Your message dated Tue, 23 Jul 2019 21:34:40 +0000
with message-id <[email protected]>
and subject line Bug#932754: fixed in libsdl2-image 2.0.5+dfsg1-1
has caused the Debian Bug report #932754,
regarding libsdl2-image: multiple security issues
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
932754: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932754
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libsdl2-image
Version: 2.0.4+dfsg1-1
Severity: important
Tags: security upstream
Hi,
the following security issues[0] were published for libsdl2-image:
* CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c.
* CVE-2019-5051: heap-based buffer overflow in IMG_pcx.c.
* CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
* CVE-2019-12216, CVE-2019-12217, CVE-2019-12218, CVE-2019-12219, CVE-2019-12220, CVE-2019-12221, CVE-2019-12222: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
Fixing these issues:
Patches are quite straightforward and I believe that some of these
issues are worth fixing (reporter claims that they are "exploitable").
I have prepared and uploaded a jessie LTS update addressing most of these
issues (all of them apart from CVE-2019-5051) via targeted fixes.
If the security team agrees, I will provide targeted fixes for buster and
stretch.
For testing, I suggest packaging the latest upstream release. If needed, I
can provide an update with targeted fixes.
regards,
Hugo
[0] https://security-tracker.debian.org/tracker/source-package/libsdl2-image
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
--- End Message ---
--- Begin Message ---
Source: libsdl2-image
Source-Version: 2.0.5+dfsg1-1
We believe that the bug you reported is fixed in the latest version of
libsdl2-image, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Felix Geyer <[email protected]> (supplier of updated libsdl2-image package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 23 Jul 2019 23:15:23 +0200
Source: libsdl2-image
Architecture: source
Version: 2.0.5+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian SDL packages maintainers <[email protected]>
Changed-By: Felix Geyer <[email protected]>
Closes: 932754
Changes:
libsdl2-image (2.0.5+dfsg1-1) unstable; urgency=medium
.
* New upstream version, fixing various security issues: (Closes: #932754)
- CVE-2019-5051
- CVE-2019-5052
- CVE-2019-7635
- CVE-2019-12216
- CVE-2019-12217
- CVE-2019-12218
- CVE-2019-12219
- CVE-2019-12220
- CVE-2019-12221
- CVE-2019-12222
* Switch to debhelper compat level 12.
Checksums-Sha1:
2f0557829c2a5a35ab2486f7506e9d5743a3e31d 2246 libsdl2-image_2.0.5+dfsg1-1.dsc
710214052344d319de9d40a0aa9f0e6545e6d7df 311924 libsdl2-image_2.0.5+dfsg1.orig.tar.xz
0ef7a629bb4371c666641095af5254a1d6dc2a19 7528 libsdl2-image_2.0.5+dfsg1-1.debian.tar.xz
Checksums-Sha256:
5cb0fbba3e36c026b9ab03f5e224b3a65f1f8132100a2ec37862e2ed359fbfc7 2246 libsdl2-image_2.0.5+dfsg1-1.dsc
d390baf1cf80c5e006a6bf06c582ab25eea44ecb07ecb38175ef7f59c71035eb 311924 libsdl2-image_2.0.5+dfsg1.orig.tar.xz
284497c3ffc60c5dd6e10fec442690012f0ee5dc76bf5a5c0742f704b7c861a9 7528 libsdl2-image_2.0.5+dfsg1-1.debian.tar.xz
Files:
91ceb07cad291b85a99fbfd1ebc4f576 2246 libs optional libsdl2-image_2.0.5+dfsg1-1.dsc
10c81baa2c910286e168c9597650da0e 311924 libs optional libsdl2-image_2.0.5+dfsg1.orig.tar.xz
07e262d6e5784e4da00efc15c9cf8eb2 7528 libs optional libsdl2-image_2.0.5+dfsg1-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEFkxwUS95KUdnZKtW/iLG/YMTXUUFAl03eZAACgkQ/iLG/YMT
XUU0yg//STc6whlScbO/VARO0H2FlFTjo4M1DQQLzl0J2KwKD4luIQz0iDqKRAHk
tWBQE0U/HPH/RT+ZJEG/mL4gbPfL31FHR0kte4plWBk53k+Wf5xsK8kWkq+ypCDF
8l3tIyuRfrj8QRIrf7z0iW2kAgtvI/JFuCL6vp8dqeeT/5avxhfUpgRdCReLrCKs
LrN9ZeMv/4yQMrdLkLR35Z4G7oWsPkGjLoc5F00QJvk2iEArMsHeCsNjLZJvHgmj
c1PxISQykpmexwTWpXh/qgb1dY6D6qheT8eOuqaWbit9X9UO8Pp4tEVyndPq78dI
I+VhKwS3X1Mz5a8M7AzMcS6f+64pUHI8t5C6OXXjeOg6bXuOa3Mwjltrw7GYx6lu
P7+8xK7LX9iweUMUME/1JYvmBkgnW5W3IOlPIkAgNPkb/tvXZkhPy3uIvlx0XYgM
d8UtxzEBEhph8lrTmAk8UTIQgEfxfbMFvAT3RO4m+EQkLLpiAbEC6TnFUb5x+jVT
tEFkLqSUNFOPTuaYpr6NlQJ8cJABrH1rRwB6W60Cao5cdhdK9YOLEGJulHY4y55K
+x8Eiq4iMn8DUTVJac78NP0gYagwDdLW/NYKT191NOiT6SAgn5zEjEOnl7cmWl6X
HPsUalu7c9vsWYNkAxfATa+6xS2DU6XewWzshZi01oF421tAvGo=
=yCqN
-----END PGP SIGNATURE-----
--- End Message ---