[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#933147: marked as done (buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1)

Your message dated Sat, 07 Sep 2019 14:34:49 +0100
with message-id <[🔎] f49e2985d8466065c49c03185c24465a32228fb5.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes including in 10.1 point release
has caused the Debian Bug report #933147,
regarding buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
933147: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933147
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

libsdl2-image is currently affected by the following security issues:

* CVE-2019-5052: integer overflow and subsequent buffer overflow in
  IMG_pcx.c.

* CVE-2019-5051: heap-based buffer overflow in IMG_pcx.c.

* CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).

* CVE-2019-12216, CVE-2019-12217,
  CVE-2019-12218, CVE-2019-12219,
  CVE-2019-12220, CVE-2019-12221,
  CVE-2019-12222: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).

(for more information, see #932754)

Attached is a debdiff addressing all of them for buster.

All of these patches are from upstream, I have removed whitespace changes
and non security related refactoring.

thanks!

cheers,
Hugo

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

diff -Nru libsdl2-image-2.0.4+dfsg1/debian/changelog libsdl2-image-2.0.4+dfsg1/debian/changelog
--- libsdl2-image-2.0.4+dfsg1/debian/changelog	2019-02-03 08:59:26.000000000 -0200
+++ libsdl2-image-2.0.4+dfsg1/debian/changelog	2019-07-26 17:01:14.000000000 -0300
@@ -1,3 +1,17 @@
+libsdl2-image (2.0.4+dfsg1-1+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * Multiple security issues (Closes: #932754):
+    - CVE-2019-5052: integer overflow and subsequent buffer overflow in
+      IMG_pcx.c.
+    - CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+    - CVE-2019-12216, CVE-2019-12217,
+      CVE-2019-12218, CVE-2019-12219,
+      CVE-2019-12220, CVE-2019-12221,
+      CVE-2019-12222, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre <hle@debian.org>  Fri, 26 Jul 2019 17:01:14 -0300
+
 libsdl2-image (2.0.4+dfsg1-1) unstable; urgency=medium
 
