Vulnerabilities > CVE-2016-5684 - Out-of-bounds Write vulnerability in Freeimage Project Freeimage 3.17.0
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
An exploitable out-of-bounds write vulnerability exists in the XMP image handling functionality of the FreeImage library. A specially crafted XMP file can cause an arbitrary memory overwrite resulting in code execution. An attacker can provide a malicious image to trigger this vulnerability.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Common Weakness Enumeration (CWE)
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2016-4529E034CA.NASL description Security fix for CVE-2016-5684 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-10-13 plugin id 94025 published 2016-10-13 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94025 title Fedora 24 : mingw-freeimage (2016-4529e034ca) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2016-4529e034ca. # include("compat.inc"); if (description) { script_id(94025); script_version("2.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2016-5684"); script_xref(name:"FEDORA", value:"2016-4529e034ca"); script_name(english:"Fedora 24 : mingw-freeimage (2016-4529e034ca)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Security fix for CVE-2016-5684 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-4529e034ca" ); script_set_attribute( attribute:"solution", value:"Update the affected mingw-freeimage package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mingw-freeimage"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:24"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/06"); script_set_attribute(attribute:"patch_publication_date", value:"2016/10/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/13"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^24([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 24", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC24", reference:"mingw-freeimage-3.17.0-4.fc24")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mingw-freeimage"); }
NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-121.NASL description This update for freeimage fixes one issues. This security issue was fixed : - CVE-2016-5684: Prevent out-of-bounds write vulnerability in the XMP image handling functionality. A specially crafted XMP file could have caused an arbitrary memory overwrite resulting in code execution (boo#1002621). last seen 2020-06-05 modified 2018-02-01 plugin id 106551 published 2018-02-01 reporter This script is Copyright (C) 2018-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/106551 title openSUSE Security Update : freeimage (openSUSE-2018-121) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2018-121. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(106551); script_version("3.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2016-5684"); script_name(english:"openSUSE Security Update : freeimage (openSUSE-2018-121)"); script_summary(english:"Check for the openSUSE-2018-121 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for freeimage fixes one issues. This security issue was fixed : - CVE-2016-5684: Prevent out-of-bounds write vulnerability in the XMP image handling functionality. A specially crafted XMP file could have caused an arbitrary memory overwrite resulting in code execution (boo#1002621)." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1002621" ); script_set_attribute( attribute:"solution", value:"Update the affected freeimage packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:freeimage-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:freeimage-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreeimage3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreeimage3-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreeimageplus3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreeimageplus3-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3"); script_set_attribute(attribute:"patch_publication_date", value:"2018/01/31"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/01"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.3", reference:"freeimage-debugsource-3.17.0-5.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"freeimage-devel-3.17.0-5.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libfreeimage3-3.17.0-5.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libfreeimage3-debuginfo-3.17.0-5.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libfreeimageplus3-3.17.0-5.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libfreeimageplus3-debuginfo-3.17.0-5.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freeimage-debugsource / freeimage-devel / libfreeimage3 / etc"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2016-5CBCAD7A9A.NASL description Security fix for CVE-2016-5684 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-10-13 plugin id 94026 published 2016-10-13 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94026 title Fedora 23 : freeimage (2016-5cbcad7a9a) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2016-5cbcad7a9a. # include("compat.inc"); if (description) { script_id(94026); script_version("2.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2016-5684"); script_xref(name:"FEDORA", value:"2016-5cbcad7a9a"); script_name(english:"Fedora 23 : freeimage (2016-5cbcad7a9a)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Security fix for CVE-2016-5684 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-5cbcad7a9a" ); script_set_attribute( attribute:"solution", value:"Update the affected freeimage package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:freeimage"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:23"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/06"); script_set_attribute(attribute:"patch_publication_date", value:"2016/10/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/13"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^23([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 23", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC23", reference:"freeimage-3.17.0-7.fc23")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freeimage"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2016-4247F42B66.NASL description Security fix for CVE-2016-5684 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-11-15 plugin id 94797 published 2016-11-15 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94797 title Fedora 25 : mingw-freeimage (2016-4247f42b66) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3692.NASL description Multiple