Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1

2019-08-20 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Thu, 2019-08-08 at 21:33 +0200, Hugo Lefeuvre wrote:
> Hi Salvatore,
> 
> > > Done! You can find an updated debdiff for buster in the attachment.
> > > The new debdiff ships CVE-2019-5058.patch which addresses the
> > > remaining issue in IMG_xcf.c.
> > 
> > Is the attachment missing?
> 
> Right, attachment is missing! Better now :)
> 

Please go ahead; thanks.

Regards,

Adam



Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1

2019-08-08 Thread Hugo Lefeuvre
Hi Salvatore,

> > Done! You can find an updated debdiff for buster in the attachment. The new
> > debdiff ships CVE-2019-5058.patch which addresses the remaining issue in
> > IMG_xcf.c.
> 
> Is the attachment missing?

Right, attachment is missing! Better now :)

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/changelog libsdl2-image-2.0.4+dfsg1/debian/changelog
--- libsdl2-image-2.0.4+dfsg1/debian/changelog	2019-02-03 11:59:26.0 +0100
+++ libsdl2-image-2.0.4+dfsg1/debian/changelog	2019-07-26 22:01:14.0 +0200
@@ -1,3 +1,18 @@
+libsdl2-image (2.0.4+dfsg1-1+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * Multiple security issues (Closes: #932754):
+- CVE-2019-5058: buffer overflow in do_layer_surface (IMG_xcf.c).
+- CVE-2019-5052: integer overflow and subsequent buffer overflow in
+  IMG_pcx.c.
+- CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+- CVE-2019-12216, CVE-2019-12217,
+  CVE-2019-12218, CVE-2019-12219,
+  CVE-2019-12220, CVE-2019-12221,
+  CVE-2019-1, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre   Fri, 26 Jul 2019 17:01:14 -0300
+
 libsdl2-image (2.0.4+dfsg1-1) unstable; urgency=medium
 
   * New upstream version.
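Review bot: `CVE-2019-1` in the last bullet is not a complete CVE identifier (the sequence part needs at least four digits), so this entry cannot be matched against the security tracker; please restore the full ID. The same bullet files CVE-2019-5051 under "OOB R/W in IMG_LoadPCX_RW" while the cover mail calls it a heap-based buffer overflow in IMG_pcx.c; one wording in both places would save the reviewer a second look.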
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch
--- libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch	1970-01-01 01:00:00.0 +0100
+++ libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch	2019-07-26 22:01:14.0 +0200
@@ -0,0 +1,84 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c	2019-07-26 17:35:40.331470589 -0300
 b/IMG_pcx.c	2019-07-26 17:48:45.760965290 -0300
+@@ -98,6 +98,8 @@
+ Uint8 *row, *buf = NULL;
+ char *error = NULL;
+ int bits, src_bits;
++int count = 0;
++Uint8 ch;
+ 
+ if ( !src ) {
+ /* The error message has been set in SDL_RWFromFile */
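Review bot: hoisting `count` and `ch` to function scope is a decoder behaviour change, not only a tidy-up: a run that is still open when one scan line ends now continues into the next row, which the per-row `int i, count = 0;` reset removed further down did not allow. Either state this in the patch Description (it currently only says "fix heap buffer overflow issue") or drop the hoist if the backport is meant to be minimal, as the cover mail says.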
+@@ -146,14 +148,14 @@
+ bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ if (bpl > surface->pitch) {
+ error = "bytes per line is too large (corrupt?)";
++goto done;
+ }
+-buf = (Uint8 *)SDL_calloc(SDL_max(bpl, surface->pitch), 1);
++buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ row = (Uint8 *)surface->pixels;
+ for ( y=0; yh; ++y ) {
+ /* decode a scan line to a temporary buffer first */
+-int i, count = 0;
+-Uint8 ch;
+-Uint8 *dst = (src_bits == 8) ? row : buf;
++int i;
++Uint8 *dst = buf;
+ if ( pcxh.Encoding == 0 ) {
+ if(!SDL_RWread(src, dst, bpl, 1)) {
+ error = "file truncated";
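Review bot: `buf = (Uint8 *)SDL_calloc(surface->pitch, 1);` has no NULL check in this hunk; if none exists further down, a failed allocation is dereferenced by `dst[i] = ch` in the decode loop, so add `if (!buf) { error = "out of memory"; goto done; }` directly after it. The added `goto done` above it is the part that matters for the overflow: before it the error string was set but decoding continued, and with `dst = row` for 8-bit input a `bpl` larger than `surface->pitch` wrote past the row. Always decoding into `buf` and copying afterwards costs one extra memcpy per row, which is acceptable for a loader.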
+@@ -166,14 +168,15 @@
+ error = "file truncated";
+ goto done;
+ }
+-if( (ch & 0xc0) == 0xc0) {
+-count = ch & 0x3f;
+-if(!SDL_RWread(src, , 1, 1)) {
++if ( ch < 0xc0 ) {
++count = 1;
++} else {
++count = ch - 0xc0;
++if( !SDL_RWread(src, , 1, 1)) {
+ error = "file truncated";
+ goto done;
+ }
+-} else
+-count = 1;
++}
+ }
+ dst[i] = ch;
+ count--;
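Review bot: `count = ch - 0xc0` yields 0 for a run byte of exactly 0xc0, and the unconditional `count--` at the bottom of the loop then drives it negative; unless the run-start test treats a negative count as "begin a new run", the decoder keeps replaying the last `ch` without consuming input for the rest of the image. The old `ch & 0x3f` had the same property, so this is pre-existing, but this hunk is the place to reject it: `if (count == 0) { error = "zero-length run (corrupt?)"; goto done; }`. Otherwise the `ch < 0xc0` rewrite is equivalent to the old `(ch & 0xc0) == 0xc0` test and could be left out of a minimal backport.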
+@@ -205,10 +208,16 @@
+ int x;
+ dst = row + plane;
+ for(x = 0; x < width; x++) {
++if ( dst >= row+surface->pitch ) {
++error = "decoding out of bounds (corrupt?)";
++goto done;
++}
+ *dst = *innerSrc++;
+ dst += pcxh.NPlanes;
+ }
+ }
++} else {
++SDL_memcpy(row, buf, bpl);
+ }
+ 
+ row += surface->pitch;
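Review bot: the `dst >= row+surface->pitch` test guards the interleaved writes, but nothing guards `*innerSrc++`; those reads stay inside `buf` only because `buf` is now `surface->pitch` bytes and `bpl > surface->pitch` is rejected earlier in this patch, and that dependency deserves a comment next to the check. Validating `width * pcxh.NPlanes <= surface->pitch` once before the plane loop would also replace the per-pixel comparison. The new `SDL_memcpy(row, buf, bpl)` branch copies exactly `bpl` bytes, which is bounded by `pitch` for both source and destination, so that part is fine.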
+@@ -225,8 +234,9 @@
+ /* look for a 256-colour palette */
+ do {
+ if ( !SDL_RWread(src, , 1, 1)) {
+-error = "file truncated";
+-goto done;
++/* Couldn't find the palette, try the end of the file */
++SDL_RWseek(src, -768, RW_SEEK_END);
++break;
+ }
+ } while ( ch != 12 );
+ 
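Review bot: the return value of `SDL_RWseek(src, -768, RW_SEEK_END)` is ignored; on a source shorter than 768 bytes, or one that cannot seek, the seek fails and the palette read that follows happens at whatever position the stream was left in. Check the result and keep the removed `error = "file truncated"; goto done;` as the fallback. This is also a behaviour change (a truncated file now loads with a best-effort palette instead of failing), which sits oddly with the cover mail's statement that non-security refactoring was removed; either document it or drop it from the buster backport.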
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-5052.patch libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-5052.patch
--- 

Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1

2019-08-08 Thread Salvatore Bonaccorso
Hi Hugo,

On Thu, Aug 08, 2019 at 03:21:31PM +0200, Hugo Lefeuvre wrote:
> Hi,
> 
> > > Buster received [0] per 2.0.4+dfsg1-1, but not [1]. Even if I was aware
> > > that the initial patch was broken (see stretch patch descriptions), I
> > > failed to handle this properly in the buster version.
> > > 
> > > As far as I remember, I did not upload this diff yet. I'll just provide an
> > > updated version asap. I will also update the testing NMU[2], which I
> > > fortunately did not upload yet.
> > 
> > Perfect, thank you for that!
> 
> Done! You can find an updated debdiff for buster in the attachment. The new
> debdiff ships CVE-2019-5058.patch which addresses the remaining issue in
> IMG_xcf.c.

Is the attachment missing?

Regards,
Salvatore



Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1

2019-08-08 Thread Hugo Lefeuvre
Hi,

> > Buster received [0] per 2.0.4+dfsg1-1, but not [1]. Even if I was aware
> > that the initial patch was broken (see stretch patch descriptions), I
> > failed to handle this properly in the buster version.
> > 
> > As far as I remember, I did not upload this diff yet. I'll just provide an
> > updated version asap. I will also update the testing NMU[2], which I
> > fortunately did not upload yet.
> 
> Perfect, thank you for that!

Done! You can find an updated debdiff for buster in the attachment. The new
debdiff ships CVE-2019-5058.patch which addresses the remaining issue in
IMG_xcf.c.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature


Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1

2019-08-05 Thread Salvatore Bonaccorso
Hi Hugo,

On Mon, Aug 05, 2019 at 08:28:00AM +0200, Hugo Lefeuvre wrote:
> Hi Salvatore,
> 
> > Maybe I'm missing something but please double check. Can it be
> > that the stretch-pu upload contains the fix
> > https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10 for TALOS-2019-0842
> > but the buster-pu one missed it? (Note this has a new CVE assigned
> > CVE-2019-5058, the change afaics is included in your stretch-pu
> > debdiff, is this right? but not in the buster-pu one?)
> 
> Thanks for catching this. The situation is quite messy, so I will try to
> summarize it in a few words.
> 
> CVE-2018-3977 is the actual buffer overflow in IMG_pcx.c. This
> vulnerability was "fixed" via [0], however the fix is broken (the check
> should be done for y, not ty). Talos decided to report the remaining issue
> as a separate vulnerability, TALOS-2019-0842, which was recently assigned
> CVE-2019-5058. It was fixed via [1].
> 
> CVE-2019-5058/TALOS-2019-0842 is not a new vulnerability, it's just
> CVE-2018-3977 which wasn't fixed properly.

Ack, thanks for summarizing the situation.

> Buster received [0] per 2.0.4+dfsg1-1, but not [1]. Even if I was aware
> that the initial patch was broken (see stretch patch descriptions), I
> failed to handle this properly in the buster version.
> 
> As far as I remember, I did not upload this diff yet. I'll just provide an
> updated version asap. I will also update the testing NMU[2], which I
> fortunately did not upload yet.

Perfect, thank you for that!

Regards,
Salvatore



Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1

2019-08-05 Thread Hugo Lefeuvre
Hi Salvatore,

> Maybe I'm missing something but please double check. Can it be
> that the stretch-pu upload contains the fix
> https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10 for TALOS-2019-0842
> but the buster-pu one missed it? (Note this has a new CVE assigned
> CVE-2019-5058, the change afaics is included in your stretch-pu
> debdiff, is this right? but not in the buster-pu one?)

Thanks for catching this. The situation is quite messy, so I will try to
summarize it in a few words.

CVE-2018-3977 is the actual buffer overflow in IMG_pcx.c. This
vulnerability was "fixed" via [0], however the fix is broken (the check
should be done for y, not ty). Talos decided to report the remaining issue
as a separate vulnerability, TALOS-2019-0842, which was recently assigned
CVE-2019-5058. It was fixed via [1].

CVE-2019-5058/TALOS-2019-0842 is not a new vulnerability, it's just
CVE-2018-3977 which wasn't fixed properly.

Buster received [0] per 2.0.4+dfsg1-1, but not [1]. Even if I was aware
that the initial patch was broken (see stretch patch descriptions), I
failed to handle this properly in the buster version.

As far as I remember, I did not upload this diff yet. I'll just provide an
updated version asap. I will also update the testing NMU[2], which I
fortunately did not upload yet.

Thanks again!

regards,
Hugo

[0] https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8
[1] https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932755

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature
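The "check on ty instead of y" mistake Hugo describes above, modelled as an added stand-alone example. This is not SDL_image's code and not either Debian patch: the tiled copy loop, `surface_t`, `copy_layer()` and `guard_bytes_clobbered()` are assumed simplifications of a do_layer_surface-style loop, and the poisoned guard region exists only so the model can report an overflow instead of corrupting the heap. It shows why a bound tested on the tile-relative row `ty` (0..63) looks correct on a canvas shorter than one tile yet never fires on a 64-row canvas, while the same bound on the absolute row `y + ty` stops the copy at the surface edge.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TILE_DIM 64   /* XCF stores layer data in 64x64 tiles */

/* Hypothetical model of a tiled layer copy (added example, not SDL_image
 * code): the destination surface has h rows, and a layer may be taller than
 * it, so the copy loop has to stop at the surface edge. */
typedef struct {
    int w, h, pitch;
    uint8_t *pixels;   /* pitch * h bytes of image data, then guard bytes */
    size_t guard;      /* size of the guard region after the pixel data */
} surface_t;

enum row_check {
    CHECK_TILE_ROW,      /* compares ty (0..63) against h: the broken check */
    CHECK_ABSOLUTE_ROW   /* compares y + ty against h: the row actually written */
};

/* Copy an all-0xFF RGBA layer of layer_w x layer_h into s, tile by tile.
 * With CHECK_TILE_ROW the bound can never trip on a surface at least 64 rows
 * tall, because ty never exceeds 63, while the write lands on row y + ty. */
static void copy_layer(surface_t *s, int layer_w, int layer_h, enum row_check mode)
{
    for (int y = 0; y < layer_h; y += TILE_DIM) {
        int oy = layer_h - y < TILE_DIM ? layer_h - y : TILE_DIM;
        for (int x = 0; x < layer_w; x += TILE_DIM) {
            int ox = layer_w - x < TILE_DIM ? layer_w - x : TILE_DIM;
            for (int ty = 0; ty < oy; ty++) {
                int checked_row = (mode == CHECK_TILE_ROW) ? ty : y + ty;
                if (checked_row >= s->h)
                    break;
                uint8_t *dst = s->pixels + (size_t)(y + ty) * (size_t)s->pitch;
                for (int tx = 0; tx < ox && x + tx < s->w; tx++)
                    memset(dst + (size_t)(x + tx) * 4, 0xFF, 4);
            }
        }
    }
}

/* Run copy_layer() against a surface followed by a poisoned guard region
 * large enough to absorb every row the layer could reach, and return the
 * number of guard bytes that were overwritten: 0 means the copy stayed
 * inside the surface. Returns (size_t)-1 if allocation fails. */
static size_t guard_bytes_clobbered(int surf_w, int surf_h,
                                    int layer_w, int layer_h,
                                    enum row_check mode)
{
    surface_t s = { surf_w, surf_h, surf_w * 4, NULL, 0 };
    size_t data = (size_t)s.pitch * (size_t)surf_h;
    size_t rows_past = layer_h > surf_h ? (size_t)(layer_h - surf_h) : 0;

    s.guard = (rows_past + TILE_DIM) * (size_t)s.pitch;
    s.pixels = malloc(data + s.guard);
    if (!s.pixels)
        return (size_t)-1;
    memset(s.pixels, 0x00, data);
    memset(s.pixels + data, 0xA5, s.guard);   /* poison pattern */

    copy_layer(&s, layer_w, layer_h, mode);

    size_t clobbered = 0;
    for (size_t i = 0; i < s.guard; i++)
        if (s.pixels[data + i] != 0xA5)
            clobbered++;
    free(s.pixels);
    return clobbered;
}

int main(void)
{
    /* Constructed case: a 64x64 canvas with a layer twice as tall. */
    printf("tile-relative check: %zu guard bytes clobbered\n",
           guard_bytes_clobbered(64, 64, 64, 128, CHECK_TILE_ROW));
    printf("absolute-row check:  %zu guard bytes clobbered\n",
           guard_bytes_clobbered(64, 64, 64, 128, CHECK_ABSOLUTE_ROW));
    return 0;
}
```

The interesting input for a regression test is a canvas of 64 rows or more with a layer that extends below it: the tile-relative check passes on a 32-row canvas (the break fires at ty == 32 in the first tile row), which is exactly the kind of small fixture that lets an incorrect fix look complete.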


Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1

2019-08-04 Thread Salvatore Bonaccorso
Hi Hugo,

Maybe I'm missing something but please double check. Can it be
that the stretch-pu upload contains the fix
https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10 for TALOS-2019-0842
but the buster-pu one missed it? (Note this has a new CVE assigned
CVE-2019-5058, the change afaics is included in your stretch-pu
debdiff, is this right? but not in the buster-pu one?)

Would be great if you can re-check if the above is correct.

Regards,
Salvatore



Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1

2019-07-26 Thread Hugo Lefeuvre
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

libsdl2-image is currently affected by the following security issues:

* CVE-2019-5052: integer overflow and subsequent buffer overflow in
  IMG_pcx.c.

* CVE-2019-5051: heap-based buffer overflow in IMG_pcx.c.

* CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).

* CVE-2019-12216, CVE-2019-12217,
  CVE-2019-12218, CVE-2019-12219,
  CVE-2019-12220, CVE-2019-12221,
  CVE-2019-1: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).

(for more information, see #932754)

Attached is a debdiff addressing all of them for buster.

All of these patches are from upstream; I have removed whitespace changes
and non-security-related refactoring.

thanks!

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/changelog libsdl2-image-2.0.4+dfsg1/debian/changelog
--- libsdl2-image-2.0.4+dfsg1/debian/changelog	2019-02-03 08:59:26.0 -0200
+++ libsdl2-image-2.0.4+dfsg1/debian/changelog	2019-07-26 17:01:14.0 -0300
@@ -1,3 +1,17 @@
+libsdl2-image (2.0.4+dfsg1-1+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * Multiple security issues (Closes: #932754):
+- CVE-2019-5052: integer overflow and subsequent buffer overflow in
+  IMG_pcx.c.
+- CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+- CVE-2019-12216, CVE-2019-12217,
+  CVE-2019-12218, CVE-2019-12219,
+  CVE-2019-12220, CVE-2019-12221,
+  CVE-2019-1, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre   Fri, 26 Jul 2019 17:01:14 -0300
+
 libsdl2-image (2.0.4+dfsg1-1) unstable; urgency=medium
 
   * New upstream version.
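Review bot: this changelog has no entry for the IMG_xcf.c issue (TALOS-2019-0842, since assigned CVE-2019-5058), and as the follow-ups in this thread establish, the corresponding upstream change https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10 is missing from this debdiff while the stretch-pu one carries it; the revised debdiff adds CVE-2019-5058.patch and a changelog line for it. Separately, `CVE-2019-1` in the last bullet is not a complete CVE identifier and should be restored to the full ID before upload.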
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch
--- libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch	1969-12-31 21:00:00.0 -0300
+++ libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch	2019-07-26 17:01:14.0 -0300
@@ -0,0 +1,84 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c	2019-07-26 17:35:40.331470589 -0300
 b/IMG_pcx.c	2019-07-26 17:48:45.760965290 -0300
+@@ -98,6 +98,8 @@
+ Uint8 *row, *buf = NULL;
+ char *error = NULL;
+ int bits, src_bits;
++int count = 0;
++Uint8 ch;
+ 
+ if ( !src ) {
+ /* The error message has been set in SDL_RWFromFile */
+@@ -146,14 +148,14 @@
+ bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ if (bpl > surface->pitch) {
+ error = "bytes per line is too large (corrupt?)";
++goto done;
+ }
+-buf = (Uint8 *)SDL_calloc(SDL_max(bpl, surface->pitch), 1);
++buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ row = (Uint8 *)surface->pixels;
+ for ( y=0; yh; ++y ) {
+ /* decode a scan line to a temporary buffer first */
+-int i, count = 0;
+-Uint8 ch;
+-Uint8 *dst = (src_bits == 8) ? row : buf;
++int i;
++Uint8 *dst = buf;
+ if ( pcxh.Encoding == 0 ) {
+ if(!SDL_RWread(src, dst, bpl, 1)) {
+ error = "file truncated";
+@@ -166,14 +168,15 @@
+ error = "file truncated";
+ goto done;
+ }
+-if( (ch & 0xc0) == 0xc0) {
+-count = ch & 0x3f;
+-if(!SDL_RWread(src, , 1, 1)) {
++if ( ch < 0xc0 ) {
++count = 1;
++} else {
++count = ch - 0xc0;
++if( !SDL_RWread(src, , 1, 1)) {
+ error = "file truncated";
+ goto done;
+ }
+-} else
+-count = 1;
++}
+ }
+ dst[i] = ch;
+ count--;
+@@ -205,10 +208,16 @@
+ int x;
+ dst = row + plane;
+ for(x = 0; x < width; x++) {
++if ( dst >= row+surface->pitch ) {
++error = "decoding out of bounds (corrupt?)";
++goto done;
++}
+ *dst = *innerSrc++;
+ dst += pcxh.NPlanes;
+ }
+ }
++} else {
++SDL_memcpy(row, buf, bpl);
+ }
+ 
+ row += surface->pitch;
+@@ -225,8 +234,9 @@
+ /* look for a 256-colour palette */
+ do {
+ if ( !SDL_RWread(src, , 1, 1)) {
+-