Bug#912617: Fwd: Re: Bug#912617: libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability
(Forwarding for completeness)

----- Original message -----
From: Moritz Mühlenhoff
To: Chris Lamb
Cc: "Manuel A. Fernandez Montecelo", t...@security.debian.org
Subject: Re: Bug#912617: libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability
Date: Wed, 7 Nov 2018 23:07:52 +0100

On Wed, Nov 07, 2018 at 05:02:39PM -0500, Chris Lamb wrote:
> Dear Moritz,
>
> I notice you (?) dropped the related bug numbers. Was this deliberate?

Sorry, accidental. I meant to strip Salvatore as he's already getting those
mails via team@sdo and dropped the bugs by accident.

> > I don't think this warrants a DSA, IMG_LoadXCF_RW() doesn't seem to be in use
> > in the archive at all and it's hard to imagine a real world SDL application
> > parsing XCF files from untrusted sources.
>
> ACK here. I've updated the tracker for stretch here:
>
>   https://salsa.debian.org/security-tracker-team/security-tracker/commit/bb671421029223793d3e1e7c4e07d898a1a3aedb
>
> (Let me know if I shouldn't ever touch stable.)

Thanks, committing changes for stable is totally fine if it's recording existing
discussions!

Cheers,
Moritz
Bug#912617: libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability
Chris Lamb wrote:

>  * Uploaded libsdl2-image 2.0.3+dfsg1-3 to fix #912617 in sid.
>
>  * Uploaded sdl-image1.2 1.2.12-10 to sid to fix #912618 in sid.
>
> I will address jessie in the next day or so, although I think I
> would prefer to attack stable first.

Security team, can I gently ping you on whether I should go ahead
with preparing uploads for these?

Best wishes,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Bug#912617: libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability
Hi Manuel,

> > Sure. From this I will go ahead and upload to sid. I've requested
> > access to the Salsa group so I can push my changes.
>
> I was planning to gbp-import-dsc, but if you prefer I'll grant you access,
> sure.

This should save you some effort at least. So, I've:

 * Uploaded libsdl2-image 2.0.3+dfsg1-3 to fix #912617 in sid.

 * Uploaded sdl-image1.2 1.2.12-10 to sid to fix #912618 in sid.

I will address jessie in the next day or so, although I think I
would prefer to attack stable first.

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Bug#912617: libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability
Hi,

On Sun, 4 Nov 2018 at 17:28, Chris Lamb wrote:
>
> > I suppose that it's better that you go ahead unless they reply
> > between now and you reading this e-mail.
>
> Sure. From this I will go ahead and upload to sid. I've requested
> access to the Salsa group so I can push my changes.

I was planning to gbp-import-dsc, but if you prefer I'll grant you access,
sure.

> (I still await the Security Team on stable.)

OK, if you need any help please tell. I might not be around much in the
next days, but I will try to be responsive.

Cheers.
--
Manuel A. Fernandez Montecelo
Bug#912617: libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability
Hi Manuel,

> I suppose that it's better that you go ahead unless they reply
> between now and you reading this e-mail.

Sure. From this I will go ahead and upload to sid. I've requested
access to the Salsa group so I can push my changes.

(I still await the Security Team on stable.)

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Bug#912618: Bug#912617: libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability
Hi Chris,

On Sun, 4 Nov 2018 at 15:48, Chris Lamb wrote:
>
> Hi SDL maintainers & security team,
>
> > libsdl2-image: CVE-2018-3977: do_layer_surface code execution
> > vulnerability
>
> The attached patches apply cleanly to jessie, stretch and sid
> respectfully. (Looks like they reformatted their code later on.)
>
> I am happy to upload handle jessie, but I can also work on the
> stable/sid releases too if you wish; please let me know.

I am enjoying a kind of a "long weekend" / mini-holidays, could not work
on it so far and will not at least for another 3 or 4 days, and since
the rest of the team did not reply to the original report I suppose that
it's better that you go ahead unless they reply between now and you
reading this e-mail.

Thanks to the several people involved in the work, both for the report and
patches and offer to fix!

Cheers.
--
Manuel A. Fernandez Montecelo
Bug#912617: libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability
Source: libsdl2-image
Version: 2.0.3+dfsg1-2
Severity: grave
Tags: patch security upstream
Justification: user security hole
Control: found -1 2.0.1+dfsg-1
Control: found -1 2.0.1+dfsg-2+deb9u1
Control: clone -1 -2
Control: retitle -2 sdl-image1.2: CVE-2018-3977: do_layer_surface code execution vulnerability
Control: reassign -2 src:sdl-image1.2 1.2.12-9
Control: found -2 1.2.12-5
Control: found -2 1.2.12-5+deb9u1

Hi,

The following vulnerability was published for libsdl2-image.

CVE-2018-3977[0]:
| An exploitable code execution vulnerability exists in the XCF image
| rendering functionality of SDL2_image-2.0.3. A specially crafted XCF
| image can cause a heap overflow, resulting in code execution. An
| attacker can display a specially crafted image to trigger this
| vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-3977
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3977
[1] https://talosintelligence.com/vulnerability_reports/TALOS-2018-0645
[2] https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore