Your message dated Sat, 07 Sep 2019 14:34:49 +0100 with message-id <[🔎] f49e2985d8466065c49c03185c24465a32228fb5.camel@adam-barratt.org.uk> and subject line Closing bugs for fixes including in 10.1 point release has caused the Debian Bug report #933147, regarding buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 933147: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933147 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Cc: team@security.debian.org
- Subject: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1
- From: Hugo Lefeuvre <hle@debian.org>
- Date: Fri, 26 Jul 2019 18:53:13 -0300
- Message-id: <20190726215313.GA5531@behemoth.owl.eu.com.local>
Package: release.debian.org Severity: normal Tags: buster User: release.debian.org@packages.debian.org Usertags: pu Hi, libsdl2-image is currently affected by the following security issues: * CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c. * CVE-2019-5051: heap-based buffer overflow in IMG_pcx.c. * CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c). * CVE-2019-12216, CVE-2019-12217, CVE-2019-12218, CVE-2019-12219, CVE-2019-12220, CVE-2019-12221, CVE-2019-12222: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c). (for more information, see #932754) Attached is a debdiff addressing all of them for buster. All of these patches are from upstream, I have removed whitespace changes and non security related refactoring. thanks! cheers, Hugo -- Hugo Lefeuvre (hle) | www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4Cdiff -Nru libsdl2-image-2.0.4+dfsg1/debian/changelog libsdl2-image-2.0.4+dfsg1/debian/changelog --- libsdl2-image-2.0.4+dfsg1/debian/changelog 2019-02-03 08:59:26.000000000 -0200 +++ libsdl2-image-2.0.4+dfsg1/debian/changelog 2019-07-26 17:01:14.000000000 -0300 @@ -1,3 +1,17 @@ +libsdl2-image (2.0.4+dfsg1-1+deb10u1) buster; urgency=medium + + * Non-maintainer upload. + * Multiple security issues (Closes: #932754): + - CVE-2019-5052: integer overflow and subsequent buffer overflow in + IMG_pcx.c. + - CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c). + - CVE-2019-12216, CVE-2019-12217, + CVE-2019-12218, CVE-2019-12219, + CVE-2019-12220, CVE-2019-12221, + CVE-2019-12222, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c). + + -- Hugo Lefeuvre <hle@debian.org> Fri, 26 Jul 2019 17:01:14 -0300 + libsdl2-image (2.0.4+dfsg1-1) unstable; urgency=medium * New upstream version. diff -Nru libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch --- libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch 1969-12-31 21:00:00.000000000 -0300 +++ libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch 2019-07-26 17:01:14.000000000 -0300 @@ -0,0 +1,84 @@ +Description: fix heap buffer overflow issue in IMG_pcx.c + Issue known as TALOS-2019-0841, CVE-2019-12218. +Author: Sam Lantinga <slouken@libsdl.org> +Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb +--- a/IMG_pcx.c 2019-07-26 17:35:40.331470589 -0300 ++++ b/IMG_pcx.c 2019-07-26 17:48:45.760965290 -0300 +@@ -98,6 +98,8 @@ + Uint8 *row, *buf = NULL; + char *error = NULL; + int bits, src_bits; ++ int count = 0; ++ Uint8 ch; + + if ( !src ) { + /* The error message has been set in SDL_RWFromFile */ +@@ -146,14 +148,14 @@ + bpl = pcxh.NPlanes * pcxh.BytesPerLine; + if (bpl > surface->pitch) { + error = "bytes per line is too large (corrupt?)"; ++ goto done; + } +- buf = (Uint8 *)SDL_calloc(SDL_max(bpl, surface->pitch), 1); ++ buf = (Uint8 *)SDL_calloc(surface->pitch, 1); + row = (Uint8 *)surface->pixels; + for ( y=0; y<surface->h; ++y ) { + /* decode a scan line to a temporary buffer first */ +- int i, count = 0; +- Uint8 ch; +- Uint8 *dst = (src_bits == 8) ? row : buf; ++ int i; ++ Uint8 *dst = buf; + if ( pcxh.Encoding == 0 ) { + if(!SDL_RWread(src, dst, bpl, 1)) { + error = "file truncated"; +@@ -166,14 +168,15 @@ + error = "file truncated"; + goto done; + } +- if( (ch & 0xc0) == 0xc0) { +- count = ch & 0x3f; +- if(!SDL_RWread(src, &ch, 1, 1)) { ++ if ( ch < 0xc0 ) { ++ count = 1; ++ } else { ++ count = ch - 0xc0; ++ if( !SDL_RWread(src, &ch, 1, 1)) { + error = "file truncated"; + goto done; + } +- } else +- count = 1; ++ } + } + dst[i] = ch; + count--; +@@ -205,10 +208,16 @@ + int x; + dst = row + plane; + for(x = 0; x < width; x++) { ++ if ( dst >= row+surface->pitch ) { ++ error = "decoding out of bounds (corrupt?)"; ++ goto done; ++ } + *dst = *innerSrc++; + dst += pcxh.NPlanes; + } + } ++ } else { ++ SDL_memcpy(row, buf, bpl); + } + + row += surface->pitch; +@@ -225,8 +234,9 @@ + /* look for a 256-colour palette */ + do { + if ( !SDL_RWread(src, &ch, 1, 1)) { +- error = "file truncated"; +- goto done; ++ /* Couldn't find the palette, try the end of the file */ ++ SDL_RWseek(src, -768, RW_SEEK_END); ++ break; + } + } while ( ch != 12 ); + diff -Nru libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-5052.patch libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-5052.patch --- libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-5052.patch 1969-12-31 21:00:00.000000000 -0300 +++ libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-5052.patch 2019-07-26 17:01:14.000000000 -0300 @@ -0,0 +1,15 @@ +Description: fix invalid data read on bpl == -1 + Issue known as TALOS-2019-0821, or CVE-2019-5052. +Author: Sam Lantinga <slouken@libsdl.org> +Origin: upstream, https://hg.libsdl.org/SDL_image/rev/b920be2b3fc6 +--- a/IMG_pcx.c 2019-07-26 17:49:10.472114286 -0300 ++++ b/IMG_pcx.c 2019-07-26 17:50:15.053906715 -0300 +@@ -146,7 +146,7 @@ + goto done; + + bpl = pcxh.NPlanes * pcxh.BytesPerLine; +- if (bpl > surface->pitch) { ++ if (bpl < 0 || bpl > surface->pitch) { + error = "bytes per line is too large (corrupt?)"; + goto done; + } diff -Nru libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-7635.patch libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-7635.patch --- libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-7635.patch 1969-12-31 21:00:00.000000000 -0300 +++ libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-7635.patch 2019-07-26 17:01:14.000000000 -0300 @@ -0,0 +1,59 @@ +Subject: fix Heap-Buffer Overflow in Blit1to4 (IMG_bmp.c) +Author: Sam Lantinga <slouken@libsdl.org> +Origin: upstream, https://hg.libsdl.org/SDL_image/rev/03bd33e8cb49 +--- a/IMG_bmp.c 2019-07-26 18:31:09.387643105 -0300 ++++ b/IMG_bmp.c 2019-07-26 18:31:21.875151518 -0300 +@@ -371,6 +371,14 @@ + ExpandBMP = biBitCount; + biBitCount = 8; + break; ++ case 2: ++ case 3: ++ case 5: ++ case 6: ++ case 7: ++ SDL_SetError("%d-bpp BMP images are not supported", biBitCount); ++ was_error = SDL_TRUE; ++ goto done; + default: + ExpandBMP = 0; + break; +@@ -511,13 +519,19 @@ + if ( i%(8/ExpandBMP) == 0 ) { + if ( !SDL_RWread(src, &pixel, 1, 1) ) { + IMG_SetError("Error reading from BMP"); ++ was_error = SDL_TRUE; ++ goto done; ++ } ++ } ++ bits[i] = (pixel >> shift); ++ if (bits[i] >= biClrUsed) { ++ IMG_SetError("A BMP image contains a pixel with a color out of the palette"); + was_error = SDL_TRUE; + goto done; + } ++ pixel <<= ExpandBMP; + } +- *(bits+i) = (pixel>>shift); +- pixel <<= ExpandBMP; +- } } ++ } + break; + + default: +@@ -526,6 +540,15 @@ + was_error = SDL_TRUE; + goto done; + } ++ if (biBitCount == 8 && palette && biClrUsed < (1 << biBitCount)) { ++ for (i = 0; i < surface->w; ++i) { ++ if (bits[i] >= biClrUsed) { ++ SDL_SetError("A BMP image contains a pixel with a color out of the palette"); ++ was_error = SDL_TRUE; ++ goto done; ++ } ++ } ++ } + #if SDL_BYTEORDER == SDL_BIG_ENDIAN + /* Byte-swap the pixels if needed. Note that the 24bpp + case has already been taken care of above. */ diff -Nru libsdl2-image-2.0.4+dfsg1/debian/patches/IMG_pcx-out-of-bounds.patch libsdl2-image-2.0.4+dfsg1/debian/patches/IMG_pcx-out-of-bounds.patch --- libsdl2-image-2.0.4+dfsg1/debian/patches/IMG_pcx-out-of-bounds.patch 1969-12-31 21:00:00.000000000 -0300 +++ libsdl2-image-2.0.4+dfsg1/debian/patches/IMG_pcx-out-of-bounds.patch 2019-07-26 17:01:14.000000000 -0300 @@ -0,0 +1,71 @@ +Description: fix multiple OOB issues in IMG_pcx.c + This patches addresses following issues: CVE-2019-12222, CVE-2019-12221, + CVE-2019-12220, CVE-2019-12219 and CVE-2019-12217. +Author: Sam Lantinga <slouken@libsdl.org>, Hugo Lefeuvre <hle@debian.org> +Origin: upstream, https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34 +--- a/IMG_pcx.c 2019-07-26 18:04:15.542455425 -0300 ++++ b/IMG_pcx.c 2019-07-26 18:04:54.585211727 -0300 +@@ -146,18 +146,17 @@ + goto done; + + bpl = pcxh.NPlanes * pcxh.BytesPerLine; +- if (bpl < 0 || bpl > surface->pitch) { +- error = "bytes per line is too large (corrupt?)"; ++ buf = (Uint8 *)SDL_calloc(bpl, 1); ++ if ( !buf ) { ++ error = "Out of memory"; + goto done; + } +- buf = (Uint8 *)SDL_calloc(surface->pitch, 1); + row = (Uint8 *)surface->pixels; + for ( y=0; y<surface->h; ++y ) { + /* decode a scan line to a temporary buffer first */ + int i; +- Uint8 *dst = buf; + if ( pcxh.Encoding == 0 ) { +- if(!SDL_RWread(src, dst, bpl, 1)) { ++ if(!SDL_RWread(src, buf, bpl, 1)) { + error = "file truncated"; + goto done; + } +@@ -178,7 +177,7 @@ + } + } + } +- dst[i] = ch; ++ buf[i] = ch; + count--; + } + } +@@ -200,13 +199,21 @@ + } + } + } ++ } else if ( src_bits == 8 ) { ++ /* directly copy buf content to row */ ++ Uint8 *innerSrc = buf; ++ int x; ++ Uint8 *dst = row; ++ for ( x = 0; x < width; x++ ) { ++ *dst++ = *innerSrc++; ++ } + } else if(src_bits == 24) { + /* de-interlace planes */ + Uint8 *innerSrc = buf; + int plane; + for(plane = 0; plane < pcxh.NPlanes; plane++) { + int x; +- dst = row + plane; ++ Uint8 *dst = row + plane; + for(x = 0; x < width; x++) { + if ( dst >= row+surface->pitch ) { + error = "decoding out of bounds (corrupt?)"; +@@ -216,8 +223,6 @@ + dst += pcxh.NPlanes; + } + } +- } else { +- SDL_memcpy(row, buf, bpl); + } + + row += surface->pitch; diff -Nru libsdl2-image-2.0.4+dfsg1/debian/patches/series libsdl2-image-2.0.4+dfsg1/debian/patches/series --- libsdl2-image-2.0.4+dfsg1/debian/patches/series 1969-12-31 21:00:00.000000000 -0300 +++ libsdl2-image-2.0.4+dfsg1/debian/patches/series 2019-07-26 16:59:47.000000000 -0300 @@ -0,0 +1,4 @@ +CVE-2019-12218.patch +CVE-2019-5052.patch +IMG_pcx-out-of-bounds.patch +CVE-2019-7635.patchAttachment: signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 930795-done@bugs.debian.org, 931126-done@bugs.debian.org, 931198-done@bugs.debian.org, 931199-done@bugs.debian.org, 931358-done@bugs.debian.org, 931596-done@bugs.debian.org, 931608-done@bugs.debian.org, 931615-done@bugs.debian.org, 931616-done@bugs.debian.org, 931724-done@bugs.debian.org, 931817-done@bugs.debian.org, 931967-done@bugs.debian.org, 932009-done@bugs.debian.org, 932030-done@bugs.debian.org, 932069-done@bugs.debian.org, 932111-done@bugs.debian.org, 932193-done@bugs.debian.org, 932318-done@bugs.debian.org, 932335-done@bugs.debian.org, 932441-done@bugs.debian.org, 932448-done@bugs.debian.org, 932518-done@bugs.debian.org, 932522-done@bugs.debian.org, 932588-done@bugs.debian.org, 932606-done@bugs.debian.org, 932684-done@bugs.debian.org, 932790-done@bugs.debian.org, 932945-done@bugs.debian.org, 933036-done@bugs.debian.org, 933125-done@bugs.debian.org, 933147-done@bugs.debian.org, 933175-done@bugs.debian.org, 933369-done@bugs.debian.org, 933379-done@bugs.debian.org, 933392-done@bugs.debian.org, 933535-done@bugs.debian.org, 933754-done@bugs.debian.org, 933764-done@bugs.debian.org, 933769-done@bugs.debian.org, 933787-done@bugs.debian.org, 933899-done@bugs.debian.org, 933911-done@bugs.debian.org, 933976-done@bugs.debian.org, 934094-done@bugs.debian.org, 934163-done@bugs.debian.org, 934183-done@bugs.debian.org, 934308-done@bugs.debian.org, 934311-done@bugs.debian.org, 934329-done@bugs.debian.org, 934343-done@bugs.debian.org, 934345-done@bugs.debian.org, 934507-done@bugs.debian.org, 934537-done@bugs.debian.org, 934650-done@bugs.debian.org, 934689-done@bugs.debian.org, 934704-done@bugs.debian.org, 934826-done@bugs.debian.org, 934827-done@bugs.debian.org, 934928-done@bugs.debian.org, 934934-done@bugs.debian.org, 934956-done@bugs.debian.org, 935137-done@bugs.debian.org, 935165-done@bugs.debian.org, 935200-done@bugs.debian.org, 935253-done@bugs.debian.org, 935261-done@bugs.debian.org, 935265-done@bugs.debian.org, 935308-done@bugs.debian.org, 935370-done@bugs.debian.org, 935386-done@bugs.debian.org, 935411-done@bugs.debian.org, 935465-done@bugs.debian.org, 935474-done@bugs.debian.org, 935479-done@bugs.debian.org, 935480-done@bugs.debian.org, 935576-done@bugs.debian.org, 935583-done@bugs.debian.org, 935704-done@bugs.debian.org, 935707-done@bugs.debian.org, 935719-done@bugs.debian.org, 935746-done@bugs.debian.org, 935770-done@bugs.debian.org, 935776-done@bugs.debian.org, 935809-done@bugs.debian.org, 935815-done@bugs.debian.org, 935827-done@bugs.debian.org, 935888-done@bugs.debian.org, 935957-done@bugs.debian.org, 935988-done@bugs.debian.org, 936022-done@bugs.debian.org, 936056-done@bugs.debian.org, 938954-done@bugs.debian.org, 938975-done@bugs.debian.org, 939019-done@bugs.debian.org
- Cc: 935588@bugs.debian.org
- Subject: Closing bugs for fixes including in 10.1 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 07 Sep 2019 14:34:49 +0100
- Message-id: <[🔎] f49e2985d8466065c49c03185c24465a32228fb5.camel@adam-barratt.org.uk>
Version: 10.1 Hi, The fixes referenced by each of these bugs were included in today's buster point release. Regards, Adam
--- End Message ---