Alien::FreeImage
cpe:2.3:a:freeimage_project:freeimage:*:*:*:*:*:*:*
- <= 3.17.0
- <= 3.18.0
Alien::FreeImage versions through 1.001 for Perl bundle several libraries with known vulnerabilities. Notably, they include FreeImage library version 3.17.0, which is affected by integer underflows that allow heap memory corruption (CVE-2015-0852) and by an integer overflow in the PSD parser that causes a denial of service (CVE-2025-65803). Additionally, FreeImage 3.17.0 and earlier has multiple integer underflows that can be exploited to cause heap memory corruption, particularly through vectors related to image dimensions.
The vulnerabilities in FreeImage 3.17.0 and earlier versions allow heap memory corruption, which can crash the application (a denial-of-service condition) or potentially lead to arbitrary code execution.
The vulnerability can be reproduced with Alien::FreeImage 1.001 or earlier, which includes FreeImage 3.17.0. Once this version is installed, the known vulnerable libraries it bundles can be exploited. CVE-2015-0852 is triggered by a crafted image file whose width and height values cause an integer underflow when FreeImage processes them. CVE-2025-65803 is triggered by supplying a crafted PSD file to an application that uses FreeImage for image processing.
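The bug class named above for CVE-2015-0852, an unsigned underflow in dimension arithmetic that then sizes a heap buffer, shown beside a checked form. This is an added example and not FreeImage's code; the header layout, function names and both limits are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical header: image extent stored as inclusive corner coordinates. */
typedef struct {
    uint32_t x_min, y_min, x_max, y_max;
    uint32_t bytes_per_pixel;
} img_header;

#define MAX_DIMENSION   65535u        /* assumed policy limit for this example */
#define MAX_IMAGE_BYTES (256u << 20)  /* assumed allocation cap: 256 MiB */

/* Unchecked pattern: when x_max < x_min the unsigned subtraction wraps, so
 * the "width" becomes a value near UINT32_MAX instead of an error. */
uint32_t width_unchecked(const img_header *h)
{
    return h->x_max - h->x_min + 1u;
}

/* Checked pattern: reject inverted or oversized extents before any
 * arithmetic can wrap. Returns false and leaves *out untouched on reject. */
bool buffer_size_checked(const img_header *h, size_t *out)
{
    if (h->x_max < h->x_min || h->y_max < h->y_min)
        return false;                          /* subtraction would underflow */
    uint32_t w = h->x_max - h->x_min;          /* cannot wrap after the check */
    uint32_t rows = h->y_max - h->y_min;
    if (w >= MAX_DIMENSION || rows >= MAX_DIMENSION)
        return false;                          /* keeps the +1 below in range */
    if (h->bytes_per_pixel == 0 || h->bytes_per_pixel > 8)
        return false;
    /* 64-bit product of bounded factors: at most 65535 * 65535 * 8. */
    uint64_t total = (uint64_t)(w + 1u) * (rows + 1u) * h->bytes_per_pixel;
    if (total > MAX_IMAGE_BYTES)
        return false;
    *out = (size_t)total;
    return true;
}

int main(void)
{
    img_header bad = {10, 0, 5, 479, 3};       /* constructed: x_max < x_min */
    size_t n = 0;
    printf("unchecked width: %u\n", (unsigned)width_unchecked(&bad));
    printf("checked accepts: %d\n", buffer_size_checked(&bad, &n));
    return 0;
}
```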