Small update: I forgot to close the bug report (#932755) and did not mention
CVE-2019-5058 in debian/changelog. You can find an updated debdiff attached.

cheers,
Hugo

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru sdl-image1.2-1.2.12/debian/changelog sdl-image1.2-1.2.12/debian/changelog
--- sdl-image1.2-1.2.12/debian/changelog	2018-04-15 11:54:38.000000000 -0400
+++ sdl-image1.2-1.2.12/debian/changelog	2019-08-29 08:28:17.000000000 -0400
@@ -1,3 +1,17 @@
+sdl-image1.2 (1.2.12-5+deb9u2) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2018-3977, CVE-2019-5058: buffer overflow in do_layer_surface
+    (IMG_xcf.c) (Closes: #932755).
+  * CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c.
+  * CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+  * CVE-2019-12216, CVE-2019-12217,
+    CVE-2019-12218, CVE-2019-12219,
+    CVE-2019-12220, CVE-2019-12221,
+    CVE-2019-12222, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre <h...@debian.org>  Thu, 29 Aug 2019 08:28:17 -0400
+
 sdl-image1.2 (1.2.12-5+deb9u1) stretch-security; urgency=high
 
   * Backport various security fixes:
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch	1969-12-31 19:00:00.000000000 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch	2019-08-29 08:26:26.000000000 -0400
@@ -0,0 +1,19 @@
+Description: Fix potential buffer overflow on corrupt or maliciously-crafted XCF file.
+ This patch bundles two fixes, the original one for CVE-2018-3977
+ (TALOS-2018-0645) which is actually broken, and the followup patch
+ (TALOS-2019-0842).
+Author: Ryan C. Gordon <iccu...@icculus.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8
+                  https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10
+--- a/IMG_xcf.c	2019-07-23 11:56:35.733259428 -0300
++++ b/IMG_xcf.c	2019-07-23 11:57:55.036947079 -0300
+@@ -634,6 +634,9 @@
+       p16 = (Uint16 *) p8;
+       p   = (Uint32 *) p8;
+       for (y=ty; y < ty+oy; y++) {
++	if ((y >= surface->h) || ((tx+ox) > surface->w)) {
++		break;
++	}
+ 	row = (Uint32 *)((Uint8 *)surface->pixels + y*surface->pitch + tx*4);
+ 	switch (hierarchy->bpp) {
+ 	case 4:
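Review bot: The `(tx+ox) > surface->w` half of the new guard does not depend on `y`, so it is re-evaluated on every row of the tile; checking it once before the `for` (leaving only `y >= surface->h` inside the loop) makes the clipping intent clearer. A comment on the guard would also help, e.g. `/* tile extends past the surface (corrupt file): clip instead of writing beyond pixels */`, because a bare `break` is easy to mistake for an early-exit bug later. Whether `tx`, `ty`, `ox` or `oy` can be negative, or whether `tx+ox` can wrap, depends on their declarations, which sit outside the hunk, as does the rest of do_layer_surface.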
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	1969-12-31 19:00:00.000000000 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	2019-08-29 08:26:26.000000000 -0400
@@ -0,0 +1,83 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga <slou...@libsdl.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c	2019-07-23 11:28:25.847897628 -0300
++++ b/IMG_pcx.c	2019-07-23 11:43:07.748441381 -0300
+@@ -100,6 +100,8 @@
+ 	Uint8 *row, *buf = NULL;
+ 	char *error = NULL;
+ 	int bits, src_bits;
++	int count = 0;
++	Uint8 ch;
+ 
+ 	if ( !src ) {
+ 		/* The error message has been set in SDL_RWFromFile */
+@@ -148,14 +150,14 @@
+ 	bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ 	if (bpl > surface->pitch) {
+ 		error = "bytes per line is too large (corrupt?)";
++		goto done;
+ 	}
+-	buf = calloc(SDL_max(bpl, surface->pitch), 1);
++	buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ 	row = surface->pixels;
+ 	for ( y=0; y<surface->h; ++y ) {
+ 		/* decode a scan line to a temporary buffer first */
+-		int i, count = 0;
+-		Uint8 ch;
+-		Uint8 *dst = (src_bits == 8) ? row : buf;
++		int i;
++		Uint8 *dst = buf;
+ 		if ( pcxh.Encoding == 0 ) {
+ 			if(!SDL_RWread(src, dst, bpl, 1)) {
+ 				error = "file truncated";
+@@ -168,14 +170,15 @@
+ 						error = "file truncated";
+ 						goto done;
+ 					}
+-					if( (ch & 0xc0) == 0xc0) {
+-						count = ch & 0x3f;
++					if( ch < 0xc0) {
++						count = 1;
++					} else {
++						count = ch - 0xc0;
+ 						if(!SDL_RWread(src, &ch, 1, 1)) {
+ 							error = "file truncated";
+ 							goto done;
+ 						}
+-					} else
+-						count = 1;
++					}
+ 				}
+ 				dst[i] = ch;
+ 				count--;
+@@ -207,10 +210,16 @@
+ 				int x;
+ 				dst = row + plane;
+ 				for(x = 0; x < width; x++) {
++					if ( dst >= row+surface->pitch ) {
++						error = "decoding out of bounds (corrupt?)";
++						goto done;
++					}
+ 					*dst = *src++;
+ 					dst += pcxh.NPlanes;
+ 				}
+ 			}
++		} else {
++			SDL_memcpy(row, buf, bpl);
+ 		}
+ 
+ 		row += surface->pitch;
+@@ -227,8 +236,9 @@
+ 			/* look for a 256-colour palette */
+ 			do {
+ 				if ( !SDL_RWread(src, &ch, 1, 1)) {
+-					error = "file truncated";
+-					goto done;
++					/* Couldn't find the palette, try the end of the file */
++					SDL_RWseek(src, -768, RW_SEEK_END);
++					break;
+ 				}
+ 			} while ( ch != 12 );
+ 
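Review bot: The palette fallback calls `SDL_RWseek(src, -768, RW_SEEK_END)` and discards its result, so on a file shorter than 768 bytes or an unseekable stream the subsequent palette read starts from whatever offset the stream is at; `if (SDL_RWseek(src, -768, RW_SEEK_END) < 0) { error = "file truncated"; goto done; }` keeps the previous error path for that case. Separately, `count` is moved from per-row scope to function scope, so a run byte of exactly `0xc0` (which gives `count = 0`, then `count--` after the store) leaves a negative count that now carries into the following scan lines instead of being reset each row; whether that changes decoding depends on the `if(!count)` test, which lies outside the visible lines. IMG_LoadPCX_RW starts and ends outside this hunk.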
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch	1969-12-31 19:00:00.000000000 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch	2019-08-29 08:26:26.000000000 -0400
@@ -0,0 +1,15 @@
+Description: fix invalid data read on bpl == -1
+ Issue known as TALOS-2019-0821, or CVE-2019-5052.
+Author: Sam Lantinga <slou...@libsdl.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/b920be2b3fc6
+--- a/IMG_pcx.c	2019-07-23 11:55:37.921487131 -0300
++++ b/IMG_pcx.c	2019-07-23 11:55:46.429453620 -0300
+@@ -148,7 +148,7 @@
+ 		goto done;
+ 
+ 	bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+-	if (bpl > surface->pitch) {
++	if (bpl < 0 || bpl > surface->pitch) {
+ 		error = "bytes per line is too large (corrupt?)";
+ 		goto done;
+ 	}
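Review bot: The new `bpl < 0` condition reuses the error text "bytes per line is too large (corrupt?)", which misdescribes a negative value; a neutral message such as `error = "bytes per line is invalid (corrupt?)";` covers both cases. Note that IMG_pcx-out-of-bounds.patch, which debian/patches/series applies after this one, deletes this entire check again, so the bound does not survive in the patched source and needs to be carried over there. The surrounding function continues outside the hunk.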
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-7635.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-7635.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-7635.patch	1969-12-31 19:00:00.000000000 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-7635.patch	2019-08-29 08:26:26.000000000 -0400
@@ -0,0 +1,65 @@
+Subject: fix Heap-Buffer Overflow in Blit1to4 (IMG_bmp.c)
+Author: Sam Lantinga <slou...@libsdl.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/03bd33e8cb49
+--- a/IMG_bmp.c	2019-07-23 11:59:17.032624113 -0300
++++ b/IMG_bmp.c	2019-07-23 12:01:39.804061761 -0300
+@@ -292,6 +292,14 @@
+ 			ExpandBMP = biBitCount;
+ 			biBitCount = 8;
+ 			break;
++		case 2:
++		case 3:
++		case 5:
++		case 6:
++		case 7:
++			IMG_SetError("%d-bpp BMP images are not supported", biBitCount);
++			was_error = SDL_TRUE;
++			goto done;
+ 		default:
+ 			ExpandBMP = 0;
+ 			break;
+@@ -444,7 +452,12 @@
+ 						goto done;
+ 					}
+ 				}
+-				*(bits+i) = (pixel>>shift);
++				bits[i] = (pixel >> shift);
++				if (bits[i] >= biClrUsed) {
++					IMG_SetError("A BMP image contains a pixel with a color out of the palette");
++					was_error = SDL_TRUE;
++					goto done;
++				}
+ 				pixel <<= ExpandBMP;
+ 			} }
+ 			break;
+@@ -456,6 +469,15 @@
+ 				was_error = SDL_TRUE;
+ 				goto done;
+ 			}
++			if (biBitCount == 8 && palette && biClrUsed < (1 << biBitCount)) {
++				for (i = 0; i < surface->w; ++i) {
++					if (bits[i] >= biClrUsed) {
++						IMG_SetError("A BMP image contains a pixel with a color out of the palette");
++						was_error = SDL_TRUE;
++						goto done;
++					}
++				}
++			}
+ #if SDL_BYTEORDER == SDL_BIG_ENDIAN
+ 			/* Byte-swap the pixels if needed. Note that the 24bpp
+ 			   case has already been taken care of above. */
+@@ -650,6 +672,14 @@
+             Bmask = 0x000000FF;
+             ExpandBMP = 0;
+             break;
++        case 2:
++        case 3:
++        case 5:
++        case 6:
++        case 7:
++            SDL_SetError("%d-bpp BMP images are not supported", biBitCount);
++            was_error = SDL_TRUE;
++            goto done;
+         default:
+             IMG_SetError("ICO file with unsupported bit count");
+             was_error = SDL_TRUE;
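Review bot: In the ICO hunk (the last one) the new `case 2:` … `case 7:` arm is redundant: the existing `default:` already rejects any unlisted depth with "ICO file with unsupported bit count", so the addition only changes the message, and does so through `SDL_SetError` where the surrounding code uses `IMG_SetError`. In the BMP hunk the enumeration is needed because `default:` there sets `ExpandBMP = 0` and continues, but listing the supported depths explicitly and letting `default:` reject would also cover any other unexpected value; the cases above 8 bpp are outside the hunk, so I cannot tell which depths currently reach `default:`. The `bits[i] >= biClrUsed` checks assume `biClrUsed` has already been normalised from 0 to the full palette size; that happens outside the hunk if at all and is worth confirming.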
diff -Nru sdl-image1.2-1.2.12/debian/patches/IMG_pcx-out-of-bounds.patch sdl-image1.2-1.2.12/debian/patches/IMG_pcx-out-of-bounds.patch
--- sdl-image1.2-1.2.12/debian/patches/IMG_pcx-out-of-bounds.patch	1969-12-31 19:00:00.000000000 -0500
+++ sdl-image1.2-1.2.12/debian/patches/IMG_pcx-out-of-bounds.patch	2019-08-29 08:26:26.000000000 -0400
@@ -0,0 +1,71 @@
+Description: fix multiple OOB issues in IMG_pcx.c
+ This patches addresses following issues: CVE-2019-12222, CVE-2019-12221,
+ CVE-2019-12220, CVE-2019-12219 and CVE-2019-12217.
+Author: Sam Lantinga <slou...@libsdl.org>, Hugo Lefeuvre <h...@debian.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34
+--- a/IMG_pcx.c	2019-07-23 11:56:00.765397153 -0300
++++ b/IMG_pcx.c	2019-07-23 11:51:23.082490857 -0300
+@@ -148,18 +148,17 @@
+ 		goto done;
+ 
+ 	bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+-	if (bpl < 0 || bpl > surface->pitch) {
+-		error = "bytes per line is too large (corrupt?)";
++	buf = (Uint8 *)SDL_calloc(bpl, 1);
++	if ( !buf ) {
++		error = "Out of memory";
+ 		goto done;
+ 	}
+-	buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ 	row = surface->pixels;
+ 	for ( y=0; y<surface->h; ++y ) {
+ 		/* decode a scan line to a temporary buffer first */
+ 		int i;
+-		Uint8 *dst = buf;
+ 		if ( pcxh.Encoding == 0 ) {
+-			if(!SDL_RWread(src, dst, bpl, 1)) {
++			if(!SDL_RWread(src, buf, bpl, 1)) {
+ 				error = "file truncated";
+ 				goto done;
+ 			}
+@@ -180,7 +179,7 @@
+ 						}
+ 					}
+ 				}
+-				dst[i] = ch;
++				buf[i] = ch;
+ 				count--;
+ 			}
+ 		}
+@@ -202,13 +201,21 @@
+ 					}
+ 				}
+ 			}
++		} else if ( src_bits == 8 ) {
++			/* directly copy buf content to row */
++			Uint8 *innerSrc = buf;
++			int x;
++			Uint8 *dst = row;
++			for ( x = 0; x < width; x++ ) {
++				*dst++ = *innerSrc++;
++			}
+  		} else if(src_bits == 24) {
+ 			/* de-interlace planes */
+ 			Uint8 *src = buf;
+ 			int plane;
+ 			for(plane = 0; plane < pcxh.NPlanes; plane++) {
+ 				int x;
+-				dst = row + plane;
++				Uint8 *dst = row + plane;
+ 				for(x = 0; x < width; x++) {
+ 					if ( dst >= row+surface->pitch ) {
+ 						error = "decoding out of bounds (corrupt?)";
+@@ -218,8 +225,6 @@
+ 					dst += pcxh.NPlanes;
+ 				}
+ 			}
+-		} else {
+-			SDL_memcpy(row, buf, bpl);
+ 		}
+ 
+ 		row += surface->pitch;
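Review bot: This hunk deletes the `bpl < 0 || bpl > surface->pitch` guard that CVE-2019-5052.patch adds (series applies that patch first), and the replacement only checks `SDL_calloc` for failure, so a header whose `BytesPerLine` is smaller than `width` yields a `buf` that the new 8-bit copy loop (`*dst++ = *innerSrc++` for `width` bytes) and the 24-bit de-interlace loop read past its end — an out-of-bounds read unless `BytesPerLine` is validated against `width` somewhere before this hunk. Restoring the dropped check and adding a lower bound for the byte-per-pixel-per-plane formats, e.g. `if (pcxh.BytesPerLine < width) { error = "bytes per line is too small (corrupt?)"; goto done; }` before the `src_bits == 8` and `src_bits == 24` copies (the `src_bits <= 4` packed case is outside the hunk and has a different minimum), closes that. A negative `bpl` now only fails because `SDL_calloc` receives a huge size_t, which is fragile as a validation strategy, and `bpl == 0` may pass straight through to the copy loops. IMG_LoadPCX_RW starts and ends outside the hunk.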
diff -Nru sdl-image1.2-1.2.12/debian/patches/series sdl-image1.2-1.2.12/debian/patches/series
--- sdl-image1.2-1.2.12/debian/patches/series	2018-04-13 11:15:39.000000000 -0400
+++ sdl-image1.2-1.2.12/debian/patches/series	2019-08-29 08:26:26.000000000 -0400
@@ -9,3 +9,8 @@
 CVE-2018-3837.patch
 CVE-2018-3838.patch
 CVE-2018-3839.patch
+CVE-2019-12218.patch
+CVE-2019-5052.patch
+IMG_pcx-out-of-bounds.patch
+CVE-2018-3977.patch
+CVE-2019-7635.patch

Attachment: signature.asc
Description: PGP signature
