[Urgent security issue] FreeImage arbitrary code execution vulnerability

[lavenderdotpet]

main 2 I think is the most important to point out

• [CVE-2023-47994]
• [CVE-2023-47992]

both of these can run arbitrary code one of them being from the BMP plugin so I am assuming a person could get a user to load a malicious BMP or a file with a malicious bpm inside of it

Free Image should either be forked and fixed asap or abandoned for a different library

active project i could find that use freeimage https://github.com/sirjuddington/SLADE https://github.com/TrenchBroom/TrenchBroom https://github.com/RetroPie/EmulationStation https://github.com/MonoGame/MonoGame https://github.com/meganz/MEGAsync https://github.com/OGRECave/ogre https://github.com/OGRECave/ogre-next https://github.com/Open-Cascade-SAS/OCCT https://github.com/arrayfire/forge https://git.sr.ht/~exec64/imv https://github.com/arrayfire/arrayfire

Free Image v3.18.0

• [CVE-2021-33367] (https://nvd.nist.gov/vuln/detail/CVE-2021-33367) Buffer Overflow vulnerability in Freeimage v3.18.0 allows attacker to cause a denial of service via a crafted JXR file.

• [CVE-2023-47992] (https://nvd.nist.gov/vuln/detail/CVE-2023-47992) An integer overflow vulnerability in FreeImageIO.cpp::_MemoryReadProc in FreeImage 3.18.0 allows attackers to obtain sensitive information, cause a denial-of-service attacks and/or run arbitrary code.

• [CVE-2023-47993] (https://nvd.nist.gov/vuln/detail/CVE-2023-47993) A Buffer out-of-bound read vulnerability in Exif.cpp::ReadInt32 in FreeImage 3.18.0 allows attackers to cause a denial-of-service.

• [CVE-2023-47994] (https://nvd.nist.gov/vuln/detail/CVE-2023-47994) An integer overflow vulnerability in LoadPixelDataRLE4 function in PluginBMP.cpp in Freeimage 3.18.0 allows attackers to obtain sensitive information, cause a denial of service and/or run arbitrary code.

• [CVE-2023-47995] (https://nvd.nist.gov/vuln/detail/CVE-2023-47995) Memory Allocation with Excessive Size Value discovered in BitmapAccess.cpp::FreeImage_AllocateBitmap in FreeImage 3.18.0 allows attackers to cause a denial of service.

• [CVE-2023-47996] (https://nvd.nist.gov/vuln/detail/CVE-2023-47996) An integer overflow vulnerability in Exif.cpp::jpeg_read_exif_dir in FreeImage 3.18.0 allows attackers to obtain information and cause a denial of service.

Free Image before v1.18.0

• [CVE-2021-40262] (https://nvd.nist.gov/vuln/detail/CVE-2021-40262) A stack exhaustion issue was discovered in FreeImage before 1.18.0 via the Validate function in PluginRAW.cpp.

• [CVE-2021-40263] (https://nvd.nist.gov/vuln/detail/CVE-2021-40263) A heap overflow vulnerability in FreeImage 1.18.0 via the ofLoad function in PluginTIFF.cpp.

• [CVE-2021-40264] (https://nvd.nist.gov/vuln/detail/CVE-2021-40264) NULL pointer dereference vulnerability in FreeImage before 1.18.0 via the FreeImage_CloneTag function inFreeImageTag.cpp.

• [CVE-2021-40265] (https://nvd.nist.gov/vuln/detail/CVE-2021-40265) A heap overflow bug exists FreeImage before 1.18.0 via ofLoad function in PluginJPEG.cpp.

• [CVE-2021-40266] (https://nvd.nist.gov/vuln/detail/CVE-2021-40266) FreeImage before 1.18.0, ReadPalette function in PluginTIFF.cpp is vulnerabile to null pointer dereference.

[darksylinc]

Thanks for reporting this issue.

We've recently moved to FreeImageRe by default to address the issue of FreeImage being stale for years and unaddressed vulnerabilities.

Fortunately most use-cases (but not all of them) of OgreNext involve only loading images from trusted sources; but nonetheless they should be addressed.

If I read correctly CVE-2023-47994 & CVE-2023-47992 do not propose a fix or patch?