[Urgent security issue] FreeImage arbitrary code execution vulnerability

[lavenderdotpet]

main 2 I think is the most important to point out

• [CVE-2023-47994]
• [CVE-2023-47992]

both of these can run arbitrary code one of them being from the BMP plugin
so I am assuming a person could get a user to load a malicious BMP or a file with a malicious bpm inside of it

Free Image should either be forked and fixed asap or abandoned for a different library

active project i could find that use freeimage
https://github.com/sirjuddington/SLADE
https://github.com/TrenchBroom/TrenchBroom
https://github.com/RetroPie/EmulationStation
https://github.com/MonoGame/MonoGame
https://github.com/meganz/MEGAsync
https://github.com/OGRECave/ogre
https://github.com/OGRECave/ogre-next
https://github.com/Open-Cascade-SAS/OCCT
https://github.com/arrayfire/forge
https://git.sr.ht/~exec64/imv
https://github.com/arrayfire/arrayfire

Free Image v3.18.0

• [CVE-2021-33367] (https://nvd.nist.gov/vuln/detail/CVE-2021-33367)
  Buffer Overflow vulnerability in Freeimage v3.18.0 allows attacker to cause a denial of service via a crafted JXR file.

• [CVE-2023-47992] (https://nvd.nist.gov/vuln/detail/CVE-2023-47992)
  An integer overflow vulnerability in FreeImageIO.cpp::_MemoryReadProc in FreeImage 3.18.0 allows attackers to obtain sensitive information, cause a denial-of-service attacks and/or run arbitrary code.

• [CVE-2023-47993] (https://nvd.nist.gov/vuln/detail/CVE-2023-47993)
  A Buffer out-of-bound read vulnerability in Exif.cpp::ReadInt32 in FreeImage 3.18.0 allows attackers to cause a denial-of-service.

• [CVE-2023-47994] (https://nvd.nist.gov/vuln/detail/CVE-2023-47994)
  An integer overflow vulnerability in LoadPixelDataRLE4 function in PluginBMP.cpp in Freeimage 3.18.0 allows attackers to obtain sensitive information, cause a denial of service and/or run arbitrary code.

• [CVE-2023-47995] (https://nvd.nist.gov/vuln/detail/CVE-2023-47995)
  Memory Allocation with Excessive Size Value discovered in BitmapAccess.cpp::FreeImage_AllocateBitmap in FreeImage 3.18.0 allows attackers to cause a denial of service.

• [CVE-2023-47996] (https://nvd.nist.gov/vuln/detail/CVE-2023-47996)
  An integer overflow vulnerability in Exif.cpp::jpeg_read_exif_dir in FreeImage 3.18.0 allows attackers to obtain information and cause a denial of service.

Free Image before v1.18.0

• [CVE-2021-40262] (https://nvd.nist.gov/vuln/detail/CVE-2021-40262)
  A stack exhaustion issue was discovered in FreeImage before 1.18.0 via the Validate function in PluginRAW.cpp.

• [CVE-2021-40263] (https://nvd.nist.gov/vuln/detail/CVE-2021-40263)
  A heap overflow vulnerability in FreeImage 1.18.0 via the ofLoad function in PluginTIFF.cpp.

• [CVE-2021-40264] (https://nvd.nist.gov/vuln/detail/CVE-2021-40264)
  NULL pointer dereference vulnerability in FreeImage before 1.18.0 via the FreeImage_CloneTag function inFreeImageTag.cpp.

• [CVE-2021-40265] (https://nvd.nist.gov/vuln/detail/CVE-2021-40265)
  A heap overflow bug exists FreeImage before 1.18.0 via ofLoad function in PluginJPEG.cpp.

• [CVE-2021-40266] (https://nvd.nist.gov/vuln/detail/CVE-2021-40266)
  FreeImage before 1.18.0, ReadPalette function in PluginTIFF.cpp is vulnerabile to null pointer dereference.

[9prady9]

Do you have any recommendations for freeimage replacement ? Is this vulnerability only in the latest 3.18 version ? Are previous versions free of this problem ?