Tech Support
Documentation
Login
Contact Us
Multiple FreeImage Vulnerabilities Fixed in Ubuntu
Rohan Timalsina
February 21, 2024 - TuxCare expert team
Multiple vulnerabilities were discovered in FreeImage, an open-source support library for graphic image formats. These vulnerabilities, when left unaddressed, could potentially lead to denial of service attacks. On 16th January 2024, the Ubuntu security team released critical security updates addressing several FreeImage vulnerabilities in different Ubuntu releases, including Ubuntu 16.04 and Ubuntu 18.04.
However, both releases have reached the end of life, so the security updates are only available if you have an Ubuntu Pro subscription. Alternatively, you can opt for an affordable option to secure your Ubuntu 16.04 and Ubuntu 18.04 workloads with TuxCare’s Extended Lifecycle Support.
TuxCare provides five additional years of vendor-grade security patches for Ubuntu 16.04 and Ubuntu 18.04 after the EOL period. With no security updates, the EOL systems are at high risk of successful exploits. But with TuxCare, you can continue receiving security patches and maintain the security as well as compliance of your Ubuntu 16.04 and Ubuntu 18.04 servers.
What is FreeImage Library
The FreeImage library is an open-source, cross-platform image processing library that supports various image formats, such as PNG, BMP, JPEG, TIFF, and others. It provides developers with a comprehensive set of tools for loading, saving, converting, and manipulating images in their software applications. FreeImage is widely used in graphics-related software development due to its versatility, ease of use, and extensive format support.
FreeImage is available in two versions: a binary DLL distribution, seamlessly linkable with any WIN32 or WIN64 C/C++ compiler, and a source distribution. You can get them from the official download page.
Ubuntu Fixes 5 FreeImage Vulnerabilities
As mentioned in the Ubuntu Security Notice, several Ubuntu versions, including Ubuntu 23.10, Ubuntu 23.04, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, Ubuntu 18.04, Ubuntu 16.04, and Ubuntu 14.04 were affected.
CVE-2019-12211 (Cvss 3 Severity Score: 7.5 High)
This vulnerability revolves around FreeImage’s mishandling of certain memory operations. Crafted TIFF files could trigger a heap buffer overflow, potentially leading to a denial of service attack. This vulnerability only impacted Ubuntu 16.04 LTS and Ubuntu 20.04 LTS.
CVE-2019-12213 (Cvss 3 Severity Score: 6.5 Medium)
Here, FreeImage incorrectly processes images under certain conditions. Similar to the previous vulnerability, crafted TIFF files could allow attackers to cause a stack exhaustion condition, resulting in a denial of service. Ubuntu 16.04 LTS and Ubuntu 20.04 LTS are only the affected versions.
CVE-2020-21427 & CVE-2020-21428 (Cvss 3 Severity Score: 7.8 High)
These buffer overflow vulnerabilities stem from FreeImage’s incorrect processing of certain images via a crafted image file. A remote attacker could exploit these flaws to cause a denial of service or execute arbitrary code.
CVE-2020-22524 (Cvss 3 Severity Score: 6.5 Medium)
This vulnerability involves the incorrect processing of certain image files by FreeImage. A specifically crafted PFM file could lead to a buffer overflow vulnerability, which can be exploited by attackers to cause a denial of service.
Conclusion
The Ubuntu security updates highlight the ongoing efforts to safeguard against vulnerabilities within popular libraries like FreeImage. By staying informed and proactive in applying security patches, users can contribute to a safer and more resilient computing environment. Ubuntu users are strongly advised to update their FreeImage versions to the latest version promptly.
Debian 11 and Debian 12 received the fixes for these vulnerabilities on December 17, 2023, and Debian users are also advised to upgrade the existing installations of freeimage packages.
TuxCare’s KernelCare Enterprise offers live patching services for Linux, eliminating the need to restart the system or schedule maintenance windows. The supported distributions include all popular enterprise distros, such as Ubuntu, Debian, RHEL, CentOS, AlmaLinux, Rocky Linux, and Oracle Linux. Additionally, KernelCare Enterprise automates the deployment of security patches, ensuring they are applied immediately throughout your Linux ecosystem.
Source: USN-6586-1
