Bug#924610: Bug#924609: Ports of CVE patches from Debian LTS for libsdl1.2

2019-04-29 Thread Moritz Mühlenhoff
On Mon, Apr 29, 2019 at 04:56:27PM +0200, Felix Geyer wrote:
> Hi,
> 
> On 24.04.19 21:33, Salvatore Bonaccorso wrote:
> > Hi Kari,
> > 
> > On Wed, Apr 24, 2019 at 07:15:44PM +0300, Kari Pahula wrote:
> > > Hi.
> > > 
> > > I've ported the CVE patches from Debian LTS for libsdl1.2 in unstable.
> > First thanks for working on the issues!
> > 
> > I have not reviewed your patches, but just a remark. Never just
> > forward-port a patchset from an older suite to newer (although the
> > version is identical here).
> > 
> > Furthermore, as Moritz pointed out, at time of writing the bugreport,
> > only some of the bugs got patches, but not all were merged upstream,
> > several of the CVEs got later on upstream patches rather than
> > previously linked ones from the bugzilla.  We should base the upload
> > on the current upstream patches which by now should be complete
> > (but double check the updated references in the security-tracker).
> 
> 
> Unfortunately there are still some bug reports without merged fixes.
> I've kept the Debian security tracker up-to-date in this regard
> (the CVEs with committed patches have a link to them).

For sdl-image1.2 we can already go ahead with an unstable upload, right?
The only issue affecting it was merged.

Cheers,
Moritz



Bug#924609: Bug#924610: Bug#924609: Ports of CVE patches from Debian LTS for libsdl1.2

2019-04-29 Thread Felix Geyer

Hi,

On 24.04.19 21:33, Salvatore Bonaccorso wrote:
> Hi Kari,
> 
> On Wed, Apr 24, 2019 at 07:15:44PM +0300, Kari Pahula wrote:
> > Hi.
> > 
> > I've ported the CVE patches from Debian LTS for libsdl1.2 in unstable.
> First thanks for working on the issues!
> 
> I have not reviewed your patches, but just a remark. Never just
> forward-port a patchset from an older suite to newer (although the
> version is identical here).
> 
> Furthermore, as Moritz pointed out, at time of writing the bugreport,
> only some of the bugs got patches, but not all were merged upstream,
> several of the CVEs got later on upstream patches rather than
> previously linked ones from the bugzilla.  We should base the upload
> on the current upstream patches which by now should be complete
> (but double check the updated references in the security-tracker).

Unfortunately there are still some bug reports without merged fixes.
I've kept the Debian security tracker up-to-date in this regard
(the CVEs with committed patches have a link to them).

Felix



Bug#924609: Ports of CVE patches from Debian LTS for libsdl1.2

2019-04-24 Thread Salvatore Bonaccorso
Hi Kari,

On Wed, Apr 24, 2019 at 07:15:44PM +0300, Kari Pahula wrote:
> Hi.
> 
> I've ported the CVE patches from Debian LTS for libsdl1.2 in unstable.

First thanks for working on the issues!

I have not reviewed your patches, but just a remark. Never just
forward-port a patchset from an older suite to newer (although the
version is identical here).

Furthermore, as Moritz pointed out, at time of writing the bugreport,
only some of the bugs got patches, but not all were merged upstream,
several of the CVEs got later on upstream patches rather than
previously linked ones from the bugzilla.  We should base the upload
on the current upstream patches which by now should be complete
(but double check the updated references in the security-tracker).

Regards,
Salvatore



Bug#924609: Ports of CVE patches from Debian LTS for libsdl1.2

2019-04-24 Thread Kari Pahula
Hi.

I've ported the CVE patches from Debian LTS for libsdl1.2 in unstable.
From 3aa83f5059f9e8203177350101ab43415b901f93 Mon Sep 17 00:00:00 2001
From: Kari Pahula 
Date: Wed, 24 Apr 2019 16:51:03 +0300
Subject: [PATCH] Port patches from Debian LTS release for CVE bugs.

Fixes for CVE-2019-7572, CVE-2019-7573, CVE-2019-7574,
CVE-2019-7575, CVE-2019-7576, CVE-2019-7577, CVE-2019-7578,
CVE-2019-7635, CVE-2019-7636, CVE-2019-7637, CVE-2019-7638.
---
 debian/patches/CVE-2019-7572_CVE-2019-7574.patch | 105 
 debian/patches/CVE-2019-7573.patch   |  66 
 debian/patches/CVE-2019-7575_7577.patch  |  78 +
 debian/patches/CVE-2019-7577-1_2.patch   |  32 
 debian/patches/CVE-2019-7578.patch   |  53 ++
 debian/patches/CVE-2019-7635_636_638.patch   |  81 +
 debian/patches/CVE-2019-7637.patch   | 207 +++
 debian/patches/series|   8 +
 8 files changed, 630 insertions(+)
 create mode 100644 debian/patches/CVE-2019-7572_CVE-2019-7574.patch
 create mode 100644 debian/patches/CVE-2019-7573.patch
 create mode 100644 debian/patches/CVE-2019-7575_7577.patch
 create mode 100644 debian/patches/CVE-2019-7577-1_2.patch
 create mode 100644 debian/patches/CVE-2019-7578.patch
 create mode 100644 debian/patches/CVE-2019-7635_636_638.patch
 create mode 100644 debian/patches/CVE-2019-7637.patch

diff --git a/debian/patches/CVE-2019-7572_CVE-2019-7574.patch b/debian/patches/CVE-2019-7572_CVE-2019-7574.patch
new file mode 100644
index 000..c1ecdb9
--- /dev/null
+++ b/debian/patches/CVE-2019-7572_CVE-2019-7574.patch
@@ -0,0 +1,105 @@
+Description: CVE-2019-7572, CVE-2019-7574
+ CVE-2019-7572: a buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c.
+ CVE-2019-7574: a heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c.
+
+---
+Author: Abhijith PA 
+Origin: https://bugzilla-attachments.libsdl.org/attachment.cgi?id=3610
+https://bugzilla.libsdl.org/attachment.cgi?id=3612
+https://bugzilla.libsdl.org/attachment.cgi?id=3618
+Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4496
+ https://bugzilla.libsdl.org/show_bug.cgi?id=4495
+Last-Update: <2018-03-05>
+
+Index: libsdl1.2-1.2.15/src/audio/SDL_wave.c
+===
+--- libsdl1.2-1.2.15.orig/src/audio/SDL_wave.c
 libsdl1.2-1.2.15/src/audio/SDL_wave.c
+@@ -264,6 +264,14 @@ static Sint32 IMA_ADPCM_nibble(struct IM
+ 	};
+ 	Sint32 delta, step;
+ 
++	/* Clamp index value. The inital value can be invalid. */
++	if ( state->index > 88 ) {
++		state->index = 88;
++	} else
++	if ( state->index < 0 ) {
++		state->index = 0;
++	}
++
+ 	/* Compute difference and new sample value */
+ 	step = step_table[state->index];
+ 	delta = step >> 3;
+@@ -275,12 +283,6 @@ static Sint32 IMA_ADPCM_nibble(struct IM
+ 
+ 	/* Update index value */
+ 	state->index += index_table[nybble];
+-	if ( state->index > 88 ) {
+-		state->index = 88;
+-	} else
+-	if ( state->index < 0 ) {
+-		state->index = 0;
+-	}
+ 
+ 	/* Clamp output sample */
+ 	if ( state->sample > max_audioval ) {
+@@ -323,7 +325,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *
+ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ 	struct IMA_ADPCM_decodestate *state;
+-	Uint8 *freeable, *encoded, *decoded;
++	Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+ 	Sint32 encoded_len, samplesleft;
+ 	unsigned int c, channels;
+ 
+@@ -339,6 +341,7 @@ static int IMA_ADPCM_decode(Uint8 **audi
+ 	/* Allocate the proper sized output buffer */
+ 	encoded_len = *audio_len;
+ 	encoded = *audio_buf;
++	encoded_end = encoded + encoded_len;
+ 	freeable = *audio_buf;
+ 	*audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) * 
+ IMA_ADPCM_state.wSamplesPerBlock*
+@@ -349,11 +352,13 @@ static int IMA_ADPCM_decode(Uint8 **audi
+ 		return(-1);
+ 	}
+ 	decoded = *audio_buf;
++	decoded_end = decoded + *audio_len;
+ 
+ 	/* Get ready... Go! */
+ 	while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
+ 		/* Grab the initial information for this block */
+ 		for ( c=0; c encoded_end) goto invalid_size;
+ 			/* Fill the state information for this block */
+ 			state[c].sample = ((encoded[1]<<8)|encoded[0]);
+ 			encoded += 2;
+@@ -367,6 +372,7 @@ static int IMA_ADPCM_decode(Uint8 **audi
+ 			}
+ 
+ 			/* Store the initial sample we start with */
++			if (decoded + 2 > decoded_end) goto invalid_size;
+ 			decoded[0] = (Uint8)(state[c].sample&0xFF);
+ 			decoded[1] = (Uint8)(state[c].sample>>8);
+ 			decoded += 2;
+@@ -376,6 +382,9 @@ static int IMA_ADPCM_decode(Uint8 **audi
+ 		samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
+ 		while ( samplesleft > 0 ) {
+ 			for ( c=0; c encoded_end) goto invalid_size;
++if (decoded + 4 * 4 * channels > decoded_end)
++  goto invalid_size;
+ Fill_IMA_ADPCM_block(decoded, encoded,
+ 		c,
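Review bot: In the `+@@ -349,11 +352,13 @@` and `+@@ -376,6 +382,9 @@` regions of the embedded SDL_wave.c patch the loop header lines read `for ( c=0; c encoded_end) goto invalid_size;`, which is not valid C: the loop condition, the opening brace and the start of the added bounds check (compare the intact `if (decoded + 2 > decoded_end) goto invalid_size;` a few lines later) are missing from this copy, and the embedded patch's `+++` file header is likewise shown as a bare ` libsdl1.2-1.2.15/src/audio/SDL_wave.c`, so the patch should be taken from the git tree or a proper attachment rather than applied from this message. The DEP-3 header also needs cleanup: `Last-Update: <2018-03-05>` keeps the template angle brackets and carries a 2018 date for 2019 CVEs (the commit itself is dated 2019-04-24), and the second and third `Origin:` URLs lack the leading space that marks a DEP-3 continuation line, so they would not parse as part of that field. As raised earlier in the thread, `Origin:` and `Bug:` point at bugzilla attachments while the upload is supposed to be based on the current upstream fixes where they exist, so the headers should reference those; and the `4 * 4 * channels` bound added before `Fill_IMA_ADPCM_block` deserves a one-line comment explaining where the constant comes from, since a wrong value there silently weakens the check.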