[SECURITY] [DLA 3662-1] freeimage security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3662-1] freeimage security update
From: gladk@debian.org
Date: Sat, 25 Nov 2023 22:36:10 +0100 (CET)
Message-id: <[🔎] 20231125213610.86F204A03B7@localhost.localdomain>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3662-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
November 24, 2023                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : freeimage
Version        : 3.18.0+ds2-1+deb10u2
CVE ID         : CVE-2020-21427 CVE-2020-21428 CVE-2020-22524

Multiple vulnerabilities were discovered in freeimage, library for graphics
image formats.

  CVE-2020-21427
    Buffer overflow vulnerability in function LoadPixelDataRLE8
    in PluginBMP.cpp allows remote attackers to run arbitrary code and cause
    other impacts via crafted image file.

  CVE-2020-21428
    Buffer overflow vulnerability in function LoadRGB in
    PluginDDS.cpp allows remote attackers to run arbitrary code and cause other
    impacts via crafted image file.

  CVE-2020-22524
    Buffer overflow vulnerability in FreeImage_Load function
    allows remote attackers to run arbitrary code and cause other
    impacts via crafted PFM file.

For Debian 10 buster, these problems have been fixed in version
3.18.0+ds2-1+deb10u2.

We recommend that you upgrade your freeimage packages.

For the detailed security status of freeimage please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/freeimage

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmViaMcACgkQ0+Fzg8+n
/wbfcA//RfK84oSrGHPa0vBYrx8iGy+EjQWEvG9nxI6dfBHUAxi0m/Mq/qC2gv28
L3i5bPnP88DMhSfmLt0TfDBoHNfxiU/PbUuVNJ0ZLILl4pJ1IXrrPr1/yOFp4Wfs
cuknlSG3j1BoFmZvRCkGUNpGObn1fYGxe6+U7bo0oB9X+56+J70rSCbH6pJwOIqs
50nvJ7BQZOxFGLkm8emcqBjUU/2EjeNNm5noJBK6S8/v1jYy4n2pPKkV6RYwTkjc
7bLl5c14aqa5PPmgl3rMQY/XAQoafxiHvjVWsaxM92lQoITBFn+LJMpfoC27RKrH
iR5jJO3OIR8nsWz8uVgtphgRKS44Rj+F+E0/EAT07D/g0esKgM8216FPyI6MfWNW
L0ttCX70TLupUxDqxyYr1VWaEUlgX374pwahPqA2bFkSVgiBhJ+Z9PpFkcFI5LkA
G06EDmLq2gZik8Bi0kJvDNx/4NIogBAeaSnZrvDCP93EoVQTp8pGiCvaaDcXOCUu
kkfRLqj244T38XNCwpSllXJQiGa9nLckFAnhWhfu2vwr3xm9e5dVzZs70QMym6wz
v9w+WhLZHNsuKmxfzxZxPeduRrLz4hzCp3eTBqMBNKmsl5XmUAVYkwew2rQSONUa
5AOqvICyHdC1UjU+qO8mFlv51rCtSxpukmeFYtYJXgChiy0zM5I=
=kERO
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3664-1] symfony security update
Next by Date: [SECURITY] [DLA 3665-1] node-json5 security update
Previous by thread: [SECURITY] [DLA 3664-1] symfony security update
Next by thread: [SECURITY] [DLA 3665-1] node-json5 security update
Index(es):
- Date
- Thread