[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#936056: marked as done (buster-pu: package sdl-image1.2/1.2.12-10+deb10u1)

Your message dated Sat, 07 Sep 2019 14:34:49 +0100
with message-id <[🔎] f49e2985d8466065c49c03185c24465a32228fb5.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes including in 10.1 point release
has caused the Debian Bug report #936056,
regarding buster-pu: package sdl-image1.2/1.2.12-10+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
936056: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936056
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-CC: team@security.debian.org

Hi,

sdl-image1.2 is affected by a number of security issues in buster. Impact is
quite minor, but it would still be nice to get them fixed.

Attached is a debdiff addressing most of them for buster.

libsdl2-image 2.0.4+dfsg1+deb10u1 and 2.0.1+dfsg-2+deb9u2 have already been
accepted in stretch-pu and buster-pu, those are the same issues and the same
patches.

(I initially intended to submit -pu requests for both sdl-image1.2 and libsdl2
at the same time, but for a number of reasons sdl-image1.2 was delayed)

This is essentially the same update as 1.2.12-5+deb9u2, see #936051.

thanks!

cheers,
Hugo

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

diff -Nru sdl-image1.2-1.2.12/debian/changelog sdl-image1.2-1.2.12/debian/changelog
--- sdl-image1.2-1.2.12/debian/changelog	2018-11-04 18:58:30.000000000 -0500
+++ sdl-image1.2-1.2.12/debian/changelog	2019-08-29 08:51:05.000000000 -0400
@@ -1,3 +1,17 @@
+sdl-image1.2 (1.2.12-10+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2019-5058: Fix CVE-2018-3977.patch from previous upload: check should
+    be done for y, not ty (Closes: #932755).
+  * CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c.
+  * CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+  * CVE-2019-12216, CVE-2019-12217,
+    CVE-2019-12218, CVE-2019-12219,
+    CVE-2019-12220, CVE-2019-12221,
+    CVE-2019-12222, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre <hle@debian.org>  Thu, 29 Aug 2019 08:51:05 -0400
+
 sdl-image1.2 (1.2.12-10) unstable; urgency=medium
 
   * Non-maintainer upload with permission of maintainers.
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch	2018-11-04 18:58:30.000000000 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch	2019-08-29 08:51:05.000000000 -0400
@@ -9,15 +9,13 @@
  IMG_xcf.c | 3 +++
  1 file changed, 3 insertions(+)
 
