Bug#932755: sdl-image1.2: multiple security issues
Hi Felix, > > Concerning testing: can I upload the NMU? > > Sure, please go ahead! thanks! I have uploaded the NMU, with some very small changes: I have added a patch for CVE-2019-5058, which addresses issues in a previously uploaded patch for CVE-2018-3977 (via 1.2.12-10). cheers, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description: PGP signature
Bug#932755: sdl-image1.2: multiple security issues
Hi Salvatore, > FTR, there are new CVEs which appeared for TALOS-2019-0841 > TALOS-2019-0842, TALOS-2019-0843 and TALOS-2019-0844. > > It is unfortunate that Cisco Talos project is a bit intransparent on > referencing the respecitve upstream fixes after disclosure :( Thanks for the information. I will update the testing NMU to address these issues as well and perform some triage in the tracker (CVE-2019-5058 is the same as CVE-2018-3977 and CVE-2019-5057 looks familiar as well). regards, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description: PGP signature
Bug#932755: sdl-image1.2: multiple security issues
Hi FTR, there are new CVEs which appeared for TALOS-2019-0841 TALOS-2019-0842, TALOS-2019-0843 and TALOS-2019-0844. It is unfortunate that Cisco Talos project is a bit intransparent on referencing the respecitve upstream fixes after disclosure :( Regards, Salvatore
Bug#932755: sdl-image1.2: multiple security issues
Hi Hugo, On 27.07.19 19:39, Hugo Lefeuvre wrote: Dear SDL packages maintainers, I have uploaded the jessie LTS update. I will coordinate with the security team for stretch and buster fixes via point release. Concerning testing: can I upload the NMU? Sure, please go ahead! Cheers, Felix
Bug#932755: sdl-image1.2: multiple security issues
Dear SDL packages maintainers, I have uploaded the jessie LTS update. I will coordinate with the security team for stretch and buster fixes via point release. Concerning testing: can I upload the NMU? cheers, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description: PGP signature
Bug#932755: sdl-image1.2: multiple security issues
Source: sdl-image1.2 Version: 1.2.12-10 Severity: important Tags: security upstream Hi, the following security issues[0] were published for sdl-image1.2: * CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c. * CVE-2019-5051: heap-based buffer overflow in IMG_pcx.c. * CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c). * CVE-2019-12216, CVE-2019-12217, CVE-2019-12218, CVE-2019-12219, CVE-2019-12220, CVE-2019-12221, CVE-2019-1: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c). Fixing these issues: Patches are quite straightforward and I believe that some of these issues are worth fixing (reporter claims that they are "exploitable"). I have prepared and uploaded a jessie LTS update addressing most of these issues (all of them apart from CVE-2019-5051) via targeted fixes. If the security team agrees, I will provide targeted fixes for buster and stretch. For testing, I suggest to package the latest upstream release. If needed, I can provide an update with targeted fixes. regards, Hugo [0] https://security-tracker.debian.org/tracker/source-package/sdl-image1.2 -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description: PGP signature
