CVE-2023-47997: 
Homebrew vulnerability analysis and mitigation

An infinite loop vulnerability was discovered in BitmapAccess.cpp::FreeImage_AllocateBitmap in FreeImage 3.18.0. The vulnerability was disclosed on January 9, 2024, and affects the FreeImage library, which is a multi-format image processing library (NVD, MITRE).

The vulnerability exists in the Load function within PluginTIFF.cpp. When Bpc (bytes per pixel) equals 0, the function enters an infinite loop condition because src_bits += Bpc does not change the value of src_bits, causing the loop condition src_bits < src_line_end to remain perpetually true. The issue occurs in the Release version where assert statements are effectively ignored (GitHub POC). The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD).

The vulnerability allows attackers to cause a denial of service condition by triggering an infinite loop in the image processing functionality. This can lead to system resource exhaustion and affect the availability of services using the FreeImage library (NVD).

Fedora has released security updates to address this vulnerability in versions 38, 39, and 40 of the freeimage package. Users are advised to upgrade to version 3.19.0-0.23.svn1909 which includes patches for CVE-2023-47997 (Fedora Update).