Source: freeimage
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,

The following vulnerabilities were published for freeimage.

These don't appear to have been reported upstream, could you check with the upstream developers?

CVE-2023-47992[0]:
| An integer overflow vulnerability in
| FreeImageIO.cpp::_MemoryReadProc in FreeImage 3.18.0 allows
| attackers to obtain sensitive information, cause a denial-of-service
| attacks and/or run arbitrary code.

https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47992

CVE-2023-47993[1]:
| A Buffer out-of-bound read vulnerability in Exif.cpp::ReadInt32 in
| FreeImage 3.18.0 allows attackers to cause a denial-of-service.

https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47993

CVE-2023-47994[2]:
| An integer overflow vulnerability in LoadPixelDataRLE4 function in
| PluginBMP.cpp in Freeimage 3.18.0 allows attackers to obtain
| sensitive information, cause a denial of service and/or run
| arbitrary code.

https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47994

CVE-2023-47996[4]:
| An integer overflow vulnerability in Exif.cpp::jpeg_read_exif_dir in
| FreeImage 3.18.0 allows attackers to obtain information and cause a
| denial of service.

https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47996

CVE-2023-47997[5]:
| An issue discovered in BitmapAccess.cpp::FreeImage_AllocateBitmap in
| FreeImage 3.18.0 leads to an infinite loop and allows attackers to
| cause a denial of service.

https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47997

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-47992
    https://www.cve.org/CVERecord?id=CVE-2023-47992
[1] https://security-tracker.debian.org/tracker/CVE-2023-47993
    https://www.cve.org/CVERecord?id=CVE-2023-47993
[2] https://security-tracker.debian.org/tracker/CVE-2023-47994
    https://www.cve.org/CVERecord?id=CVE-2023-47994
[3] https://security-tracker.debian.org/tracker/CVE-2023-47995
    https://www.cve.org/CVERecord?id=CVE-2023-47995
[4] https://security-tracker.debian.org/tracker/CVE-2023-47996
    https://www.cve.org/CVERecord?id=CVE-2023-47996
[5] https://security-tracker.debian.org/tracker/CVE-2023-47997
    https://www.cve.org/CVERecord?id=CVE-2023-47997

Please adjust the affected versions in the BTS as needed.
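The bug class the first CVE text names, an integer overflow in a memory-backed read procedure, is easy to reproduce in miniature. The C below is an added illustration, not FreeImage's code and not a claim about what CVE-2023-47992 looks like in FreeImageIO.cpp: the `mem_file_t` struct, the function names and the 64-byte sample buffer are assumptions chosen to show the pattern. The only thing borrowed from FreeImage is the shape of a FreeImageIO read callback (buffer, element size, element count, handle), which is also the shape of `fread`. `unsafe_copy_len` does the request arithmetic in 32-bit unsigned integers, so a large `count` wraps `position + bytes` past zero and the bounds check accepts a copy that would run far past the buffer; `safe_copy_len` widens the arithmetic, clamps to what actually remains and rounds down to whole items, and `mem_read` uses it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed in-memory "file" (an assumption; not FreeImage's handle). */
typedef struct {
    const uint8_t *data;   /* backing buffer */
    uint32_t length;       /* total bytes available */
    uint32_t position;     /* read cursor */
} mem_file_t;

/* Vulnerable pattern: returns how many bytes the caller would copy.
 * size*count and position+bytes are both 32-bit, so either can wrap and
 * the comparison lets an over-read through. Never memcpy with this. */
uint32_t unsafe_copy_len(const mem_file_t *f, uint32_t size, uint32_t count) {
    uint32_t bytes = size * count;           /* may wrap */
    if (f->position + bytes > f->length)     /* sum may wrap to a small value */
        bytes = f->length - f->position;
    return bytes;
}

/* Hardened pattern: compute in 64 bits (32-bit inputs cannot overflow it),
 * clamp to the bytes that remain, and copy whole items only, like fread. */
uint32_t safe_copy_len(const mem_file_t *f, uint32_t size, uint32_t count) {
    if (f->position > f->length) return 0;   /* corrupted cursor: read nothing */
    uint64_t remaining = (uint64_t)f->length - f->position;
    uint64_t bytes = (uint64_t)size * count;
    if (bytes > remaining) bytes = remaining;
    if (size) bytes -= bytes % size;         /* partial trailing item is dropped */
    return (uint32_t)bytes;
}

/* Read callback in the shape of a FreeImageIO read proc: copies whole
 * items, advances the cursor and returns the number of items read. */
uint32_t mem_read(void *buffer, uint32_t size, uint32_t count, mem_file_t *f) {
    uint32_t bytes = safe_copy_len(f, size, count);
    memcpy(buffer, f->data + f->position, bytes);
    f->position += bytes;
    return size ? bytes / size : 0;
}

/* Constructed 64-byte sample (0x00..0x3F) with the cursor at offset 16,
 * so 48 bytes remain. */
static uint8_t sample_data[64];

static mem_file_t sample_file(void) {
    for (unsigned i = 0; i < sizeof sample_data; i++) sample_data[i] = (uint8_t)i;
    mem_file_t f = { sample_data, (uint32_t)sizeof sample_data, 16 };
    return f;
}

/* count = 0xFFFFFFF0 one-byte items: position + bytes wraps to 0, the check
 * passes, and the vulnerable variant would copy 0xFFFFFFF0 bytes. */
uint32_t demo_unsafe_wrap(void) {
    mem_file_t f = sample_file();
    return unsafe_copy_len(&f, 1, 0xFFFFFFF0u);
}

/* Same request against the hardened check: clamped to the 48 bytes left. */
uint32_t demo_safe_wrap(void) {
    mem_file_t f = sample_file();
    return safe_copy_len(&f, 1, 0xFFFFFFF0u);
}

/* Ask for 100 items of `size` bytes; returns items read, or -1 if the bytes
 * copied or the cursor do not match the source. 48 bytes remain, so size 4
 * yields 12 items and size 5 yields 9 (45 bytes, 3 left unread). */
int demo_read(uint32_t size) {
    mem_file_t f = sample_file();
    uint8_t out[64];
    memset(out, 0xAA, sizeof out);
    uint32_t items = mem_read(out, size, 100, &f);
    if (memcmp(out, sample_data + 16, items * size) != 0) return -1;
    if (f.position != 16 + items * size) return -1;
    return (int)items;
}

int main(void) {
    printf("unsafe check would copy %u bytes\n", demo_unsafe_wrap());
    printf("safe check copies %u bytes\n", demo_safe_wrap());
    printf("4-byte items read: %d, 5-byte items read: %d\n", demo_read(4), demo_read(5));
    return 0;
}
```

The same two checks apply wherever a file or EXIF parser turns attacker-controlled lengths or counts into a buffer offset: do the multiplication in a type wide enough to hold the product of the input widths, compare the result against the bytes that remain rather than against the total length, and treat a cursor already past the end as a hard error rather than something to subtract from.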