Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1
Control: tags -1 + confirmed On Thu, 2019-08-08 at 21:33 +0200, Hugo Lefeuvre wrote: > Hi Salvatore, > > > > Done! You can find an updated debdiff for buster in attachement. > > > The new > > > debdiff ships CVE-2019-5058.patch which addresses the remaining > > > issue in > > > IMG_xcf.c. > > > > Is the attachment missing? > > Right, attachment is missing! Better now :) > Please go ahead; thanks. Regards, Adam
Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1
Hi Salvatore, > > Done! You can find an updated debdiff for buster in attachement. The new > > debdiff ships CVE-2019-5058.patch which addresses the remaining issue in > > IMG_xcf.c. > > Is the attachment missing? Right, attachment is missing! Better now :) regards, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/changelog libsdl2-image-2.0.4+dfsg1/debian/changelog
--- libsdl2-image-2.0.4+dfsg1/debian/changelog 2019-02-03 11:59:26.0 +0100
+++ libsdl2-image-2.0.4+dfsg1/debian/changelog 2019-07-26 22:01:14.0 +0200
@@ -1,3 +1,18 @@
+libsdl2-image (2.0.4+dfsg1-1+deb10u1) buster; urgency=medium
+
+ * Non-maintainer upload.
+ * Multiple security issues (Closes: #932754):
+- CVE-2019-5058: buffer overflow in do_layer_surface (IMG_xcf.c).
+- CVE-2019-5052: integer overflow and subsequent buffer overflow in
+ IMG_pcx.c.
+- CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+- CVE-2019-12216, CVE-2019-12217,
+ CVE-2019-12218, CVE-2019-12219,
+ CVE-2019-12220, CVE-2019-12221,
+ CVE-2019-1, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre Fri, 26 Jul 2019 17:01:14 -0300
+
 libsdl2-image (2.0.4+dfsg1-1) unstable; urgency=medium
 * New upstream version.
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch
--- libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch 1970-01-01 01:00:00.0 +0100
+++ libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch 2019-07-26 22:01:14.0 +0200
@@ -0,0 +1,84 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c 2019-07-26 17:35:40.331470589 -0300 b/IMG_pcx.c 2019-07-26 17:48:45.760965290 -0300
+@@ -98,6 +98,8 @@
+ Uint8 *row, *buf = NULL;
+ char *error = NULL;
+ int bits, src_bits;
++int count = 0;
++Uint8 ch;
+
+ if ( !src ) {
+ /* The error message has been set in SDL_RWFromFile */
+@@ -146,14 +148,14 @@
+ bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ if (bpl > surface->pitch) {
+ error = "bytes per line is too large (corrupt?)";
++goto done;
+ }
+-buf = (Uint8 *)SDL_calloc(SDL_max(bpl, surface->pitch), 1);
++buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ row = (Uint8 *)surface->pixels;
+ for ( y=0; yh; ++y ) {
+ /* decode a scan line to a temporary buffer first */
+-int i, count = 0;
+-Uint8 ch;
+-Uint8 *dst = (src_bits == 8) ? row : buf;
++int i;
++Uint8 *dst = buf;
+ if ( pcxh.Encoding == 0 ) {
+ if(!SDL_RWread(src, dst, bpl, 1)) {
+ error = "file truncated";
+@@ -166,14 +168,15 @@
+ error = "file truncated";
+ goto done;
+ }
+-if( (ch & 0xc0) == 0xc0) {
+-count = ch & 0x3f;
+-if(!SDL_RWread(src, , 1, 1)) {
++if ( ch < 0xc0 ) {
++count = 1;
++} else {
++count = ch - 0xc0;
++if( !SDL_RWread(src, , 1, 1)) {
+ error = "file truncated";
+ goto done;
+ }
+-} else
+-count = 1;
++}
+ }
+ dst[i] = ch;
+ count--;
+@@ -205,10 +208,16 @@
+ int x;
+ dst = row + plane;
+ for(x = 0; x < width; x++) {
++if ( dst >= row+surface->pitch ) {
++error = "decoding out of bounds (corrupt?)";
++goto done;
++}
+ *dst = *innerSrc++;
+ dst += pcxh.NPlanes;
+ }
+ }
++} else {
++SDL_memcpy(row, buf, bpl);
+ }
+
+ row += surface->pitch;
+@@ -225,8 +234,9 @@
+ /* look for a 256-colour palette */
+ do {
+ if ( !SDL_RWread(src, , 1, 1)) {
+-error = "file truncated";
+-goto done;
++/* Couldn't find the palette, try the end of the file */
++SDL_RWseek(src, -768, RW_SEEK_END);
++break;
+ }
+ } while ( ch != 12 );
+
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-5052.patch libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-5052.patch
---
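Review bot: In the `@@ -146,14 +148,14 @@` hunk the result of `buf = (Uint8 *)SDL_calloc(surface->pitch, 1);` is never checked before the first loop iteration sets `dst = buf` and writes into it via `SDL_RWread(src, dst, bpl, 1)` or `dst[i] = ch`, so an allocation failure on a large-pitch image turns into a NULL-pointer write instead of a decode error; add `if (!buf) { error = "out of memory"; goto done; }` directly after the calloc. That early exit should be safe because `buf` is initialised to NULL in the declaration hunk and `done:` (outside the hunk) presumably frees it — confirm that label does not dereference it. The new `SDL_RWseek(src, -768, RW_SEEK_END);` fallback in the last hunk also ignores a negative return, so on a file shorter than 768 bytes the palette read that follows starts from an unintended offset; presumably that read's own length check catches it, but a `goto done` on seek failure would make the intent explicit. The quoted `+--- a/IMG_pcx.c ... b/IMG_pcx.c` header line appears to have lost its `+++` marker in this copy; worth confirming the shipped patch file still has it. IMG_LoadPCX_RW both starts and ends outside the hunk.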
Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1
Hi Hugo, On Thu, Aug 08, 2019 at 03:21:31PM +0200, Hugo Lefeuvre wrote: > Hi, > > > > Buster received [0] per 2.0.4+dfsg1-1, but not [1]. Even if I was aware > > > that the initial patch was broken (see stretch patch descriptions), I > > > failed to handle this properly in the buster version. > > > > > > As far as I remember, I did not upload this diff yet. I'll just provide an > > > updated version asap. I will also update the testing NMU[2], which I > > > fortunately did not upload yet. > > > > Perfect, thank you for that! > > Done! You can find an updated debdiff for buster in attachement. The new > debdiff ships CVE-2019-5058.patch which addresses the remaining issue in > IMG_xcf.c. Is the attachment missing? Regards, Salvatore
Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1
Hi, > > Buster received [0] per 2.0.4+dfsg1-1, but not [1]. Even if I was aware > > that the initial patch was broken (see stretch patch descriptions), I > > failed to handle this properly in the buster version. > > > > As far as I remember, I did not upload this diff yet. I'll just provide an > > updated version asap. I will also update the testing NMU[2], which I > > fortunately did not upload yet. > > Perfect, thank you for that! Done! You can find an updated debdiff for buster as an attachment. The new debdiff ships CVE-2019-5058.patch which addresses the remaining issue in IMG_xcf.c. cheers, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description: PGP signature
Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1
Hi Hugo, On Mon, Aug 05, 2019 at 08:28:00AM +0200, Hugo Lefeuvre wrote: > Hi Salvatore, > > > Maybe I'm missing something but but please double check. Can it be > > that the stretch-pu upload contains the fix > > https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10 for TALOS-2019-0842 > > but the buster-pu one missed it? (Note this has a new CVE assigned > > CVE-2019-5058, the change afaics is included in your stretch-pu > > debdiff, is this right? but not in the buster-pu one?) > > Thanks for catching this. The situation is quite messy, so I will try to > summarize it in a few words. > > CVE-2018-3977 is the actual buffer overflow in IMG_pcx.c. This > vulnerabilitity was "fixed" via [0], however the fix is broken (the check > should be done for y, not ty). Talos decided to report the remaining issue > as a separate vulnerability, TALOS-2019-0842, which was recently assigned > CVE-2019-5058. It was fixed via [1]. > > CVE-2019-5058/TALOS-2019-0842 is not a new vulnerability, it's just > CVE-2018-3977 which wasn't fixed properly. Ack, thanks for summarizing the situation. > Buster received [0] per 2.0.4+dfsg1-1, but not [1]. Even if I was aware > that the initial patch was broken (see stretch patch descriptions), I > failed to handle this properly in the buster version. > > As far as I remember, I did not upload this diff yet. I'll just provide an > updated version asap. I will also update the testing NMU[2], which I > fortunately did not upload yet. Perfect, thank you for that! Regards, Salvatore
Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1
Hi Salvatore, > Maybe I'm missing something but but please double check. Can it be > that the stretch-pu upload contains the fix > https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10 for TALOS-2019-0842 > but the buster-pu one missed it? (Note this has a new CVE assigned > CVE-2019-5058, the change afaics is included in your stretch-pu > debdiff, is this right? but not in the buster-pu one?) Thanks for catching this. The situation is quite messy, so I will try to summarize it in a few words. CVE-2018-3977 is the actual buffer overflow in do_layer_surface (IMG_xcf.c). This vulnerability was "fixed" via [0], however the fix is broken (the check should be done for y, not ty). Talos decided to report the remaining issue as a separate vulnerability, TALOS-2019-0842, which was recently assigned CVE-2019-5058. It was fixed via [1]. CVE-2019-5058/TALOS-2019-0842 is not a new vulnerability, it's just CVE-2018-3977 which wasn't fixed properly. Buster received [0] per 2.0.4+dfsg1-1, but not [1]. Even if I was aware that the initial patch was broken (see stretch patch descriptions), I failed to handle this properly in the buster version. As far as I remember, I did not upload this diff yet. I'll just provide an updated version asap. I will also update the testing NMU[2], which I fortunately did not upload yet. Thanks again! regards, Hugo [0] https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8 [1] https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10 [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932755 -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description: PGP signature
Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1
Hi Hugo, Maybe I'm missing something but please double check. Can it be that the stretch-pu upload contains the fix https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10 for TALOS-2019-0842 but the buster-pu one missed it? (Note this has a new CVE assigned CVE-2019-5058, the change afaics is included in your stretch-pu debdiff, is this right? but not in the buster-pu one?) Would be great if you can re-check if the above is correct. Regards, Salvatore
Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, libsdl2-image is currently affected by the following security issues: * CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c. * CVE-2019-5051: heap-based buffer overflow in IMG_pcx.c. * CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c). * CVE-2019-12216, CVE-2019-12217, CVE-2019-12218, CVE-2019-12219, CVE-2019-12220, CVE-2019-12221, CVE-2019-1: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c). (for more information, see #932754) Attached is a debdiff addressing all of them for buster. All of these patches are from upstream, I have removed whitespace changes and non security related refactoring. thanks! cheers, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/changelog libsdl2-image-2.0.4+dfsg1/debian/changelog
--- libsdl2-image-2.0.4+dfsg1/debian/changelog 2019-02-03 08:59:26.0 -0200
+++ libsdl2-image-2.0.4+dfsg1/debian/changelog 2019-07-26 17:01:14.0 -0300
@@ -1,3 +1,17 @@
+libsdl2-image (2.0.4+dfsg1-1+deb10u1) buster; urgency=medium
+
+ * Non-maintainer upload.
+ * Multiple security issues (Closes: #932754):
+- CVE-2019-5052: integer overflow and subsequent buffer overflow in
+ IMG_pcx.c.
+- CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+- CVE-2019-12216, CVE-2019-12217,
+ CVE-2019-12218, CVE-2019-12219,
+ CVE-2019-12220, CVE-2019-12221,
+ CVE-2019-1, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre Fri, 26 Jul 2019 17:01:14 -0300
+
 libsdl2-image (2.0.4+dfsg1-1) unstable; urgency=medium
 * New upstream version.
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch
--- libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch 1969-12-31 21:00:00.0 -0300
+++ libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch 2019-07-26 17:01:14.0 -0300
@@ -0,0 +1,84 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c 2019-07-26 17:35:40.331470589 -0300 b/IMG_pcx.c 2019-07-26 17:48:45.760965290 -0300
+@@ -98,6 +98,8 @@
+ Uint8 *row, *buf = NULL;
+ char *error = NULL;
+ int bits, src_bits;
++int count = 0;
++Uint8 ch;
+
+ if ( !src ) {
+ /* The error message has been set in SDL_RWFromFile */
+@@ -146,14 +148,14 @@
+ bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ if (bpl > surface->pitch) {
+ error = "bytes per line is too large (corrupt?)";
++goto done;
+ }
+-buf = (Uint8 *)SDL_calloc(SDL_max(bpl, surface->pitch), 1);
++buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ row = (Uint8 *)surface->pixels;
+ for ( y=0; yh; ++y ) {
+ /* decode a scan line to a temporary buffer first */
+-int i, count = 0;
+-Uint8 ch;
+-Uint8 *dst = (src_bits == 8) ? row : buf;
++int i;
++Uint8 *dst = buf;
+ if ( pcxh.Encoding == 0 ) {
+ if(!SDL_RWread(src, dst, bpl, 1)) {
+ error = "file truncated";
+@@ -166,14 +168,15 @@
+ error = "file truncated";
+ goto done;
+ }
+-if( (ch & 0xc0) == 0xc0) {
+-count = ch & 0x3f;
+-if(!SDL_RWread(src, , 1, 1)) {
++if ( ch < 0xc0 ) {
++count = 1;
++} else {
++count = ch - 0xc0;
++if( !SDL_RWread(src, , 1, 1)) {
+ error = "file truncated";
+ goto done;
+ }
+-} else
+-count = 1;
++}
+ }
+ dst[i] = ch;
+ count--;
+@@ -205,10 +208,16 @@
+ int x;
+ dst = row + plane;
+ for(x = 0; x < width; x++) {
++if ( dst >= row+surface->pitch ) {
++error = "decoding out of bounds (corrupt?)";
++goto done;
++}
+ *dst = *innerSrc++;
+ dst += pcxh.NPlanes;
+ }
+ }
++} else {
++SDL_memcpy(row, buf, bpl);
+ }
+
+ row += surface->pitch;
+@@ -225,8 +234,9 @@
+ /* look for a 256-colour palette */
+ do {
+ if ( !SDL_RWread(src, , 1, 1)) {
+-