   * New upstream version.
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch
--- libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch	1969-12-31 21:00:00.000000000 -0300
+++ libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch	2019-07-26 17:01:14.000000000 -0300
@@ -0,0 +1,84 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga <slouken@libsdl.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c	2019-07-26 17:35:40.331470589 -0300
++++ b/IMG_pcx.c	2019-07-26 17:48:45.760965290 -0300
+@@ -98,6 +98,8 @@
+     Uint8 *row, *buf = NULL;
+     char *error = NULL;
+     int bits, src_bits;
++    int count = 0;
++    Uint8 ch;
+ 
+     if ( !src ) {
+         /* The error message has been set in SDL_RWFromFile */
+@@ -146,14 +148,14 @@
+     bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+     if (bpl > surface->pitch) {
+         error = "bytes per line is too large (corrupt?)";
++        goto done;
+     }
+-    buf = (Uint8 *)SDL_calloc(SDL_max(bpl, surface->pitch), 1);
++    buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+     row = (Uint8 *)surface->pixels;
+     for ( y=0; y<surface->h; ++y ) {
+         /* decode a scan line to a temporary buffer first */
+-        int i, count = 0;
+-        Uint8 ch;
+-        Uint8 *dst = (src_bits == 8) ? row : buf;
++        int i;
++        Uint8 *dst = buf;
+         if ( pcxh.Encoding == 0 ) {
+             if(!SDL_RWread(src, dst, bpl, 1)) {
+                 error = "file truncated";
+@@ -166,14 +168,15 @@
+                         error = "file truncated";
+                         goto done;
+                     }
+-                    if( (ch & 0xc0) == 0xc0) {
+-                        count = ch & 0x3f;
+-                        if(!SDL_RWread(src, &ch, 1, 1)) {
++                    if ( ch < 0xc0 ) {
++                        count = 1;
++                    } else {
++                        count = ch - 0xc0;
++                        if( !SDL_RWread(src, &ch, 1, 1)) {
+                             error = "file truncated";
+                             goto done;
+                         }
+-                    } else
+-                        count = 1;
++                    }
+                 }
+                 dst[i] = ch;
+                 count--;
+@@ -205,10 +208,16 @@
+                 int x;
+                 dst = row + plane;
+                 for(x = 0; x < width; x++) {
++                    if ( dst >= row+surface->pitch ) {
++                        error = "decoding out of bounds (corrupt?)";
++                        goto done;
++                    }
+                     *dst = *innerSrc++;
+                     dst += pcxh.NPlanes;
+                 }
+             }
++        } else {
++            SDL_memcpy(row, buf, bpl);
+         }
+ 
+         row += surface->pitch;
+@@ -225,8 +234,9 @@
+             /* look for a 256-colour palette */
+             do {
+                 if ( !SDL_RWread(src, &ch, 1, 1)) {
+-                    error = "file truncated";
+-                    goto done;
++                    /* Couldn't find the palette, try the end of the file */
++                    SDL_RWseek(src, -768, RW_SEEK_END);
++                    break;
+                 }
+             } while ( ch != 12 );
+ 
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-5052.patch libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-5052.patch
--- libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-5052.patch	1969-12-31 21:00:00.000000000 -0300
+++ libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-5052.patch	2019-07-26 17:01:14.000000000 -0300
@@ -0,0 +1,15 @@
+Description: fix invalid data read on bpl == -1
+ Issue known as TALOS-2019-0821, or CVE-2019-5052.
+Author: Sam Lantinga <slouken@libsdl.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/b920be2b3fc6
+--- a/IMG_pcx.c	2019-07-26 17:49:10.472114286 -0300
++++ b/IMG_pcx.c	2019-07-26 17:50:15.053906715 -0300
+@@ -146,7 +146,7 @@
+         goto done;
+ 
+     bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+-    if (bpl > surface->pitch) {
++    if (bpl < 0 || bpl > surface->pitch) {
+         error = "bytes per line is too large (corrupt?)";
+         goto done;
+     }
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-7635.patch libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-7635.patch
--- libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-7635.patch	1969-12-31 21:00:00.000000000 -0300
+++ libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-7635.patch	2019-07-26 17:01:14.000000000 -0300
@@ -0,0 +1,59 @@
+Subject: fix Heap-Buffer Overflow in Blit1to4 (IMG_bmp.c)
+Author: Sam Lantinga <slouken@libsdl.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/03bd33e8cb49
+--- a/IMG_bmp.c	2019-07-26 18:31:09.387643105 -0300
++++ b/IMG_bmp.c	2019-07-26 18:31:21.875151518 -0300
+@@ -371,6 +371,14 @@
+             ExpandBMP = biBitCount;
+             biBitCount = 8;
+             break;
++        case 2:
++        case 3:
++        case 5:
++        case 6:
++        case 7:
++            SDL_SetError("%d-bpp BMP images are not supported", biBitCount);
++            was_error = SDL_TRUE;
