Your message dated Tue, 30 Jul 2019 21:06:00 +0000
with message-id <[email protected]>
and subject line Bug#932754: fixed in libsdl2-image 2.0.1+dfsg-2+deb9u2
has caused the Debian Bug report #932754,
regarding libsdl2-image: multiple security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
932754: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932754
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: libsdl2-image
Version: 2.0.4+dfsg1-1
Severity: important
Tags: security upstream

Hi,

the following security issues[0] were published for libsdl2-image:

* CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c.

* CVE-2019-5051: heap-based buffer overflow in IMG_pcx.c.

* CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).

* CVE-2019-12216, CVE-2019-12217,
  CVE-2019-12218, CVE-2019-12219,
  CVE-2019-12220, CVE-2019-12221,
  CVE-2019-12222: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).

Fixing these issues:

Patches are quite straightforward and I believe that some of these
issues are worth fixing (reporter claims that they are "exploitable").

I have prepared and uploaded a jessie LTS update addressing most of these
issues (all of them apart from CVE-2019-5051) via targeted fixes.

If the security team agrees, I will provide targeted fixes for buster and
stretch.

For testing, I suggest packaging the latest upstream release. If needed, I
can provide an update with targeted fixes.

regards,
Hugo

[0] https://security-tracker.debian.org/tracker/source-package/libsdl2-image

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Source: libsdl2-image
Source-Version: 2.0.1+dfsg-2+deb9u2

We believe that the bug you reported is fixed in the latest version of
libsdl2-image, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 932754@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hugo Lefeuvre <hle@debian.org> (supplier of updated libsdl2-image package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 27 Jul 2019 13:19:47 -0300
Source: libsdl2-image
Binary: libsdl2-image-2.0-0 libsdl2-image-dbg libsdl2-image-dev
Architecture: source amd64
Version: 2.0.1+dfsg-2+deb9u2
Distribution: stretch
Urgency: medium
Maintainer: Debian SDL packages maintainers <[email protected]>
Changed-By: Hugo Lefeuvre <hle@debian.org>
Description:
 libsdl2-image-2.0-0 - Image loading library for Simple DirectMedia Layer 2, libraries
 libsdl2-image-dbg - Image loading library for Simple DirectMedia Layer 2, debugging s
 libsdl2-image-dev - Image loading library for Simple DirectMedia Layer 2, development
Closes: 932754
Changes:
 libsdl2-image (2.0.1+dfsg-2+deb9u2) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Multiple security issues (Closes: #932754):
     - CVE-2018-3977: buffer overflow in do_layer_surface (IMG_xcf.c).
     - CVE-2019-5052: integer overflow and subsequent buffer overflow in
       IMG_pcx.c.
     - CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
     - CVE-2019-12216, CVE-2019-12217,
       CVE-2019-12218, CVE-2019-12219,
       CVE-2019-12220, CVE-2019-12221,
       CVE-2019-12222, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
Checksums-Sha1:
 e71b662d56139854f26ace32ea8717f86af37711 2218 libsdl2-image_2.0.1+dfsg-2+deb9u2.dsc
 a03ea2d15632d77b487dd60f408d76fa4c1879bc 9956 libsdl2-image_2.0.1+dfsg-2+deb9u2.debian.tar.xz
 2702c2a07a13ac6d4d7b4c79813cdab7982ccba0 39686 libsdl2-image-2.0-0_2.0.1+dfsg-2+deb9u2_amd64.deb
 51a339f1fd65882df61bd5cdd128bb942c3d1a93 93072 libsdl2-image-dbg_2.0.1+dfsg-2+deb9u2_amd64.deb
 487997aa1a3bd890e6b3c4c3955a7f125d3e54a0 44582 libsdl2-image-dev_2.0.1+dfsg-2+deb9u2_amd64.deb
 ebcea5f005876edc5d4bee6992e6d7be7abe3627 11614 libsdl2-image_2.0.1+dfsg-2+deb9u2_amd64.buildinfo
Checksums-Sha256:
 0e76f5dbb614248676c0a2201e267cf7830c7935bc100c0b2efbf8e8a81f8d95 2218 libsdl2-image_2.0.1+dfsg-2+deb9u2.dsc
 7d205e0b4268d7795cd62b232ecd817298fc861c05e3dc13b680c4fd4b3538d0 9956 libsdl2-image_2.0.1+dfsg-2+deb9u2.debian.tar.xz
 4fb1943a4eaa1661a2e3ce437d721a9b78f5faa6a810aa24e63cf5071d054822 39686 libsdl2-image-2.0-0_2.0.1+dfsg-2+deb9u2_amd64.deb
 40958d47163ae1ca83f0e2af88d7ae9d331b60b18dd92db154d4f43d66d8345c 93072 libsdl2-image-dbg_2.0.1+dfsg-2+deb9u2_amd64.deb
 8a9f0abefcd0121bbbacc41dfa984ecde24d2f580a37270f290ae768f1ee11b5 44582 libsdl2-image-dev_2.0.1+dfsg-2+deb9u2_amd64.deb
 d622f1f78eef8bf3afd138c5d8977e803cf62823a7cdc77e7fa981d3cabd44c0 11614 libsdl2-image_2.0.1+dfsg-2+deb9u2_amd64.buildinfo
Files:
 cd8a0b53c64edaa44491e67f4b1708d8 2218 libs optional libsdl2-image_2.0.1+dfsg-2+deb9u2.dsc
 97022c1c4d9075d546474962f997e582 9956 libs optional libsdl2-image_2.0.1+dfsg-2+deb9u2.debian.tar.xz
 47cc959dfb31476812acc8e93f4bfa1b 39686 libs optional libsdl2-image-2.0-0_2.0.1+dfsg-2+deb9u2_amd64.deb
 331f8c988360f86b33d3d73269e2f53c 93072 debug extra libsdl2-image-dbg_2.0.1+dfsg-2+deb9u2_amd64.deb
 772d5fd3c2038c1c84679b2084a2b325 44582 libdevel optional libsdl2-image-dev_2.0.1+dfsg-2+deb9u2_amd64.deb
 10b2967ddf869aef5ee0678a21579936 11614 libs optional libsdl2-image_2.0.1+dfsg-2+deb9u2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQHDBAEBCgAtFiEEeDb9QWtkMa2LX4zREeMFjl5EGkIFAl08xOgPHGhsZUBkZWJp
YW4ub3JnAAoJEBHjBY5eRBpC++8L/jsE6+Yx2T391x2vyKtQkdsRwUBDgKPkZAZM
rosU3COkJho0NMHT0XAmvctCDAV7ZrsOdnqE9ZUKRvfluOeyfwM7t446bOIOz5cM
8nTR2S4Sq0jkZj+plYuJbvj6THfzLFDZfhu+3Oj2qRd3DGitXKJh6NWnMtGr1H9Z
X9yeRrRJgLf5iD8ceD5cscqIkyAz4STy+mxDRSE4iDug1ezsAKz6e2oojJeT4OM5
XDPk9ZCg/HxvCazetYYD6AhO6qbrQ7IPg9gTMF393FVUxks3owzJr/2GiyVUJGQ/
1nTYMxycPjXYDHyLZuA2E7Y7KvHKaxss839qzJAcxgm+pSaaAZxdGmeo/6zPzl4H
EjdENXb/nbbGPzWpU9gzxQDg7UG2MejugEr1XoNe011CcfLPvlBEzWCjDlfvbLUQ
ebjElYG4vpfsKvTdHK9rOQOSo9NdF3M45lUU+L+tDCjG1VYhR2rMGHGwmFmivwMu
JdvzMIT34qpK3yG9Uf1FzKQmN37qVw==
=FkhZ
-----END PGP SIGNATURE-----

--- End Message ---
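The accept mail above carries the signed .changes file with SHA-256 checksums for every artefact of the 2.0.1+dfsg-2+deb9u2 upload. The script below is an added example, not part of the bug report or of the libsdl2-image package: it parses the Checksums-Sha256 stanza of a .changes file and verifies downloaded files against it, reporting missing, wrongly sized and wrongly hashed files separately. The embedded stanza is copied from the .changes quoted above; the on-disk file layout, the function names and the command-line usage are assumptions.

```python
"""Verify downloaded Debian package files against the Checksums-Sha256
stanza of a .changes file.

Added example (not the bug report's or the package's own code). The
CHANGES_TEXT stanza is copied from the libsdl2-image 2.0.1+dfsg-2+deb9u2
.changes quoted above; directory layout and helper names are assumptions.
"""
import hashlib
import os
import re

# Copied from the .changes above; only the fields this script needs.
CHANGES_TEXT = """\
Format: 1.8
Source: libsdl2-image
Version: 2.0.1+dfsg-2+deb9u2
Checksums-Sha256:
 0e76f5dbb614248676c0a2201e267cf7830c7935bc100c0b2efbf8e8a81f8d95 2218 libsdl2-image_2.0.1+dfsg-2+deb9u2.dsc
 7d205e0b4268d7795cd62b232ecd817298fc861c05e3dc13b680c4fd4b3538d0 9956 libsdl2-image_2.0.1+dfsg-2+deb9u2.debian.tar.xz
 4fb1943a4eaa1661a2e3ce437d721a9b78f5faa6a810aa24e63cf5071d054822 39686 libsdl2-image-2.0-0_2.0.1+dfsg-2+deb9u2_amd64.deb
 40958d47163ae1ca83f0e2af88d7ae9d331b60b18dd92db154d4f43d66d8345c 93072 libsdl2-image-dbg_2.0.1+dfsg-2+deb9u2_amd64.deb
 8a9f0abefcd0121bbbacc41dfa984ecde24d2f580a37270f290ae768f1ee11b5 44582 libsdl2-image-dev_2.0.1+dfsg-2+deb9u2_amd64.deb
 d622f1f78eef8bf3afd138c5d8977e803cf62823a7cdc77e7fa981d3cabd44c0 11614 libsdl2-image_2.0.1+dfsg-2+deb9u2_amd64.buildinfo
Files:
 cd8a0b53c64edaa44491e67f4b1708d8 2218 libs optional libsdl2-image_2.0.1+dfsg-2+deb9u2.dsc
"""

# One continuation line of the stanza: " <sha256 hex> <size> <filename>"
_ENTRY = re.compile(r"^ ([0-9a-f]{64}) (\d+) (\S+)$")


def parse_checksums_sha256(changes_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 stanza.

    Only the indented continuation lines directly under the field are
    taken; the first non-indented line ends the stanza. Works on the
    clearsigned form too, since the stanza lines never start with '-'.
    """
    entries = {}
    in_stanza = False
    for line in changes_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_stanza = True
            continue
        if not in_stanza:
            continue
        if not line.startswith(" "):
            break
        m = _ENTRY.match(line)
        if m is None:
            raise ValueError("malformed Checksums-Sha256 line: %r" % line)
        digest, size, name = m.groups()
        # Never let a .changes file steer us outside the download directory.
        if "/" in name or name in (".", ".."):
            raise ValueError("unsafe filename in .changes: %r" % name)
        entries[name] = (digest, int(size))
    if not entries:
        raise ValueError("no Checksums-Sha256 stanza found")
    return entries


def sha256_of(path):
    """SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(entries, directory):
    """Check every listed file under `directory`; return {name: status}.

    status is one of "ok", "missing", "size-mismatch", "sha256-mismatch".
    The cheap size check runs first so a truncated download is reported
    as such rather than as a bad hash.
    """
    results = {}
    for name, (digest, size) in entries.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:
            results[name] = "size-mismatch"
        elif sha256_of(path) != digest:
            results[name] = "sha256-mismatch"
        else:
            results[name] = "ok"
    return results


if __name__ == "__main__":
    # Assumed usage: verify_changes.py FILE.changes DOWNLOAD_DIR
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: verify_changes.py FILE.changes DIRECTORY")
    with open(sys.argv[1], encoding="utf-8") as f:
        listed = parse_checksums_sha256(f.read())
    results = verify_files(listed, sys.argv[2])
    for name, status in sorted(results.items()):
        print("%-16s %s" % (status, name))
    sys.exit(0 if all(s == "ok" for s in results.values()) else 1)
```

The checksums are only as trustworthy as the signature over the .changes file, so run `gpg --verify` on it against the Debian keyring before relying on this script; the script itself deliberately trusts nothing about the file names beyond refusing path separators.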
