[Urgent security issue] FreeImage arbitrary code execution vulnerability

[MissLavender-LQ]

Prerequisites

• I have verified this issue is present in the develop branch
• I have searched open and closed issues to ensure it has not already been reported.

MonoGame Version

na

Which MonoGame platform are you using?

N/A

Operating System

na

Description

main 2 I think is the most important to point out

• [CVE-2023-47994]
• [CVE-2023-47992]

both of these can run arbitrary code one of them being from the BMP plugin
so I am assuming a person could get a user to load a malicious BMP or a file with a malicious bpm inside of it

Free Image should either be forked and fixed asap or abandoned for a different library

active project i could find that use freeimage
https://github.com/sirjuddington/SLADE
https://github.com/TrenchBroom/TrenchBroom
https://github.com/RetroPie/EmulationStation
https://github.com/MonoGame/MonoGame
https://github.com/meganz/MEGAsync
https://github.com/OGRECave/ogre
https://github.com/OGRECave/ogre-next
https://github.com/Open-Cascade-SAS/OCCT
https://github.com/arrayfire/forge
https://git.sr.ht/~exec64/imv
https://github.com/arrayfire/arrayfire

Free Image v3.18.0

• [CVE-2021-33367] (https://nvd.nist.gov/vuln/detail/CVE-2021-33367)
  Buffer Overflow vulnerability in Freeimage v3.18.0 allows attacker to cause a denial of service via a crafted JXR file.

• [CVE-2023-47992] (https://nvd.nist.gov/vuln/detail/CVE-2023-47992)
  An integer overflow vulnerability in FreeImageIO.cpp::_MemoryReadProc in FreeImage 3.18.0 allows attackers to obtain sensitive information, cause a denial-of-service attacks and/or run arbitrary code.

• [CVE-2023-47993] (https://nvd.nist.gov/vuln/detail/CVE-2023-47993)
  A Buffer out-of-bound read vulnerability in Exif.cpp::ReadInt32 in FreeImage 3.18.0 allows attackers to cause a denial-of-service.

• [CVE-2023-47994] (https://nvd.nist.gov/vuln/detail/CVE-2023-47994)
  An integer overflow vulnerability in LoadPixelDataRLE4 function in PluginBMP.cpp in Freeimage 3.18.0 allows attackers to obtain sensitive information, cause a denial of service and/or run arbitrary code.

• [CVE-2023-47995] (https://nvd.nist.gov/vuln/detail/CVE-2023-47995)
  Memory Allocation with Excessive Size Value discovered in BitmapAccess.cpp::FreeImage_AllocateBitmap in FreeImage 3.18.0 allows attackers to cause a denial of service.

• [CVE-2023-47996] (https://nvd.nist.gov/vuln/detail/CVE-2023-47996)
  An integer overflow vulnerability in Exif.cpp::jpeg_read_exif_dir in FreeImage 3.18.0 allows attackers to obtain information and cause a denial of service.

Free Image before v1.18.0

• [CVE-2021-40262] (https://nvd.nist.gov/vuln/detail/CVE-2021-40262)
  A stack exhaustion issue was discovered in FreeImage before 1.18.0 via the Validate function in PluginRAW.cpp.

• [CVE-2021-40263] (https://nvd.nist.gov/vuln/detail/CVE-2021-40263)
  A heap overflow vulnerability in FreeImage 1.18.0 via the ofLoad function in PluginTIFF.cpp.

• [CVE-2021-40264] (https://nvd.nist.gov/vuln/detail/CVE-2021-40264)
  NULL pointer dereference vulnerability in FreeImage before 1.18.0 via the FreeImage_CloneTag function inFreeImageTag.cpp.

• [CVE-2021-40265] (https://nvd.nist.gov/vuln/detail/CVE-2021-40265)
  A heap overflow bug exists FreeImage before 1.18.0 via ofLoad function in PluginJPEG.cpp.

• [CVE-2021-40266] (https://nvd.nist.gov/vuln/detail/CVE-2021-40266)
  FreeImage before 1.18.0, ReadPalette function in PluginTIFF.cpp is vulnerabile to null pointer dereference.

Steps to Reproduce

na

Minimal Example Repo

No response

Expected Behavior

na

Resulting Behavior

na

Files

na

[dpasukhi]

FreeImage out of maintance for a while.
It is not clear how to fix all of them beeng out of maintance.
Probably only one alive solution is https://github.com/WinMerge/freeimage

[mrhelmut]

Nothing alarming in my book and there is no action to take from developers using MonoGame. Games made with MonoGame are not exposed (because freeimage is not used by games themselves).

---

It should be easy to replace freeimage with StbImageSharp, which MonoGame already uses in other places. That would be a native dependency that we don't need anymore, which is always good.

Note that freeimage is only used by the content pipeline when importing image files (i.e. building XNBs). It is never used at runtime (and does not ship with games) and therefore games made with MonoGame are unbothered by this vulnerability (unless someone explicitly embed the content pipeline into a game, which is very unlikely).

TL;DR; it is very unlikely that this vulnerability can be exploited with MonoGame and if it does it would affect only developers, not players. It's easy to replace freeimage entirely, though.