++            goto done;
+         default:
+             ExpandBMP = 0;
+             break;
+@@ -511,13 +519,19 @@
+                 if ( i%(8/ExpandBMP) == 0 ) {
+                     if ( !SDL_RWread(src, &pixel, 1, 1) ) {
+                         IMG_SetError("Error reading from BMP");
++                            was_error = SDL_TRUE;
++                            goto done;
++                        }
++                    }
++                    bits[i] = (pixel >> shift);
++                    if (bits[i] >= biClrUsed) {
++                        IMG_SetError("A BMP image contains a pixel with a color out of the palette");
+                         was_error = SDL_TRUE;
+                         goto done;
+                     }
++                    pixel <<= ExpandBMP;
+                 }
+-                *(bits+i) = (pixel>>shift);
+-                pixel <<= ExpandBMP;
+-            } }
++            }
+             break;
+ 
+             default:
+@@ -526,6 +540,15 @@
+                 was_error = SDL_TRUE;
+                 goto done;
+             }
++            if (biBitCount == 8 && palette && biClrUsed < (1 << biBitCount)) {
++                for (i = 0; i < surface->w; ++i) {
++                    if (bits[i] >= biClrUsed) {
++                        SDL_SetError("A BMP image contains a pixel with a color out of the palette");
++                        was_error = SDL_TRUE;
++                        goto done;
++                    }
++                }
++            }
+ #if SDL_BYTEORDER == SDL_BIG_ENDIAN
+             /* Byte-swap the pixels if needed. Note that the 24bpp
+                case has already been taken care of above. */
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/patches/IMG_pcx-out-of-bounds.patch libsdl2-image-2.0.4+dfsg1/debian/patches/IMG_pcx-out-of-bounds.patch
--- libsdl2-image-2.0.4+dfsg1/debian/patches/IMG_pcx-out-of-bounds.patch	1969-12-31 21:00:00.000000000 -0300
+++ libsdl2-image-2.0.4+dfsg1/debian/patches/IMG_pcx-out-of-bounds.patch	2019-07-26 17:01:14.000000000 -0300
@@ -0,0 +1,71 @@
+Description: fix multiple OOB issues in IMG_pcx.c
+ This patches addresses following issues: CVE-2019-12222, CVE-2019-12221,
+ CVE-2019-12220, CVE-2019-12219 and CVE-2019-12217.
+Author: Sam Lantinga <slouken@libsdl.org>, Hugo Lefeuvre <hle@debian.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34
+--- a/IMG_pcx.c	2019-07-26 18:04:15.542455425 -0300
++++ b/IMG_pcx.c	2019-07-26 18:04:54.585211727 -0300
+@@ -146,18 +146,17 @@
+         goto done;
+ 
+     bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+-    if (bpl < 0 || bpl > surface->pitch) {
+-        error = "bytes per line is too large (corrupt?)";
++    buf = (Uint8 *)SDL_calloc(bpl, 1);
++    if ( !buf ) {
++        error = "Out of memory";
+         goto done;
+     }
+-    buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+     row = (Uint8 *)surface->pixels;
+     for ( y=0; y<surface->h; ++y ) {
+         /* decode a scan line to a temporary buffer first */
+         int i;
+-        Uint8 *dst = buf;
+         if ( pcxh.Encoding == 0 ) {
+-            if(!SDL_RWread(src, dst, bpl, 1)) {
++            if(!SDL_RWread(src, buf, bpl, 1)) {
+                 error = "file truncated";
+                 goto done;
+             }
+@@ -178,7 +177,7 @@
+                         }
+                     }
+                 }
+-                dst[i] = ch;
++                buf[i] = ch;
+                 count--;
+             }
+         }
+@@ -200,13 +199,21 @@
+                     }
+                 }
+             }
++        } else if ( src_bits == 8 ) {
++            /* directly copy buf content to row */
++            Uint8 *innerSrc = buf;
++            int x;
++            Uint8 *dst = row;
++            for ( x = 0; x < width; x++ ) {
++                *dst++ = *innerSrc++;
++            }
+         } else if(src_bits == 24) {
+             /* de-interlace planes */
+             Uint8 *innerSrc = buf;
+             int plane;
+             for(plane = 0; plane < pcxh.NPlanes; plane++) {
+                 int x;
+-                dst = row + plane;
++                Uint8 *dst = row + plane;
+                 for(x = 0; x < width; x++) {
+                     if ( dst >= row+surface->pitch ) {
+                         error = "decoding out of bounds (corrupt?)";
+@@ -216,8 +223,6 @@
+                     dst += pcxh.NPlanes;
+                 }
+             }
+-        } else {
+-            SDL_memcpy(row, buf, bpl);
+         }
+ 
+         row += surface->pitch;
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/patches/series libsdl2-image-2.0.4+dfsg1/debian/patches/series
--- libsdl2-image-2.0.4+dfsg1/debian/patches/series	1969-12-31 21:00:00.000000000 -0300
+++ libsdl2-image-2.0.4+dfsg1/debian/patches/series	2019-07-26 16:59:47.000000000 -0300
@@ -0,0 +1,4 @@
+CVE-2019-12218.patch
+CVE-2019-5052.patch
+IMG_pcx-out-of-bounds.patch
+CVE-2019-7635.patch

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message --- 
Version: 10.1

Hi,

The fixes referenced by each of these bugs were included in today's
buster point release.

Regards,

Adam

--- End Message ---
Reply to: