Your message dated Wed, 21 Aug 2019 21:32:11 +0000
with message-id <[email protected]>
and subject line Bug#932754: fixed in libsdl2-image 2.0.4+dfsg1-1+deb10u1
has caused the Debian Bug report #932754,
regarding libsdl2-image: multiple security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
932754: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932754
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libsdl2-image
Version: 2.0.4+dfsg1-1
Severity: important
Tags: security upstream

Hi,

the following security issues[0] were published for libsdl2-image:

* CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c.

* CVE-2019-5051: heap-based buffer overflow in IMG_pcx.c.

* CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).

* CVE-2019-12216, CVE-2019-12217,
  CVE-2019-12218, CVE-2019-12219,
  CVE-2019-12220, CVE-2019-12221,
  CVE-2019-12222: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).

Fixing these issues:

Patches are quite straightforward and I believe that some of these
issues are worth fixing (reporter claims that they are "exploitable").

I have prepared and uploaded a jessie LTS update addressing most of these
issues (all of them apart from CVE-2019-5051) via targeted fixes.

If the security team agrees, I will provide targeted fixes for buster and
stretch.

For testing, I suggest packaging the latest upstream release. If needed, I
can provide an update with targeted fixes.

regards,
Hugo

[0] https://security-tracker.debian.org/tracker/source-package/libsdl2-image

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Source: libsdl2-image
Source-Version: 2.0.4+dfsg1-1+deb10u1

We believe that the bug you reported is fixed in the latest version of
libsdl2-image, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hugo Lefeuvre <[email protected]> (supplier of updated libsdl2-image package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 26 Jul 2019 17:01:14 -0300
Source: libsdl2-image
Binary: libsdl2-image-2.0-0 libsdl2-image-2.0-0-dbgsym libsdl2-image-dev
Architecture: source amd64
Version: 2.0.4+dfsg1-1+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian SDL packages maintainers <[email protected]>
Changed-By: Hugo Lefeuvre <[email protected]>
Description:
 libsdl2-image-2.0-0 - Image loading library for Simple DirectMedia Layer 2, libraries
 libsdl2-image-dev - Image loading library for Simple DirectMedia Layer 2, development
Closes: 932754
Changes:
 libsdl2-image (2.0.4+dfsg1-1+deb10u1) buster; urgency=medium
 .
   * Non-maintainer upload.
   * Multiple security issues (Closes: #932754):
     - CVE-2019-5058: buffer overflow in do_layer_surface (IMG_xcf.c).
     - CVE-2019-5052: integer overflow and subsequent buffer overflow in
       IMG_pcx.c.
     - CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
     - CVE-2019-12216, CVE-2019-12217,
       CVE-2019-12218, CVE-2019-12219,
       CVE-2019-12220, CVE-2019-12221,
       CVE-2019-12222, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
Checksums-Sha1:
 2146faafb7dcdfa9564c9b61559919aacdc7824b 2099 libsdl2-image_2.0.4+dfsg1-1+deb10u1.dsc
 cca6b13086e3c3319b737fe30bf5bb6312f8ae5c 9936 libsdl2-image_2.0.4+dfsg1-1+deb10u1.debian.tar.xz
 96c579b82e688e7b8bd049bb175c696e915551a8 192596 libsdl2-image-2.0-0-dbgsym_2.0.4+dfsg1-1+deb10u1_amd64.deb
 155a9cd73928f70da8ebabba6993e0f35ee589e8 66524 libsdl2-image-2.0-0_2.0.4+dfsg1-1+deb10u1_amd64.deb
 dca6d517bde5d0b97c20fe8417baf5d5b3fe1d3e 73528 libsdl2-image-dev_2.0.4+dfsg1-1+deb10u1_amd64.deb
 ece582f7bc9fb9f0f8c621585ba3033a2431ecd8 11370 libsdl2-image_2.0.4+dfsg1-1+deb10u1_amd64.buildinfo
Checksums-Sha256:
 70b8151cd26e2da253885c0d1e6fee71f840e07eb662f5ba5dfff408cf2ae7b3 2099 libsdl2-image_2.0.4+dfsg1-1+deb10u1.dsc
 b9c698a28d109fe04d6ff7bb559854c55e0486697bc885de426a12aebff8f48f 9936 libsdl2-image_2.0.4+dfsg1-1+deb10u1.debian.tar.xz
 e872005edf3c35f941106d44539593abaa4235f0fc81bb50607eb8ee712122a8 192596 libsdl2-image-2.0-0-dbgsym_2.0.4+dfsg1-1+deb10u1_amd64.deb
 30810abaca2f1c513bd8f716d47d46fd3bdb44020d082502124688e24304369c 66524 libsdl2-image-2.0-0_2.0.4+dfsg1-1+deb10u1_amd64.deb
 15c988961e6295a9d7da3de1f74f7b7b840a27b1a65ecf618a63347c44e96569 73528 libsdl2-image-dev_2.0.4+dfsg1-1+deb10u1_amd64.deb
 f8be8a3515798ac233c91615fce2e7e7d6bb719c4e5a944bb2679ddb8fecf120 11370 libsdl2-image_2.0.4+dfsg1-1+deb10u1_amd64.buildinfo
Files:
 0c7d3d3bedd6d93d37c577b16509c136 2099 libs optional libsdl2-image_2.0.4+dfsg1-1+deb10u1.dsc
 8732a7b54326f52e9462b63f3c1d4185 9936 libs optional libsdl2-image_2.0.4+dfsg1-1+deb10u1.debian.tar.xz
 99ace8dd3a8de404d5f043bbd6a43de6 192596 debug optional libsdl2-image-2.0-0-dbgsym_2.0.4+dfsg1-1+deb10u1_amd64.deb
 dcb9253620b9e9d18b76e4f0270bc982 66524 libs optional libsdl2-image-2.0-0_2.0.4+dfsg1-1+deb10u1_amd64.deb
 8a36160c7873f99579e0bc92a03a0d83 73528 libdevel optional libsdl2-image-dev_2.0.4+dfsg1-1+deb10u1_amd64.deb
 1acbbcb4dca0874072c39d0618accd38 11370 libs optional libsdl2-image_2.0.4+dfsg1-1+deb10u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
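The practical question for an administrator reading this closure is whether the libsdl2-image on a given buster host already carries the fix. Dpkg's version ordering is not plain string comparison (an epoch before ":", a Debian revision after the last "-", "~" sorting before everything, digit runs compared numerically), so "2.0.4+dfsg1-1" versus "2.0.4+dfsg1-1+deb10u1" is worth checking properly. The following is an added example, not code from the bug report, the SDL maintainers or dpkg itself: a pure-Python re-implementation of dpkg's version comparison, a FIXED_VERSIONS table constructed from the buster .changes file above, and a hypothetical installed_version helper that shells out to dpkg-query.

```python
"""Check whether an installed Debian package is at or past a fixed version.

Added example; the comparison mirrors dpkg's verrevcmp()/order() rules,
the fixed version string is the one from Bug#932754's buster upload,
and installed_version() is a helper written for this example.
"""
import subprocess
from typing import Optional, Tuple

# Constructed from the closure message above: the buster fix only.
# jessie and stretch carry different fixed versions (see the security
# tracker), so do not reuse this string for other suites.
FIXED_VERSIONS = {
    ("libsdl2-image-2.0-0", "buster"): "2.0.4+dfsg1-1+deb10u1",
}

_DIGITS = "0123456789"


def _order(c: str) -> int:
    """Weight of one character inside a non-digit run (dpkg's order())."""
    if c == "" or c in _DIGITS:
        return 0            # end of string ranks like a digit run
    if c == "~":
        return -1           # '~' sorts before everything, even the end
    if c.isascii() and c.isalpha():
        return ord(c)
    return ord(c) + 256     # '+', '.', '-' and friends sort after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments as dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character by weight.
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then compare numerically.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i] in _DIGITS and b[j] in _DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1        # a has more digits left: the larger number
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str) -> Tuple[int, str, str]:
    """Split a Debian version into (epoch, upstream_version, debian_revision)."""
    epoch = 0
    if ":" in v:
        head, v = v.split(":", 1)
        epoch = int(head)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, like `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def carries_fix(installed: str, fixed: str) -> bool:
    """True when the installed version is the fixed one or newer."""
    return compare_versions(installed, fixed) >= 0


def installed_version(package: str) -> Optional[str]:
    """Helper for this example: ask dpkg for the installed version, or None."""
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "--showformat=${Version}", package],
            capture_output=True, text=True, check=True,
        ).stdout.strip()
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out or None


if __name__ == "__main__":
    for (pkg, suite), fixed in FIXED_VERSIONS.items():
        have = installed_version(pkg)
        if have is None:
            print(f"{pkg}: not installed (or dpkg-query unavailable)")
        elif carries_fix(have, fixed):
            print(f"{pkg} {have}: carries the {suite} fix ({fixed})")
        else:
            print(f"{pkg} {have}: VULNERABLE, upgrade to {fixed}")
```

Two caveats when using this. The check only tells you what the Debian package claims; a game or tool that statically links or vendors its own SDL_image copy is not covered and needs to be rebuilt against the fixed source. And a version at or past the fixed one shows the package was upgraded, not that running processes have reloaded the library, so long-running programs that had libSDL2_image mapped before the upgrade still need a restart.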
