Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
libsdl2-image is currently affected by the following security issues in
stretch:
* CVE-2018-3977: Heap buffer overflow.
* CVE-2019-5052: integer overflow and subsequent buffer overflow in
IMG_pcx.c.
* CVE-2019-5051: heap-based buffer overflow in IMG_pcx.c.
* CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
* CVE-2019-12216, CVE-2019-12217,
CVE-2019-12218, CVE-2019-12219,
CVE-2019-12220, CVE-2019-12221,
CVE-2019-12222: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
(for more information, see #932754)
Attached is a debdiff addressing all of them for stretch.
All of these patches are taken from upstream; I have removed whitespace changes
and non-security-related refactoring.
This is the same patch as #933147.
thanks!
cheers,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru libsdl2-image-2.0.1+dfsg/debian/changelog libsdl2-image-2.0.1+dfsg/debian/changelog
--- libsdl2-image-2.0.1+dfsg/debian/changelog 2018-04-15 12:26:34.000000000 -0300
+++ libsdl2-image-2.0.1+dfsg/debian/changelog 2019-07-27 13:19:47.000000000 -0300
@@ -1,3 +1,18 @@
+libsdl2-image (2.0.1+dfsg-2+deb9u2) stretch; urgency=medium
+
+ * Non-maintainer upload.
+ * Multiple security issues (Closes: #932754):
+ - CVE-2018-3977: buffer overflow in do_layer_surface (IMG_xcf.c).
+ - CVE-2019-5052: integer overflow and subsequent buffer overflow in
+ IMG_pcx.c.
+ - CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+ - CVE-2019-12216, CVE-2019-12217,
+ CVE-2019-12218, CVE-2019-12219,
+ CVE-2019-12220, CVE-2019-12221,
+ CVE-2019-12222, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre <hle@debian.org> Sat, 27 Jul 2019 13:19:47 -0300
+
libsdl2-image (2.0.1+dfsg-2+deb9u1) stretch-security; urgency=high
* Backport various security fixes:
diff -Nru libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2018-3977.patch libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2018-3977.patch
--- libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2018-3977.patch 1969-12-31 21:00:00.000000000 -0300
+++ libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2018-3977.patch 2019-07-27 13:19:47.000000000 -0300
@@ -0,0 +1,19 @@
+Description: Fix potential buffer overflow on corrupt or maliciously-crafted XCF file.
+ This patch bundles two fixes, the original one for CVE-2018-3977
+ (TALOS-2018-0645) which is actually broken, and the followup patch
+ (TALOS-2019-0842).
+Author: Ryan C. Gordon <icculus@icculus.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8
+ https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10
+--- a/IMG_xcf.c 2019-07-27 13:21:45.402211011 -0300
++++ b/IMG_xcf.c 2019-07-27 13:21:45.398211049 -0300
+@@ -637,6 +637,9 @@
+ p16 = (Uint16 *) p8;
+ p = (Uint32 *) p8;
+ for (y=ty; y < ty+oy; y++) {
++ if ((y >= surface->h) || ((tx+ox) > surface->w)) {
++ break;
++ }
+ row = (Uint32 *)((Uint8 *)surface->pixels + y*surface->pitch + tx*4);
+ switch (hierarchy->bpp) {
+ case 4:
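Review bot: The new guard at L68 keeps `(tx+ox) > surface->w` inside the row loop although it does not depend on `y`, so it is re-evaluated for every row and the `p8`/`p16`/`p` setup above it has already run before an oversized tile is rejected; hoisting that half before the `for` makes the bound a single precondition on the tile. The guard also silently `break`s, so a tile whose extent exceeds the surface is truncated without any error reaching the caller, where an `SDL_SetError` plus failure return would make a corrupt file visible instead of yielding a partially drawn image. The types of `y`, `tx` and `ox` are not visible in the hunk; if they are 32-bit unsigned, `tx+ox` can wrap and the comparison passes for a crafted tile, so a form like `ox > surface->w || tx > surface->w - ox` avoids the sum. The enclosing function (do_layer_surface, per the changelog entry) begins and ends outside the hunk.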
diff -Nru libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2019-12218.patch libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2019-12218.patch
--- libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2019-12218.patch 1969-12-31 21:00:00.000000000 -0300
+++ libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2019-12218.patch 2019-07-27 13:19:47.000000000 -0300
@@ -0,0 +1,84 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga <slouken@libsdl.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c 2019-07-27 13:21:30.158367768 -0300
++++ b/IMG_pcx.c 2019-07-27 13:21:30.154367811 -0300
+@@ -100,6 +100,8 @@
+ Uint8 *row, *buf = NULL;
+ char *error = NULL;
+ int bits, src_bits;
++ int count = 0;
++ Uint8 ch;
+
+ if ( !src ) {
+ /* The error message has been set in SDL_RWFromFile */
+@@ -148,14 +150,14 @@
+ bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ if (bpl > surface->pitch) {
+ error = "bytes per line is too large (corrupt?)";
++ goto done;
+ }
+- buf = (Uint8 *)SDL_calloc(SDL_max(bpl, surface->pitch), 1);
++ buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ row = (Uint8 *)surface->pixels;
+ for ( y=0; y<surface->h; ++y ) {
+ /* decode a scan line to a temporary buffer first */
+- int i, count = 0;
+- Uint8 ch;
+- Uint8 *dst = (src_bits == 8) ? row : buf;
++ int i;
++ Uint8 *dst = buf;
+ if ( pcxh.Encoding == 0 ) {
+ if(!SDL_RWread(src, dst, bpl, 1)) {
+ error = "file truncated";
+@@ -168,14 +170,15 @@
+ error = "file truncated";
+ goto done;
+ }
+- if( (ch & 0xc0) == 0xc0) {
+- count = ch & 0x3f;
+- if(!SDL_RWread(src, &ch, 1, 1)) {
++ if ( ch < 0xc0 ) {
++ count = 1;
++ } else {
++ count = ch - 0xc0;
++ if( !SDL_RWread(src, &ch, 1, 1)) {
+ error = "file truncated";
+ goto done;
+ }
+- } else
+- count = 1;
++ }
+ }
+ dst[i] = ch;
+ count--;
+@@ -207,10 +210,16 @@
+ int x;
+ dst = row + plane;
+ for(x = 0; x < width; x++) {
++ if ( dst >= row+surface->pitch ) {
++ error = "decoding out of bounds (corrupt?)";
++ goto done;
++ }
+ *dst = *innerSrc++;
+ dst += pcxh.NPlanes;
+ }
+ }
++ } else {
++ SDL_memcpy(row, buf, bpl);
+ }
+
+ row += surface->pitch;
+@@ -227,8 +236,9 @@
+ /* look for a 256-colour palette */
+ do {
+ if ( !SDL_RWread(src, &ch, 1, 1)) {
+- error = "file truncated";
+- goto done;
++ /* Couldn't find the palette, try the end of the file */
++ SDL_RWseek(src, -768, RW_SEEK_END);
++ break;
+ }
+ } while ( ch != 12 );
+
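Review bot: `SDL_RWseek(src, -768, RW_SEEK_END)` at L157 ignores its return value; on a stream shorter than 768 bytes, or one that is not seekable, the seek fails and the palette read that follows (outside the hunk) proceeds from whatever position the failed `SDL_RWread` left, so the fallback should be `if (SDL_RWseek(src, -768, RW_SEEK_END) < 0) { error = "file truncated"; goto done; }`. Separately, moving `count` from the per-row declaration at L104 to function scope at L88 means an RLE run that does not end exactly at `bpl` now continues into the next scan line instead of being reset per row; if that is intended PCX leniency it deserves a comment, since it changes how a crafted run is decoded. IMG_LoadPCX_RW starts and ends outside the hunk.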
diff -Nru libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2019-5052.patch libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2019-5052.patch
--- libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2019-5052.patch 1969-12-31 21:00:00.000000000 -0300
+++ libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2019-5052.patch 2019-07-27 13:19:47.000000000 -0300
@@ -0,0 +1,15 @@
+Description: fix invalid data read on bpl == -1
+ Issue known as TALOS-2019-0821, or CVE-2019-5052.
+Author: Sam Lantinga <slouken@libsdl.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/b920be2b3fc6
+--- a/IMG_pcx.c 2019-07-27 13:21:35.678309318 -0300
++++ b/IMG_pcx.c 2019-07-27 13:21:35.678309318 -0300
+@@ -148,7 +148,7 @@
+ goto done;
+
+ bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+- if (bpl > surface->pitch) {
++ if (bpl < 0 || bpl > surface->pitch) {
+ error = "bytes per line is too large (corrupt?)";
+ goto done;
+ }
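Review bot: The `bpl < 0` test added at L177 does not survive the series: IMG_pcx-out-of-bounds.patch, applied after this one per debian/patches/series, deletes the whole `if (bpl < 0 || bpl > surface->pitch)` block, so the built source never contains the CVE-2019-5052 check the changelog claims. After that patch a negative `bpl` is only caught indirectly, if at all, by `SDL_calloc(bpl, 1)` failing on the converted size; the type of `bpl` and of the header fields is not visible here, so whether the negative value remains reachable cannot be confirmed from the hunk. Either keep the range check in the later patch or fold the two into one patch so the guard is not silently lost. The enclosing function continues outside the hunk.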
diff -Nru libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2019-7635.patch libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2019-7635.patch
--- libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2019-7635.patch 1969-12-31 21:00:00.000000000 -0300
+++ libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2019-7635.patch 2019-07-27 13:19:47.000000000 -0300
@@ -0,0 +1,59 @@
+Subject: fix Heap-Buffer Overflow in Blit1to4 (IMG_bmp.c)
+Author: Sam Lantinga <slouken@libsdl.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/03bd33e8cb49
+--- a/IMG_bmp.c 2019-07-27 13:21:50.074165775 -0300
++++ b/IMG_bmp.c 2019-07-27 13:21:50.070165813 -0300
+@@ -374,6 +374,14 @@
+ ExpandBMP = biBitCount;
+ biBitCount = 8;
+ break;
++ case 2:
++ case 3:
++ case 5:
++ case 6:
++ case 7:
++ SDL_SetError("%d-bpp BMP images are not supported", biBitCount);
++ was_error = SDL_TRUE;
++ goto done;
+ default:
+ ExpandBMP = 0;
+ break;
+@@ -514,13 +522,19 @@
+ if ( i%(8/ExpandBMP) == 0 ) {
+ if ( !SDL_RWread(src, &pixel, 1, 1) ) {
+ IMG_SetError("Error reading from BMP");
++ was_error = SDL_TRUE;
++ goto done;
++ }
++ }
++ bits[i] = (pixel >> shift);
++ if (bits[i] >= biClrUsed) {
++ IMG_SetError("A BMP image contains a pixel with a color out of the palette");
+ was_error = SDL_TRUE;
+ goto done;
+ }
++ pixel <<= ExpandBMP;
+ }
+- *(bits+i) = (pixel>>shift);
+- pixel <<= ExpandBMP;
+- } }
++ }
+ break;
+
+ default:
+@@ -529,6 +543,15 @@
+ was_error = SDL_TRUE;
+ goto done;
+ }
++ if (biBitCount == 8 && palette && biClrUsed < (1 << biBitCount)) {
++ for (i = 0; i < surface->w; ++i) {
++ if (bits[i] >= biClrUsed) {
++ SDL_SetError("A BMP image contains a pixel with a color out of the palette");
++ was_error = SDL_TRUE;
++ goto done;
++ }
++ }
++ }
+ #if SDL_BYTEORDER == SDL_BIG_ENDIAN
+ /* Byte-swap the pixels if needed. Note that the 24bpp
+ case has already been taken care of above. */
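Review bot: Error reporting in the new code is inconsistent: L199 and L235 call `SDL_SetError` while L208 and L215 use `IMG_SetError` for the same class of failure, and the out-of-palette messages at L215 and L235 are identical text; the surrounding context (L208) uses `IMG_SetError`, so `SDL_SetError(...)` at L199 and L235 should become `IMG_SetError(...)`. The 8-bpp palette check at L232 is gated on `palette` being non-NULL, whereas the 1/4-bpp check at L214 is not, so whether `biClrUsed` is guaranteed non-zero on that path depends on code above the hunk — if it can be 0 the L214 test rejects every pixel. The enclosing function begins and ends outside the hunk.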
diff -Nru libsdl2-image-2.0.1+dfsg/debian/patches/IMG_pcx-out-of-bounds.patch libsdl2-image-2.0.1+dfsg/debian/patches/IMG_pcx-out-of-bounds.patch
--- libsdl2-image-2.0.1+dfsg/debian/patches/IMG_pcx-out-of-bounds.patch 1969-12-31 21:00:00.000000000 -0300
+++ libsdl2-image-2.0.1+dfsg/debian/patches/IMG_pcx-out-of-bounds.patch 2019-07-27 13:19:47.000000000 -0300
@@ -0,0 +1,71 @@
+Description: fix multiple OOB issues in IMG_pcx.c
+ This patches addresses following issues: CVE-2019-12222, CVE-2019-12221,
+ CVE-2019-12220, CVE-2019-12219 and CVE-2019-12217.
+Author: Sam Lantinga <slouken@libsdl.org>, Hugo Lefeuvre <hle@debian.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34
+--- a/IMG_pcx.c 2019-07-27 13:21:40.950255295 -0300
++++ b/IMG_pcx.c 2019-07-27 13:21:40.946255336 -0300
+@@ -148,18 +148,17 @@
+ goto done;
+
+ bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+- if (bpl < 0 || bpl > surface->pitch) {
+- error = "bytes per line is too large (corrupt?)";
++ buf = (Uint8 *)SDL_calloc(bpl, 1);
++ if ( !buf ) {
++ error = "Out of memory";
+ goto done;
+ }
+- buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ row = (Uint8 *)surface->pixels;
+ for ( y=0; y<surface->h; ++y ) {
+ /* decode a scan line to a temporary buffer first */
+ int i;
+- Uint8 *dst = buf;
+ if ( pcxh.Encoding == 0 ) {
+- if(!SDL_RWread(src, dst, bpl, 1)) {
++ if(!SDL_RWread(src, buf, bpl, 1)) {
+ error = "file truncated";
+ goto done;
+ }
+@@ -180,7 +179,7 @@
+ }
+ }
+ }
+- dst[i] = ch;
++ buf[i] = ch;
+ count--;
+ }
+ }
+@@ -202,13 +201,21 @@
+ }
+ }
+ }
++ } else if ( src_bits == 8 ) {
++ /* directly copy buf content to row */
++ Uint8 *innerSrc = buf;
++ int x;
++ Uint8 *dst = row;
++ for ( x = 0; x < width; x++ ) {
++ *dst++ = *innerSrc++;
++ }
+ } else if(src_bits == 24) {
+ /* de-interlace planes */
+ Uint8 *innerSrc = buf;
+ int plane;
+ for(plane = 0; plane < pcxh.NPlanes; plane++) {
+ int x;
+- dst = row + plane;
++ Uint8 *dst = row + plane;
+ for(x = 0; x < width; x++) {
+ if ( dst >= row+surface->pitch ) {
+ error = "decoding out of bounds (corrupt?)";
+@@ -218,8 +225,6 @@
+ dst += pcxh.NPlanes;
+ }
+ }
+- } else {
+- SDL_memcpy(row, buf, bpl);
+ }
+
+ row += surface->pitch;
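Review bot: `buf` is now allocated with exactly `bpl = NPlanes * BytesPerLine` bytes (L261), but the new 8-bit copy at L296-L298 reads `width` bytes from it and the 24-bit de-interlace reads `NPlanes * width`, and nothing in the hunk ties `width` to `BytesPerLine`; unless the header validation above the hunk already rejects `BytesPerLine < width`, a crafted file with a small BytesPerLine and a large Xmax makes the copy loop read past the end of `buf`, the very class of bug this patch is meant to close. Adding, right after the `bpl` computation, `if (bpl < width * pcxh.NPlanes) { error = "bytes per line is too small (corrupt?)"; goto done; }` bounds the reads by the allocation; the write side is already covered for 24-bit by the `dst >= row+surface->pitch` test and for 8-bit as long as the surface's pitch is at least `width`. Note also that this hunk drops the `bpl > surface->pitch` check at L259, so a `bpl` larger than a row is now merely an over-allocation rather than an error. IMG_LoadPCX_RW starts and ends outside the hunk.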
diff -Nru libsdl2-image-2.0.1+dfsg/debian/patches/series libsdl2-image-2.0.1+dfsg/debian/patches/series
--- libsdl2-image-2.0.1+dfsg/debian/patches/series 2018-04-15 12:26:34.000000000 -0300
+++ libsdl2-image-2.0.1+dfsg/debian/patches/series 2019-07-27 13:19:47.000000000 -0300
@@ -10,3 +10,8 @@
CVE-2018-3837.patch
CVE-2018-3838.patch
CVE-2018-3839.patch
+CVE-2019-12218.patch
+CVE-2019-5052.patch
+IMG_pcx-out-of-bounds.patch
+CVE-2018-3977.patch
+CVE-2019-7635.patch