtester gentoo-dev Security 2020-04-22 22:14:29 UTC
@maintainer(s): ping
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2020-04-22 22:15:35 UTC
CVE-2019-13568 (https://nvd.nist.gov/vuln/detail/CVE-2019-13568):
  CImg through 2.6.7 has a heap-based buffer overflow in _load_bmp in CImg.h
  because of erroneous memory allocation for a malformed BMP image.
Comment 3 John Helmert III gentoo-dev Security 2020-07-04 19:30:39 UTC
Looks like tree is clean:

commit c01b46bb951938e03cea9d69ace134a45ed45770
Author: Tim Harder <radhermit@gentoo.org>
Date:   Thu Sep 26 21:32:51 2019 -0600

    media-libs/cimg: remove old

    Signed-off-by: Tim Harder <radhermit@gentoo.org>

 delete mode 100644 media-libs/cimg/cimg-2.6.5.ebuild
 delete mode 100644 media-libs/cimg/cimg-2.6.7.ebuild
Comment 4 John Helmert III gentoo-dev Security 2020-07-06 20:28:33 UTC
CVE-2018-7588 and CVE-2018-7589 are patched by: https://github.com/dtschump/CImg/commit/8447076ef22322a14a0ce130837e44c5ba8095f4

CVE-2018-{7637,7638,7639,7640,7641} are patched by: https://github.com/dtschump/CImg/commit/10af1e8c1ad2a58a0a3342a856bae63e8f257abb

CVE-2019-13568 is patched by: https://github.com/dtschump/CImg/commit/ac8003393569aba51048c9d67e1491559877b1d1

Can't find a patch for CVE-2018-7587, but it was found around the same time as a few of the others (https://github.com/xiaoqx/pocs/tree/master/cimg) so it's likely it's patched.

Not sure if these are all patched in the version we have:

CImg $ git tag --contains=8447076
v.2.2.2
v.2.2.3
v.221
CImg $ git tag --contains=10af1e8
v.2.2.2
v.2.2.3
v.221
CImg $ git tag --contains=ac800339
v.2.7.0
v.2.7.1
v.2.7.2
v.2.7.3
v.2.7.4
v.2.7.5
v.2.8.0
v.2.8.1
v.2.8.2
v.2.8.3
v.2.8.4
v.2.9.0
v.2.9.1
Comment 5 Sam James archtester gentoo-dev Security 2020-12-05 00:19:38 UTC
* CVE-2020-25693

Description:
"A flaw was found in CImg in versions prior to 2.9.3. Integer overflows leading to heap buffer overflows in load_pnm() can be triggered by a specially crafted input file processed by CImg, which can lead to an impact to application availability or data integrity."

RH bug: https://bugzilla.redhat.com/show_bug.cgi?id=1893377

"...because the above calculations are used in allocation of heap memory, the flaw can lead to arbitrary heap memory write in subsequent code when specially crafted input is provided to CImg. It is more likely to occur on platforms where the `size_t` type is 32-bit."
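The two checks that the flaws on this bug call for, written out as an added C example (not CImg's code and not the upstream patches linked above): an overflow-checked computation of the allocation size for width x height x channels, which is the arithmetic Comment 5 describes for load_pnm(), and a header-versus-buffer bounds check for BMP pixel data across the 1/4/8/16/24/32-bit cases named in the original report. Assumptions: uint32_t stands in for the 32-bit size_t the Red Hat text mentions, the 54-byte header layout is the standard 14-byte file header plus 40-byte BITMAPINFOHEADER, and the sample headers are constructed in the code rather than taken from any real file.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Naive size computation: wraps silently in 32-bit arithmetic, so a crafted
 * header can make a later allocation far smaller than the data written into it. */
uint32_t naive_image_bytes(uint32_t width, uint32_t height, uint32_t channels)
{
    return width * height * channels;
}

/* Same computation with overflow detection. uint32_t models a 32-bit size_t. */
bool checked_image_bytes(uint32_t width, uint32_t height, uint32_t channels, uint32_t *out)
{
    uint32_t pixels, bytes;
    if (__builtin_mul_overflow(width, height, &pixels)) return false;
    if (__builtin_mul_overflow(pixels, channels, &bytes)) return false;
    *out = bytes;
    return true;
}

/* BMP rows are padded to a 4-byte boundary: stride = ((width*bpp + 31) / 32) * 4. */
bool bmp_row_stride(uint32_t width, uint32_t bpp, uint32_t *stride)
{
    uint32_t bits;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32) return false;
    if (__builtin_mul_overflow(width, bpp, &bits)) return false;
    if (bits > UINT32_MAX - 31) return false;
    *stride = ((bits + 31) / 32) * 4;
    return true;
}

/* True only if the pixel array the header declares lies entirely inside the buffer. */
bool bmp_pixels_in_bounds(size_t file_len, uint32_t data_offset,
                          uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t stride, needed;
    if (!bmp_row_stride(width, bpp, &stride)) return false;
    if (__builtin_mul_overflow(stride, height, &needed)) return false;
    if (data_offset > file_len) return false;
    return needed <= file_len - data_offset;
}

/* Little-endian field helpers. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Constructed test header: 14-byte file header + 40-byte BITMAPINFOHEADER. */
void make_bmp_header(uint8_t hdr[54], int32_t width, int32_t height, uint16_t bpp, uint32_t data_offset)
{
    memset(hdr, 0, 54);
    hdr[0] = 'B'; hdr[1] = 'M';
    wr32(hdr + 10, data_offset);      /* bfOffBits */
    wr32(hdr + 14, 40);               /* biSize */
    wr32(hdr + 18, (uint32_t)width);  /* biWidth */
    wr32(hdr + 22, (uint32_t)height); /* biHeight, negative means top-down */
    wr16(hdr + 26, 1);                /* biPlanes */
    wr16(hdr + 28, bpp);              /* biBitCount */
}

/* Validate a whole BMP buffer before any pixel or palette read touches it. */
bool bmp_buffer_is_safe(const uint8_t *buf, size_t len)
{
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M') return false;
    uint32_t off = rd32(buf + 10);
    int32_t w = (int32_t)rd32(buf + 18);
    int32_t h = (int32_t)rd32(buf + 22);
    uint16_t bpp = rd16(buf + 28);
    if (w <= 0 || h == 0) return false;
    uint32_t abs_h = h < 0 ? (uint32_t)(-(int64_t)h) : (uint32_t)h;
    return bmp_pixels_in_bounds(len, off, (uint32_t)w, abs_h, bpp);
}

int main(void)
{
    uint32_t n = 0;
    uint8_t buf[78];
    printf("naive  0x10000 x 0x4001 x 4 = %u bytes (wrapped)\n", naive_image_bytes(0x10000, 0x4001, 4));
    printf("checked same input: %s\n", checked_image_bytes(0x10000, 0x4001, 4, &n) ? "ok" : "overflow, reject");
    memset(buf, 0, sizeof buf);
    make_bmp_header(buf, 3, 2, 24, 54);       /* 2 rows of 12 bytes fit in 78-54 = 24 */
    printf("3x2x24bpp in 78 bytes: %s\n", bmp_buffer_is_safe(buf, sizeof buf) ? "safe" : "reject");
    make_bmp_header(buf, 3, 1000, 24, 54);    /* header claims far more pixel data than exists */
    printf("3x1000x24bpp in 78 bytes: %s\n", bmp_buffer_is_safe(buf, sizeof buf) ? "safe" : "reject");
    return 0;
}
```

The point of splitting stride, total size and offset into separate checked steps is that each one is where a crafted header can make a loader read past its input (over-read) or allocate less than it later writes (overflow); once `bmp_buffer_is_safe` returns true, the per-bit-depth decode loops can index the buffer without further range tests.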
Comment 6 Larry the Git Cow gentoo-dev 2020-12-26 22:11:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5b3bafccd8614098028fbff39944f99b3e969d2

commit f5b3bafccd8614098028fbff39944f99b3e969d2
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-12-18 02:36:09 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-12-26 22:11:15 +0000

    media-libs/cimg: security bump to 2.9.3
    
    Bug: https://bugs.gentoo.org/650426
    
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/18700
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/cimg/Manifest          |  1 +
 media-libs/cimg/cimg-2.9.3.ebuild | 26 ++++++++++++++++++++++++++
 2 files changed, 27 insertions(+)
Comment 7 Andreas Sturmlechner gentoo-dev 2020-12-26 22:12:41 UTC
Package just installs some header and has no consumers? I'm confused. Anyway.
Comment 8 Larry the Git Cow gentoo-dev 2020-12-26 22:13:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09a6fb8b50373f845d43c3ca668f937e629bd3b1

commit 09a6fb8b50373f845d43c3ca668f937e629bd3b1
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-12-26 22:13:03 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-12-26 22:13:03 +0000

    media-libs/cimg: Security cleanup
    
    Bug: https://bugs.gentoo.org/650426
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/cimg/Manifest          |  2 --
 media-libs/cimg/cimg-2.9.0.ebuild | 26 --------------------------
 media-libs/cimg/cimg-2.9.1.ebuild | 26 --------------------------
 3 files changed, 54 deletions(-)
Comment 9 John Helmert III gentoo-dev Security 2020-12-26 22:16:56 UTC
Thanks asturm, all done.