-diff --git a/IMG_xcf.c b/IMG_xcf.c
-index 064e641..93b6929 100644
---- a/IMG_xcf.c
-+++ b/IMG_xcf.c
-@@ -634,6 +634,9 @@ static int do_layer_surface (SDL_Surface * surface, SDL_RWops * src, xcf_header
+--- a/IMG_xcf.c	2019-08-29 09:34:10.888355386 -0400
++++ b/IMG_xcf.c	2019-08-29 09:34:37.702747635 -0400
+@@ -634,6 +634,9 @@
        p16 = (Uint16 *) p8;
        p   = (Uint32 *) p8;
        for (y=ty; y < ty+oy; y++) {
-+	if ((ty >= surface->h) || ((tx+ox) > surface->w)) {
++	if ((y >= surface->h) || ((tx+ox) > surface->w)) {
 +		break;
 +	}
  	row = (Uint32 *)((Uint8 *)surface->pixels + y*surface->pitch + tx*4);
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	1969-12-31 19:00:00.000000000 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	2019-08-29 08:49:56.000000000 -0400
@@ -0,0 +1,83 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga <slouken@libsdl.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c	2019-07-23 11:28:25.847897628 -0300
++++ b/IMG_pcx.c	2019-07-23 11:43:07.748441381 -0300
+@@ -100,6 +100,8 @@
+ 	Uint8 *row, *buf = NULL;
+ 	char *error = NULL;
+ 	int bits, src_bits;
++	int count = 0;
++	Uint8 ch;
+ 
+ 	if ( !src ) {
+ 		/* The error message has been set in SDL_RWFromFile */
+@@ -148,14 +150,14 @@
+ 	bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ 	if (bpl > surface->pitch) {
+ 		error = "bytes per line is too large (corrupt?)";
++		goto done;
+ 	}
+-	buf = calloc(SDL_max(bpl, surface->pitch), 1);
++	buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ 	row = surface->pixels;
+ 	for ( y=0; y<surface->h; ++y ) {
+ 		/* decode a scan line to a temporary buffer first */
+-		int i, count = 0;
+-		Uint8 ch;
+-		Uint8 *dst = (src_bits == 8) ? row : buf;
++		int i;
++		Uint8 *dst = buf;
+ 		if ( pcxh.Encoding == 0 ) {
+ 			if(!SDL_RWread(src, dst, bpl, 1)) {
+ 				error = "file truncated";
+@@ -168,14 +170,15 @@
+ 						error = "file truncated";
+ 						goto done;
+ 					}
+-					if( (ch & 0xc0) == 0xc0) {
+-						count = ch & 0x3f;
++					if( ch < 0xc0) {
++						count = 1;
++					} else {
++						count = ch - 0xc0;
+ 						if(!SDL_RWread(src, &ch, 1, 1)) {
+ 							error = "file truncated";
+ 							goto done;
+ 						}
+-					} else
+-						count = 1;
++					}
+ 				}
+ 				dst[i] = ch;
+ 				count--;
+@@ -207,10 +210,16 @@
+ 				int x;
+ 				dst = row + plane;
+ 				for(x = 0; x < width; x++) {
++					if ( dst >= row+surface->pitch ) {
++						error = "decoding out of bounds (corrupt?)";
++						goto done;
++					}
+ 					*dst = *src++;
+ 					dst += pcxh.NPlanes;
+ 				}
+ 			}
++		} else {
++			SDL_memcpy(row, buf, bpl);
+ 		}
+ 
+ 		row += surface->pitch;
+@@ -227,8 +236,9 @@
+ 			/* look for a 256-colour palette */
+ 			do {
+ 				if ( !SDL_RWread(src, &ch, 1, 1)) {
+-					error = "file truncated";
+-					goto done;
++					/* Couldn't find the palette, try the end of the file */
++					SDL_RWseek(src, -768, RW_SEEK_END);
++					break;
+ 				}
+ 			} while ( ch != 12 );
+ 
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch	1969-12-31 19:00:00.000000000 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch	2019-08-29 08:49:56.000000000 -0400
@@ -0,0 +1,15 @@
+Description: fix invalid data read on bpl == -1
+ Issue known as TALOS-2019-0821, or CVE-2019-5052.
+Author: Sam Lantinga <slouken@libsdl.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/b920be2b3fc6
+--- a/IMG_pcx.c	2019-07-23 11:55:37.921487131 -0300
++++ b/IMG_pcx.c	2019-07-23 11:55:46.429453620 -0300
+@@ -148,7 +148,7 @@
+ 		goto done;
+ 
+ 	bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+-	if (bpl > surface->pitch) {
++	if (bpl < 0 || bpl > surface->pitch) {
+ 		error = "bytes per line is too large (corrupt?)";
+ 		goto done;
+ 	}
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-7635.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-7635.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-7635.patch	1969-12-31 19:00:00.000000000 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-7635.patch	2019-08-29 08:49:56.000000000 -0400
@@ -0,0 +1,65 @@
+Subject: fix Heap-Buffer Overflow in Blit1to4 (IMG_bmp.c)
+Author: Sam Lantinga <slouken@libsdl.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/03bd33e8cb49
+--- a/IMG_bmp.c	2019-07-23 11:59:17.032624113 -0300
++++ b/IMG_bmp.c	2019-07-23 12:01:39.804061761 -0300
+@@ -292,6 +292,14 @@
+ 			ExpandBMP = biBitCount;
+ 			biBitCount = 8;
+ 			break;
++		case 2:
++		case 3:
++		case 5:
++		case 6:
++		case 7:
