Bug#936051: stretch-pu: package sdl-image1.2/1.2.12-5+deb9u2

2019-08-29 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Thu, 2019-08-29 at 09:51 -0400, Hugo Lefeuvre wrote:
> Small update: I forgot to close the bug report (#932755) and did not
> mention
> CVE-2019-5058 in debian/changelog. You can find an updated debdiff in
> attachment.
> 

Please go ahead.

Regards,

Adam



Bug#936051: stretch-pu: package sdl-image1.2/1.2.12-5+deb9u2

2019-08-29 Thread Hugo Lefeuvre
Small update: I forgot to close the bug report (#932755) and did not mention
CVE-2019-5058 in debian/changelog. You can find an updated debdiff in
attachment.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru sdl-image1.2-1.2.12/debian/changelog sdl-image1.2-1.2.12/debian/changelog
--- sdl-image1.2-1.2.12/debian/changelog	2018-04-15 11:54:38.0 -0400
+++ sdl-image1.2-1.2.12/debian/changelog	2019-08-29 08:28:17.0 -0400
@@ -1,3 +1,17 @@
+sdl-image1.2 (1.2.12-5+deb9u2) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2018-3977, CVE-2019-5058: buffer overflow in do_layer_surface
+(IMG_xcf.c) (Closes: #932755).
+  * CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c.
+  * CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+  * CVE-2019-12216, CVE-2019-12217,
+CVE-2019-12218, CVE-2019-12219,
+CVE-2019-12220, CVE-2019-12221,
+CVE-2019-1, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre   Thu, 29 Aug 2019 08:28:17 -0400
+
 sdl-image1.2 (1.2.12-5+deb9u1) stretch-security; urgency=high
 
   * Backport various security fixes:
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch	1969-12-31 19:00:00.0 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch	2019-08-29 08:26:26.0 -0400
@@ -0,0 +1,19 @@
+Description: Fix potential buffer overflow on corrupt or maliciously-crafted XCF file.
+ This patch bundles two fixes, the original one for CVE-2018-3977
+ (TALOS-2018-0645) which is actually broken, and the followup patch
+ (TALOS-2019-0842).
+Author: Ryan C. Gordon 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8
+  https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10
+--- a/IMG_xcf.c	2019-07-23 11:56:35.733259428 -0300
 b/IMG_xcf.c	2019-07-23 11:57:55.036947079 -0300
+@@ -634,6 +634,9 @@
+   p16 = (Uint16 *) p8;
+   p   = (Uint32 *) p8;
+   for (y=ty; y < ty+oy; y++) {
++	if ((y >= surface->h) || ((tx+ox) > surface->w)) {
++		break;
++	}
+ 	row = (Uint32 *)((Uint8 *)surface->pixels + y*surface->pitch + tx*4);
+ 	switch (hierarchy->bpp) {
+ 	case 4:
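Review bot: The added guard computes `tx+ox` before comparing it with `surface->w`, so if `tx` and `ox` are unsigned 32-bit values taken from the file (their declarations are outside the hunk) the sum can wrap and a tile whose offset is far past the surface still passes the check and feeds `tx*4` into the `row` computation on the next line; if they are signed, a negative `tx` passes it just as easily. An overflow-free form is `if (y >= surface->h || ox > surface->w || tx > surface->w - ox) { break; }`, which rejects the same tiles without forming the sum. The width half of the condition does not depend on `y`, so it could also be evaluated once before the loop, and a short comment such as `/* clip tiles that extend past the surface (corrupt or crafted XCF) */` would record why the loop silently truncates instead of reporting an error. The enclosing function continues outside the hunk, and the identical copy of this patch later in the thread carries the same point.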
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	1969-12-31 19:00:00.0 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	2019-08-29 08:26:26.0 -0400
@@ -0,0 +1,83 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c	2019-07-23 11:28:25.847897628 -0300
 b/IMG_pcx.c	2019-07-23 11:43:07.748441381 -0300
+@@ -100,6 +100,8 @@
+ 	Uint8 *row, *buf = NULL;
+ 	char *error = NULL;
+ 	int bits, src_bits;
++	int count = 0;
++	Uint8 ch;
+ 
+ 	if ( !src ) {
+ 		/* The error message has been set in SDL_RWFromFile */
+@@ -148,14 +150,14 @@
+ 	bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ 	if (bpl > surface->pitch) {
+ 		error = "bytes per line is too large (corrupt?)";
++		goto done;
+ 	}
+-	buf = calloc(SDL_max(bpl, surface->pitch), 1);
++	buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ 	row = surface->pixels;
+ 	for ( y=0; yh; ++y ) {
+ 		/* decode a scan line to a temporary buffer first */
+-		int i, count = 0;
+-		Uint8 ch;
+-		Uint8 *dst = (src_bits == 8) ? row : buf;
++		int i;
++		Uint8 *dst = buf;
+ 		if ( pcxh.Encoding == 0 ) {
+ 			if(!SDL_RWread(src, dst, bpl, 1)) {
+ error = "file truncated";
+@@ -168,14 +170,15 @@
+ 		error = "file truncated";
+ 		goto done;
+ 	}
+-	if( (ch & 0xc0) == 0xc0) {
+-		count = ch & 0x3f;
++	if( ch < 0xc0) {
++		count = 1;
++	} else {
++		count = ch - 0xc0;
+ 		if(!SDL_RWread(src, , 1, 1)) {
+ 			error = "file truncated";
+ 			goto done;
+ 		}
+-	} else
+-		count = 1;
++	}
+ }
+ dst[i] = ch;
+ count--;
+@@ -207,10 +210,16 @@
+ int x;
+ dst = row + plane;
+ for(x = 0; x < width; x++) {
++	if ( dst >= row+surface->pitch ) {
++		error = "decoding out of bounds (corrupt?)";
++		goto done;
++	}
+ 	*dst = *src++;
+ 	dst += pcxh.NPlanes;
+ }
+ 			}
++		} else {
++			SDL_memcpy(row, buf, bpl);
+ 		}
+ 
+ 		row += surface->pitch;
+@@ -227,8 +236,9 @@
+ 			/* look for a 256-colour palette */
+ 			do {
+ if ( !SDL_RWread(src, , 1, 1)) {
+-	error = "file truncated";
+-	goto done;
++	/* Couldn't find the palette, try the end of the file */
++	SDL_RWseek(src, -768, RW_SEEK_END);
++	break;
+ }
+ 			} while ( ch != 12 );
+ 
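Review bot: The `SDL_calloc(surface->pitch, 1)` result is stored in `buf` and used unchecked: every scan line now decodes into `dst = buf`, and the new `else` branch reads from it with `SDL_memcpy(row, buf, bpl)`, so an allocation failure turns into a NULL dereference rather than an error (no check is visible in this hunk; if one sits in the omitted context lines this does not apply). A guard right after the allocation keeps the function's existing error convention: `if (!buf) { error = "out of memory"; goto done; }`. Separately, `count = ch - 0xc0` yields 0 for a 0xc0 byte and the unconditional `count--` further down then leaves it negative; because `count` was moved to function scope in the first hunk, such a value would now persist across scan lines, so depending on how the enclosing loop tests it (that test is outside the hunk) this wants either a comment or an explicit `error = "bad run length (corrupt?)"; goto done;`. The return value of `SDL_RWseek(src, -768, RW_SEEK_END)` is also ignored, which is acceptable only if the palette read that follows it is itself checked. IMG_LoadPCX_RW starts and ends outside the hunk.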
diff -Nru 

Bug#936051: stretch-pu: package sdl-image1.2/1.2.12-5+deb9u2

2019-08-29 Thread Hugo Lefeuvre
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

sdl-image1.2 is affected by a number of security issues in stretch. The impact is
quite minor, but it would still be nice to get them fixed.

Attached is a debdiff addressing most of them for stretch.

libsdl2-image 2.0.4+dfsg1+deb10u1 and 2.0.1+dfsg-2+deb9u2 have already been
accepted in stretch-pu and buster-pu; those are the same issues and the same
patches.

(I initially intended to submit -pu requests for both sdl-image1.2 and libsdl2
at the same time, but for a number of reasons sdl-image1.2 was delayed)

thanks!

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru sdl-image1.2-1.2.12/debian/changelog sdl-image1.2-1.2.12/debian/changelog
--- sdl-image1.2-1.2.12/debian/changelog	2018-04-15 11:54:38.0 -0400
+++ sdl-image1.2-1.2.12/debian/changelog	2019-08-29 08:28:17.0 -0400
@@ -1,3 +1,16 @@
+sdl-image1.2 (1.2.12-5+deb9u2) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2018-3977: buffer overflow in do_layer_surface (IMG_xcf.c).
+  * CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c.
+  * CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+  * CVE-2019-12216, CVE-2019-12217,
+CVE-2019-12218, CVE-2019-12219,
+CVE-2019-12220, CVE-2019-12221,
+CVE-2019-1, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre   Thu, 29 Aug 2019 08:28:17 -0400
+
 sdl-image1.2 (1.2.12-5+deb9u1) stretch-security; urgency=high
 
   * Backport various security fixes:
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch	1969-12-31 19:00:00.0 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch	2019-08-29 08:26:26.0 -0400
@@ -0,0 +1,19 @@
+Description: Fix potential buffer overflow on corrupt or maliciously-crafted XCF file.
+ This patch bundles two fixes, the original one for CVE-2018-3977
+ (TALOS-2018-0645) which is actually broken, and the followup patch
+ (TALOS-2019-0842).
+Author: Ryan C. Gordon 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8
+  https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10
+--- a/IMG_xcf.c	2019-07-23 11:56:35.733259428 -0300
 b/IMG_xcf.c	2019-07-23 11:57:55.036947079 -0300
+@@ -634,6 +634,9 @@
+   p16 = (Uint16 *) p8;
+   p   = (Uint32 *) p8;
+   for (y=ty; y < ty+oy; y++) {
++	if ((y >= surface->h) || ((tx+ox) > surface->w)) {
++		break;
++	}
+ 	row = (Uint32 *)((Uint8 *)surface->pixels + y*surface->pitch + tx*4);
+ 	switch (hierarchy->bpp) {
+ 	case 4:
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	1969-12-31 19:00:00.0 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	2019-08-29 08:26:26.0 -0400
@@ -0,0 +1,83 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c	2019-07-23 11:28:25.847897628 -0300
 b/IMG_pcx.c	2019-07-23 11:43:07.748441381 -0300
+@@ -100,6 +100,8 @@
+ 	Uint8 *row, *buf = NULL;
+ 	char *error = NULL;
+ 	int bits, src_bits;
++	int count = 0;
++	Uint8 ch;
+ 
+ 	if ( !src ) {
+ 		/* The error message has been set in SDL_RWFromFile */
+@@ -148,14 +150,14 @@
+ 	bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ 	if (bpl > surface->pitch) {
+ 		error = "bytes per line is too large (corrupt?)";
++		goto done;
+ 	}
+-	buf = calloc(SDL_max(bpl, surface->pitch), 1);
++	buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ 	row = surface->pixels;
+ 	for ( y=0; yh; ++y ) {
+ 		/* decode a scan line to a temporary buffer first */
+-		int i, count = 0;
+-		Uint8 ch;
+-		Uint8 *dst = (src_bits == 8) ? row : buf;
++		int i;
++		Uint8 *dst = buf;
+ 		if ( pcxh.Encoding == 0 ) {
+ 			if(!SDL_RWread(src, dst, bpl, 1)) {
+ error = "file truncated";
+@@ -168,14 +170,15 @@
+ 		error = "file truncated";
+ 		goto done;
+ 	}
+-	if( (ch & 0xc0) == 0xc0) {
+-		count = ch & 0x3f;
++	if( ch < 0xc0) {
++		count = 1;
++	} else {
++		count = ch - 0xc0;
+ 		if(!SDL_RWread(src, , 1, 1)) {
+ 			error = "file truncated";
+ 			goto done;
+ 		}
+-	} else
+-		count = 1;
++	}
+ }
+ dst[i] = ch;
+ count--;
+@@ -207,10 +210,16 @@
+ int x;
+ dst = row + plane;
+ for(x = 0; x < width; x++) {
++	if ( dst >= row+surface->pitch ) {
++		error = "decoding out of bounds (corrupt?)";
++		goto done;
++	}
+ 	*dst = *src++;
+ 	dst +=