Vulnerabilities > CVE-2019-12211 - Out-of-bounds Write vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
When FreeImage 3.18.0 reads a tiff file, it will be handed to the Load function of the PluginTIFF.cpp file, but a memcpy occurs in which the destination address and the size of the copied data are not considered, resulting in a heap overflow.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 | |
| OS | 1 |
Common Weakness Enumeration (CWE)
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4593.NASL description It was found that freeimage, a graphics library, was affected by the following two security issues : - CVE-2019-12211 Heap buffer overflow caused by invalid memcpy in PluginTIFF. This flaw might be leveraged by remote attackers to trigger denial of service or any other unspecified impact via crafted TIFF data. - CVE-2019-12213 Stack exhaustion caused by unwanted recursion in PluginTIFF. This flaw might be leveraged by remote attackers to trigger denial of service via crafted TIFF data. last seen 2020-06-01 modified 2020-06-02 plugin id 132424 published 2019-12-30 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132424 title Debian DSA-4593-1 : freeimage - security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-4593. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(132424); script_version("1.2"); script_cvs_date("Date: 2020/01/02"); script_cve_id("CVE-2019-12211", "CVE-2019-12213"); script_xref(name:"DSA", value:"4593"); script_name(english:"Debian DSA-4593-1 : freeimage - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "It was found that freeimage, a graphics library, was affected by the following two security issues : - CVE-2019-12211 Heap buffer overflow caused by invalid memcpy in PluginTIFF. This flaw might be leveraged by remote attackers to trigger denial of service or any other unspecified impact via crafted TIFF data. - CVE-2019-12213 Stack exhaustion caused by unwanted recursion in PluginTIFF. This flaw might be leveraged by remote attackers to trigger denial of service via crafted TIFF data." ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929597" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2019-12211" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2019-12213" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/freeimage" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/stretch/freeimage" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/buster/freeimage" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2019/dsa-4593" ); script_set_attribute( attribute:"solution", value: "Upgrade the freeimage packages. For the oldstable distribution (stretch), these problems have been fixed in version 3.17.0+ds1-5+deb9u1. For the stable distribution (buster), these problems have been fixed in version 3.18.0+ds2-1+deb10u1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:freeimage"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/20"); script_set_attribute(attribute:"patch_publication_date", value:"2019/12/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/30"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"10.0", prefix:"libfreeimage-dev", reference:"3.18.0+ds2-1+deb10u1")) flag++; if (deb_check(release:"10.0", prefix:"libfreeimage3", reference:"3.18.0+ds2-1+deb10u1")) flag++; if (deb_check(release:"10.0", prefix:"libfreeimageplus-dev", reference:"3.18.0+ds2-1+deb10u1")) flag++; if (deb_check(release:"10.0", prefix:"libfreeimageplus-doc", reference:"3.18.0+ds2-1+deb10u1")) flag++; if (deb_check(release:"10.0", prefix:"libfreeimageplus3", reference:"3.18.0+ds2-1+deb10u1")) flag++; if (deb_check(release:"9.0", prefix:"libfreeimage-dev", reference:"3.17.0+ds1-5+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libfreeimage3", reference:"3.17.0+ds1-5+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libfreeimage3-dbg", reference:"3.17.0+ds1-5+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libfreeimageplus-dev", reference:"3.17.0+ds1-5+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libfreeimageplus-doc", reference:"3.17.0+ds1-5+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libfreeimageplus3", reference:"3.17.0+ds1-5+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libfreeimageplus3-dbg", reference:"3.17.0+ds1-5+deb9u1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Fedora Local Security Checks NASL id FEDORA_2019-655994894E.NASL description Backport fixes for CVE-2019-12211 and 2019-12213 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 131335 published 2019-11-27 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131335 title Fedora 31 : freeimage / mingw-freeimage (2019-655994894e) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2019-655994894e. # include("compat.inc"); if (description) { script_id(131335); script_version("1.2"); script_cvs_date("Date: 2019/12/09"); script_cve_id("CVE-2019-12211", "CVE-2019-12213"); script_xref(name:"FEDORA", value:"2019-655994894e"); script_name(english:"Fedora 31 : freeimage / mingw-freeimage (2019-655994894e)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Backport fixes for CVE-2019-12211 and 2019-12213 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-655994894e" ); script_set_attribute( attribute:"solution", value:"Update the affected freeimage and / or mingw-freeimage packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:freeimage"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mingw-freeimage"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:31"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/20"); script_set_attribute(attribute:"patch_publication_date", value:"2019/11/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/27"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^31([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 31", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC31", reference:"freeimage-3.18.0-6.fc31")) flag++; if (rpm_check(release:"FC31", reference:"mingw-freeimage-3.18.0-7.fc31")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "freeimage / mingw-freeimage"); }NASL family Debian Local Security Checks NASL id DEBIAN_DLA-2031.NASL description It was found that freeimage, a graphics library, was affected by the following two security issues : CVE-2019-12211 Heap buffer overflow caused by invalid memcpy in PluginTIFF. This flaw might be leveraged by remote attackers to trigger denial of service or any other unspecified impact via crafted TIFF data. CVE-2019-12213 Stack exhaustion caused by unwanted recursion in PluginTIFF. This flaw might be leveraged by remote attackers to trigger denial of service via crafted TIFF data. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 131964 published 2019-12-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131964 title Debian DLA-2031-1 : freeimage security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-2031-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(131964); script_version("1.2"); script_cvs_date("Date: 2019/12/16"); script_cve_id("CVE-2019-12211", "CVE-2019-12213"); script_name(english:"Debian DLA-2031-1 : freeimage security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "It was found that freeimage, a graphics library, was affected by the following two security issues : CVE-2019-12211 Heap buffer overflow caused by invalid memcpy in PluginTIFF. This flaw might be leveraged by remote attackers to trigger denial of service or any other unspecified impact via crafted TIFF data. CVE-2019-12213 Stack exhaustion caused by unwanted recursion in PluginTIFF. This flaw might be leveraged by remote attackers to trigger denial of service via crafted TIFF data. For Debian 8 'Jessie', these problems have been fixed in version 3.15.4-4.2+deb8u2. We recommend that you upgrade your freeimage packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2019/12/msg00012.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/freeimage" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libfreeimage-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libfreeimage3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libfreeimage3-dbg"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/20"); script_set_attribute(attribute:"patch_publication_date", value:"2019/12/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"libfreeimage-dev", reference:"3.15.4-4.2+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"libfreeimage3", reference:"3.15.4-4.2+deb8u2")) flag++; if (deb_check(release:"8.0", prefix:"libfreeimage3-dbg", reference:"3.15.4-4.2+deb8u2")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Fedora Local Security Checks NASL id FEDORA_2019-76F546B7B8.NASL description Backport fixes for CVE-2019-12211 and 2019-12213 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 131337 published 2019-11-27 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131337 title Fedora 30 : freeimage / mingw-freeimage (2019-76f546b7b8)
References
- https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/
- https://lists.debian.org/debian-lts-announce/2019/12/msg00012.html
- https://www.debian.org/security/2019/dsa-4593
- https://seclists.org/bugtraq/2019/Dec/45
- https://usn.ubuntu.com/4529-1/
- https://security.gentoo.org/glsa/202107-02
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PUWVVP67FYM4GMWD7TPQ7C7JPPRUZHYE/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZ7KBYPPNRMX7RRWVJSX4T63E3TFB6TG/