++			IMG_SetError("%d-bpp BMP images are not supported", biBitCount);
++			was_error = SDL_TRUE;
++			goto done;
+ 		default:
+ 			ExpandBMP = 0;
+ 			break;
+@@ -444,7 +452,12 @@
+ 						goto done;
+ 					}
+ 				}
+-				*(bits+i) = (pixel>>shift);
++				bits[i] = (pixel >> shift);
++				if (bits[i] >= biClrUsed) {
++					IMG_SetError("A BMP image contains a pixel with a color out of the palette");
++					was_error = SDL_TRUE;
++					goto done;
++				}
+ 				pixel <<= ExpandBMP;
+ 			} }
+ 			break;
+@@ -456,6 +469,15 @@
+ 				was_error = SDL_TRUE;
+ 				goto done;
+ 			}
++			if (biBitCount == 8 && palette && biClrUsed < (1 << biBitCount)) {
++				for (i = 0; i < surface->w; ++i) {
++					if (bits[i] >= biClrUsed) {
++						IMG_SetError("A BMP image contains a pixel with a color out of the palette");
++						was_error = SDL_TRUE;
++						goto done;
++					}
++				}
++			}
+ #if SDL_BYTEORDER == SDL_BIG_ENDIAN
+ 			/* Byte-swap the pixels if needed. Note that the 24bpp
+ 			   case has already been taken care of above. */
+@@ -650,6 +672,14 @@
+             Bmask = 0x000000FF;
+             ExpandBMP = 0;
+             break;
++        case 2:
++        case 3:
++        case 5:
++        case 6:
++        case 7:
++            SDL_SetError("%d-bpp BMP images are not supported", biBitCount);
++            was_error = SDL_TRUE;
++            goto done;
+         default:
+             IMG_SetError("ICO file with unsupported bit count");
+             was_error = SDL_TRUE;
diff -Nru sdl-image1.2-1.2.12/debian/patches/IMG_pcx-out-of-bounds.patch sdl-image1.2-1.2.12/debian/patches/IMG_pcx-out-of-bounds.patch
--- sdl-image1.2-1.2.12/debian/patches/IMG_pcx-out-of-bounds.patch	1969-12-31 19:00:00.000000000 -0500
+++ sdl-image1.2-1.2.12/debian/patches/IMG_pcx-out-of-bounds.patch	2019-08-29 08:49:56.000000000 -0400
@@ -0,0 +1,71 @@
+Description: fix multiple OOB issues in IMG_pcx.c
+ This patches addresses following issues: CVE-2019-12222, CVE-2019-12221,
+ CVE-2019-12220, CVE-2019-12219 and CVE-2019-12217.
+Author: Sam Lantinga <slouken@libsdl.org>, Hugo Lefeuvre <hle@debian.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34
+--- a/IMG_pcx.c	2019-07-23 11:56:00.765397153 -0300
++++ b/IMG_pcx.c	2019-07-23 11:51:23.082490857 -0300
+@@ -148,18 +148,17 @@
+ 		goto done;
+ 
+ 	bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+-	if (bpl < 0 || bpl > surface->pitch) {
+-		error = "bytes per line is too large (corrupt?)";
++	buf = (Uint8 *)SDL_calloc(bpl, 1);
++	if ( !buf ) {
++		error = "Out of memory";
+ 		goto done;
+ 	}
+-	buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ 	row = surface->pixels;
+ 	for ( y=0; y<surface->h; ++y ) {
+ 		/* decode a scan line to a temporary buffer first */
+ 		int i;
+-		Uint8 *dst = buf;
+ 		if ( pcxh.Encoding == 0 ) {
+-			if(!SDL_RWread(src, dst, bpl, 1)) {
++			if(!SDL_RWread(src, buf, bpl, 1)) {
+ 				error = "file truncated";
+ 				goto done;
+ 			}
+@@ -180,7 +179,7 @@
+ 						}
+ 					}
+ 				}
+-				dst[i] = ch;
++				buf[i] = ch;
+ 				count--;
+ 			}
+ 		}
+@@ -202,13 +201,21 @@
+ 					}
+ 				}
+ 			}
++		} else if ( src_bits == 8 ) {
++			/* directly copy buf content to row */
++			Uint8 *innerSrc = buf;
++			int x;
++			Uint8 *dst = row;
++			for ( x = 0; x < width; x++ ) {
++				*dst++ = *innerSrc++;
++			}
+  		} else if(src_bits == 24) {
+ 			/* de-interlace planes */
+ 			Uint8 *src = buf;
+ 			int plane;
+ 			for(plane = 0; plane < pcxh.NPlanes; plane++) {
+ 				int x;
+-				dst = row + plane;
++				Uint8 *dst = row + plane;
+ 				for(x = 0; x < width; x++) {
+ 					if ( dst >= row+surface->pitch ) {
+ 						error = "decoding out of bounds (corrupt?)";
+@@ -218,8 +225,6 @@
+ 					dst += pcxh.NPlanes;
+ 				}
+ 			}
+-		} else {
+-			SDL_memcpy(row, buf, bpl);
+ 		}
+ 
+ 		row += surface->pitch;
diff -Nru sdl-image1.2-1.2.12/debian/patches/series sdl-image1.2-1.2.12/debian/patches/series
--- sdl-image1.2-1.2.12/debian/patches/series	2018-11-04 18:58:30.000000000 -0500
+++ sdl-image1.2-1.2.12/debian/patches/series	2019-08-29 08:51:05.000000000 -0400
@@ -10,3 +10,8 @@
 CVE-2018-3838.patch
 CVE-2018-3839.patch
 CVE-2018-3977.patch
+
+CVE-2019-12218.patch
+CVE-2019-5052.patch
+IMG_pcx-out-of-bounds.patch
+CVE-2019-7635.patch

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message --- 
Version: 10.1

Hi,

The fixes referenced by each of these bugs were included in today's
buster point release.

Regards,

Adam

--- End Message ---
Reply to: