CVE-2016-5684 - Out-of-bounds Write vulnerability in Freeimage Project Freeimage 3.17.0

CVSS (v2) 6.8 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Summary

An exploitable out-of-bounds write vulnerability exists in the XMP image handling functionality of the FreeImage library. A specially crafted XMP file can cause an arbitrary memory overwrite resulting in code execution. An attacker can provide a malicious image to trigger this vulnerability.

Vulnerable Configurations

Part         Description         Count
Application  Freeimage_Project   1

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2016-4529E034CA.NASL
    description: Security fix for CVE-2016-5684. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2016-10-13
    plugin id: 94025
    published: 2016-10-13
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/94025
    title: Fedora 24 : mingw-freeimage (2016-4529e034ca)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2016-4529e034ca.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(94025);
      script_version("2.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-5684");
      script_xref(name:"FEDORA", value:"2016-4529e034ca");
    
      script_name(english:"Fedora 24 : mingw-freeimage (2016-4529e034ca)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security fix for CVE-2016-5684
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-4529e034ca"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected mingw-freeimage package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mingw-freeimage");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:24");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/10/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/13");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^24([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 24", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC24", reference:"mingw-freeimage-3.17.0-4.fc24")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mingw-freeimage");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2018-121.NASL
    description: This update for freeimage fixes one issue. This security issue was fixed: - CVE-2016-5684: Prevent out-of-bounds write vulnerability in the XMP image handling functionality. A specially crafted XMP file could have caused an arbitrary memory overwrite resulting in code execution (boo#1002621).
    last seen: 2020-06-05
    modified: 2018-02-01
    plugin id: 106551
    published: 2018-02-01
    reporter: This script is Copyright (C) 2018-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/106551
    title: openSUSE Security Update : freeimage (openSUSE-2018-121)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2018-121.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(106551);
      script_version("3.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-5684");
    
      script_name(english:"openSUSE Security Update : freeimage (openSUSE-2018-121)");
      script_summary(english:"Check for the openSUSE-2018-121 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for freeimage fixes one issue.
    
    This security issue was fixed :
    
      - CVE-2016-5684: Prevent out-of-bounds write vulnerability
        in the XMP image handling functionality. A specially
        crafted XMP file could have caused an arbitrary memory
        overwrite resulting in code execution (boo#1002621)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1002621"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected freeimage packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:freeimage-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:freeimage-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreeimage3");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreeimage3-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreeimageplus3");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfreeimageplus3-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/01/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/01");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.3", reference:"freeimage-debugsource-3.17.0-5.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"freeimage-devel-3.17.0-5.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libfreeimage3-3.17.0-5.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libfreeimage3-debuginfo-3.17.0-5.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libfreeimageplus3-3.17.0-5.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libfreeimageplus3-debuginfo-3.17.0-5.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freeimage-debugsource / freeimage-devel / libfreeimage3 / etc");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2016-5CBCAD7A9A.NASL
    description: Security fix for CVE-2016-5684. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2016-10-13
    plugin id: 94026
    published: 2016-10-13
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/94026
    title: Fedora 23 : freeimage (2016-5cbcad7a9a)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2016-5cbcad7a9a.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(94026);
      script_version("2.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-5684");
      script_xref(name:"FEDORA", value:"2016-5cbcad7a9a");
    
      script_name(english:"Fedora 23 : freeimage (2016-5cbcad7a9a)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security fix for CVE-2016-5684
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-5cbcad7a9a"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected freeimage package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:freeimage");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:23");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/10/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/13");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^23([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 23", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC23", reference:"freeimage-3.17.0-7.fc23")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freeimage");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2016-4247F42B66.NASL
    description: Security fix for CVE-2016-5684. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2016-11-15
    plugin id: 94797
    published: 2016-11-15
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/94797
    title: Fedora 25 : mingw-freeimage (2016-4247f42b66)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-3692.NASL
    description: Multiple vulnerabilities were discovered in the FreeImage multimedia library, which might result in denial of service or the execution of arbitrary code if a malformed XMP or RAW image is processed.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 94056
    published: 2016-10-14
    reporter: This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/94056
    title: Debian DSA-3692-1 : freeimage - security update
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201701-68.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201701-68 (FreeImage: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in FreeImage. Please review the CVE identifiers referenced below for details. Impact: A remote attacker, by enticing a user to process a specially crafted image file, could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition. Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 96854
    published: 2017-01-30
    reporter: This script is Copyright (C) 2017 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/96854
    title: GLSA-201701-68 : FreeImage: Multiple vulnerabilities
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2016-F55F5B10DC.NASL
    description: Security fix for CVE-2016-5684. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2016-11-15
    plugin id: 94881
    published: 2016-11-15
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/94881
    title: Fedora 25 : freeimage (2016-f55f5b10dc)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_5B1631DCEAFD11E69AC1A4BADB2F4699.NASL
    description: TALOS reports: An exploitable out-of-bounds write vulnerability exists in the XMP image handling functionality of the FreeImage library.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 109053
    published: 2018-04-16
    reporter: This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/109053
    title: FreeBSD : freeimage -- code execution vulnerability (5b1631dc-eafd-11e6-9ac1-a4badb2f4699)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2016-CCA868C95F.NASL
    description: Security fix for CVE-2016-5684. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2016-10-13
    plugin id: 94029
    published: 2016-10-13
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/94029
    title: Fedora 23 : mingw-freeimage (2016-cca868c95f)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2016-D07987265B.NASL
    description: Security fix for CVE-2016-5684. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2016-10-13
    plugin id: 94030
    published: 2016-10-13
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/94030
    title: Fedora 24 : freeimage (2016-d07987265b)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3925-1.NASL
    description: It was discovered that an out-of-bounds write vulnerability existed in the XMP image handling functionality of the FreeImage library. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could overwrite arbitrary memory, resulting in code execution. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 123504
    published: 2019-03-29
    reporter: Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/123504
    title: Ubuntu 14.04 LTS / 16.04 LTS : freeimage vulnerability (USN-3925-1)

Seebug

bulletin family: exploit
description:
### Summary
An exploitable out-of-bounds write vulnerability exists in the XMP image handling functionality of the FreeImage library. A specially crafted XMP file can cause an arbitrary memory overwrite resulting in code execution. An attacker can provide a malicious image to trigger this vulnerability.
### Tested Versions
FreeImage 3.17.0
### Product URLs
http://freeimage.sourceforge.net/
### CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
### Details
The FreeImage library is used by over 100 programs according to http://freeimage.sourceforge.net/users.html. Major consumers include the game engine Unity and Spamfighter, a major antispam filter developer.

Consumers of this library often identify image files by calling a generic detection function such as FreeImage_GetFileType(), which determines the type from the file signature, or FreeImage_GetFIFFromFilename(), which uses the extension. The image is then loaded with FreeImage_Load(). Since this does not require the caller to name a particular file format, it makes loading many formats easy. It also means that formats a program never intended to support may be parsed by FreeImage anyway, regardless of the file extension.

The vulnerability is in Source/FreeImage/PluginXPM.cpp, in the function Load(), which runs when an XPM file is loaded. (Despite the "XMP" in the advisory title, the affected code path is the XPM plugin, as the file name and the FIF_XPM check in the mitigation below show.) At lines 177-207 the following code is present:

```
	int width, height, colors, cpp;
[178]	if( sscanf(str, "%d %d %d %d", &width, &height, &colors, &cpp) != 4 ) {
		free(str);
		throw "Improperly formed info string";
	}
	free(str);

	if (colors > 256) {
		dib = FreeImage_AllocateHeader(header_only, width, height, 24, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
	} else {
		dib = FreeImage_AllocateHeader(header_only, width, height, 8);
	}

	//build a map of color chars to rgb values
	std::map<std::string,FILE_RGBA> rawpal; //will store index in Alpha if 8bpp
	for(int i = 0; i < colors; i++ ) {
		FILE_RGBA rgba;

		str = ReadString(io, handle);
		if(!str)
			throw "Error reading color strings";

		std::string chrs(str,cpp); //create a string for the color chars using the first cpp chars
[200]	char *keys = str + cpp; //the color keys for these chars start after the first cpp chars

		//translate all the tabs to spaces
		char *tmp = keys;
		while( strchr(tmp,'\t') ) {
			tmp = strchr(tmp,'\t');
[206]		*tmp++ = ' ';
		}
```

At line 178, sscanf reads the number of chars per pixel (cpp) into a signed integer. That value is used without any range check at line 200 to compute the start of the color keys area, str + cpp; for a large or negative cpp this pointer lies outside the buffer returned by ReadString(). The tab-to-space loop then writes through it at line 206, which is the out-of-bounds write. (The std::string built from str and cpp just before line 200 also reads cpp bytes from that same buffer.)

### Mitigation
One way to mitigate this is to explicitly check whether a file is detected as XPM by checking the return value of FreeImage_GetFileType() or FreeImage_GetFIFFromFilename(). If either returns FIF_XPM, the subsequent loading function should not be called.
### Timeline
* 2016-07-29 - Vendor Disclosure
* 2016-10-03 - Public Release
id: SSV:96670
last seen: 2017-11-19
modified: 2017-10-12
published: 2017-10-12
reporter: Root
title: FreeImage Library XMP Image Handling Code Execution Vulnerability (CVE-2016-5684)
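The following is an added example that is not FreeImage's code and not part of the Talos or Seebug advisory. It isolates the two steps the Details section above walks through (the unchecked sscanf of cpp, and the `str + cpp` pointer the tab-to-space loop writes through) beside bounded versions of the same steps, and it implements the Mitigation section's "refuse XPM before loading" advice on file content rather than on the extension. Every function name is invented here; the upper bound `MAX_CPP` is an assumed policy, not the upstream fix; the only FreeImage-specific fact relied on is that XPM3 files begin with the comment `/* XPM */`, which is the signature FreeImage's XPM plugin recognises. All inputs are constructed in the code.

```cpp
// Added example: the unchecked "cpp" from an XPM values line, the bound that
// defuses it, and a content sniff for the advisory's mitigation.
// Not FreeImage code; names and MAX_CPP are this example's own choices.
#include <cstdio>
#include <string>

// XPM3 files open with this comment (the signature the XPM plugin keys on).
static const char XPM_MAGIC[] = "/* XPM */";

// Assumed policy for the hardened parser: chars per pixel above this are rejected.
// Real XPM writers use a handful of characters per pixel; this is not the upstream fix.
static const int MAX_CPP = 8;

struct XpmValues { int width = 0, height = 0, colors = 0, cpp = 0; };

// Same sscanf the vulnerable Load() uses: four signed ints and no range checks.
static bool parse_values_unchecked(const char *str, XpmValues &v) {
    return std::sscanf(str, "%d %d %d %d", &v.width, &v.height, &v.colors, &v.cpp) == 4;
}

// Hardened variant: every field positive, cpp capped, so nothing downstream can
// form "str + cpp" with an attacker-chosen offset.
static bool parse_values_checked(const char *str, XpmValues &v) {
    if (!parse_values_unchecked(str, v)) return false;
    if (v.width <= 0 || v.height <= 0 || v.colors <= 0) return false;
    if (v.cpp <= 0 || v.cpp > MAX_CPP) return false;
    return true;
}

// Where would "char *keys = str + cpp" land for a color line of line_len bytes
// (excluding the NUL)? True when the pointer is before the buffer or past its
// terminator, i.e. when the tab-to-space write would be out of bounds.
static bool keys_pointer_out_of_bounds(size_t line_len, int cpp) {
    if (cpp < 0) return true;
    return static_cast<size_t>(cpp) > line_len;
}

// Bounded replacement for the vulnerable loop: split the color line into its
// cpp pixel chars and the key text, rewriting tabs only inside the key text.
// Fails instead of forming a pointer when cpp does not fit the line.
static bool split_color_line(const std::string &line, int cpp,
                             std::string &chrs, std::string &keys) {
    if (cpp <= 0 || static_cast<size_t>(cpp) >= line.size()) return false;
    chrs = line.substr(0, static_cast<size_t>(cpp));
    keys = line.substr(static_cast<size_t>(cpp));
    for (char &c : keys) if (c == '\t') c = ' ';
    return true;
}

// Mitigation from the advisory, applied to content rather than extension: a
// caller that never meant to accept XPM can refuse it before a generic loader
// such as FreeImage_Load() ever sees it.
static bool looks_like_xpm(const std::string &bytes) {
    return bytes.compare(0, sizeof(XPM_MAGIC) - 1, XPM_MAGIC) == 0;
}

int main() {
    XpmValues v;
    // Constructed hostile values line: a 2x2 image whose cpp dwarfs any color line.
    const char *hostile = "2 2 1 100000";
    (void)parse_values_unchecked(hostile, v);
    const std::string color_line = "a c #000000";  // constructed, 11 bytes
    std::printf("unchecked: keys pointer lands %s the color line\n",
                keys_pointer_out_of_bounds(color_line.size(), v.cpp) ? "outside" : "inside");
    std::printf("checked parser rejects hostile header: %s\n",
                parse_values_checked(hostile, v) ? "no" : "yes");

    std::string chrs, keys;
    if (parse_values_checked("2 2 1 1", v) &&
        split_color_line("a\tc\t#000000", v.cpp, chrs, keys)) {
        std::printf("benign line: chars=\"%s\" keys=\"%s\"\n", chrs.c_str(), keys.c_str());
    }

    const std::string sniffed = "/* XPM */\nstatic char *x[] = {";  // constructed XPM prefix
    std::printf("content sniff: %s\n", looks_like_xpm(sniffed) ? "XPM, refusing" : "not XPM");
    return 0;
}
```

The out-of-bounds test is deliberately `cpp > line_len` rather than `>=`: with cpp equal to the line length the pointer sits on the terminator and strchr finds nothing, so no write happens, whereas any larger value puts the first tab-to-space store past the buffer. The content sniff is the stronger form of the advisory's mitigation because FreeImage_GetFIFFromFilename() trusts the extension, which the attacker controls.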

Talos

id: TALOS-2016-0189
last seen: 2019-05-29
published: 2016-10-03
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0189
title: FreeImage Library XMP Image Handling Code Execution Vulnerability