vulnerabilities were discovered in the FreeImage multimedia library, which might result in denial of service or the execution of arbitrary code if a malformed XMP or RAW image is processed. last seen 2020-06-01 modified 2020-06-02 plugin id 94056 published 2016-10-14 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94056 title Debian DSA-3692-1 : freeimage - security update NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201701-68.NASL description The remote host is affected by the vulnerability described in GLSA-201701-68 (FreeImage: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in in FreeImage. Please review the CVE identifiers referenced below for details. Impact : A remote attacker, by enticing a user to process a specially crafted image file, could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 96854 published 2017-01-30 reporter This script is Copyright (C) 2017 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/96854 title GLSA-201701-68 : FreeImage: Multiple vulnerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2016-F55F5B10DC.NASL description Security fix for CVE-2016-5684 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-11-15 plugin id 94881 published 2016-11-15 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94881 title Fedora 25 : freeimage (2016-f55f5b10dc) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_5B1631DCEAFD11E69AC1A4BADB2F4699.NASL description TALOS reports : An exploitable out-of-bounds write vulnerability exists in the XMP image handling functionality of the FreeImage library. last seen 2020-06-01 modified 2020-06-02 plugin id 109053 published 2018-04-16 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109053 title FreeBSD : freeimage -- code execution vulnerability (5b1631dc-eafd-11e6-9ac1-a4badb2f4699) NASL family Fedora Local Security Checks NASL id FEDORA_2016-CCA868C95F.NASL description Security fix for CVE-2016-5684 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-10-13 plugin id 94029 published 2016-10-13 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94029 title Fedora 23 : mingw-freeimage (2016-cca868c95f) NASL family Fedora Local Security Checks NASL id FEDORA_2016-D07987265B.NASL description Security fix for CVE-2016-5684 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-10-13 plugin id 94030 published 2016-10-13 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94030 title Fedora 24 : freeimage (2016-d07987265b) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3925-1.NASL description It was discovered that an out-of-bounds write vulnerability existed in the XMP Image handling functionality of the FreeImage library. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could overwrite arbitrary memory, resultin in code execution. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 123504 published 2019-03-29 reporter Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123504 title Ubuntu 14.04 LTS / 16.04 LTS : freeimage vulnerability (USN-3925-1)
Seebug
bulletinFamily | exploit |
description | ### Summary An exploitable out-of-bounds write vulnerability exists in the XMP image handling functionality of the FreeImage library. A specially crafted XMP file can cause an arbitrary memory overwrite resulting in code execution. An attacker can provide a malicious image to trigger this vulnerability. ### Tested Versions FreeImage 3.17.0 ### Product URLs http://freeimage.sourceforge.net/ ### CVSSv3 Score 8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H ### Details The FreeImage library is used by over 100+ programs according to http:// freeimage.sourceforge.net/users.html. Major consumers include the game engine Unity and Spamfighter, a major antispam filter developer. Consumers of this library often identify image files by calling a generic loader function such as FreeImage_GetFileType() to get a file type using a signature, or using the extension with the function FreeImageGetFIFFromFilename(). Once these have been called, the image is loaded using FreeImageLoad(). Since this often doesn't require a particular file format to be specified by the user of the library, it allows for easy loading and support of multiple file formats. However, this also means that file formats that a particular program doesn't intend to support, might be parsed by FreeImage anyway, regardless of extension. The vulnerability occurs in the file Source/FreeImage/PluginXPM.cpp in the function Load(), which is called when an XPM file is being loaded. At lines 177-207 the following code is present: ``` int width, height, colors, cpp; [178]if( sscanf(str, "%d %d %d %d", &width, &height, &colors, &cpp) != 4 ) { free(str); throw "Improperly formed info string"; } free(str); if (colors > 256) { dib = FreeImage_AllocateHeader(header_only, width, height, 24, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK); } else { dib = FreeImage_AllocateHeader(header_only, width, height, 8); } //build a map of color chars to rgb values std::map<std::string,FILE_RGBA> rawpal; //will store index in Alpha if 8bpp for(int i = 0; i < colors; i++ ) { FILE_RGBA rgba; str = ReadString(io, handle); if(!str) throw "Error reading color strings"; std::string chrs(str,cpp); //create a string for the color chars using the first cpp chars [200]char *keys = str + cpp; //the color keys for these chars start after the first cpp chars //translate all the tabs to spaces char *tmp = keys; while( strchr(tmp,'\t') ) { tmp = strchr(tmp,'\t'); [206]*tmp++ = ' '; } ``` At line 178, the number of chars per pixel is provided and read into a signed integer. This value is then used without further checks at line 200 to find the start of the color keys area. This memory location is then written to by replacing tabs with spaces. ### Mitigation One way to mitigate this is to explicitly check wether a file is detected as being an XPM file by checking the return value of FreeImageGetFileType() or FreeImageGetFIFFromFilename(). If the return value of either of these functions is FIF_XPM, then the subsequent loading function should not be called. ### Timeline * 2016-07-29 - Vendor Disclosure * 2016-10-03 - Public Release |
id | SSV:96670 |
last seen | 2017-11-19 |
modified | 2017-10-12 |
published | 2017-10-12 |
reporter | Root |
title | FreeImage Library XMP Image Handling Code Execution Vulnerability(CVE-2016-5684) |
Talos
id | TALOS-2016-0189 |
last seen | 2019-05-29 |
published | 2016-10-03 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0189 |
title | FreeImage Library XMP Image Handling Code Execution Vulnerability |