Your message dated Sat, 07 Sep 2019 14:34:49 +0100 with message-id <f49e2985d8466065c49c03185c24465a32228fb5.camel@adam-barratt.org.uk> and subject line Closing bugs for fixes including in 10.1 point release has caused the Debian Bug report #936056, regarding buster-pu: package sdl-image1.2/1.2.12-10+deb10u1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
936056: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936056
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: buster-pu: package sdl-image1.2/1.2.12-10+deb10u1
- From: Hugo Lefeuvre <hle@debian.org>
- Date: Thu, 29 Aug 2019 09:45:52 -0400
- Message-id: <20190829134552.eprvw355atm7etfe@behemoth.owl.eu.com.local>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-CC: team@security.debian.org

Hi,

sdl-image1.2 is affected by a number of security issues in buster. Impact is quite minor, but it would still be nice to get them fixed.

Attached is a debdiff addressing most of them for buster.

libsdl2-image 2.0.4+dfsg1+deb10u1 and 2.0.1+dfsg-2+deb9u2 have already been accepted in stretch-pu and buster-pu, those are the same issues and the same patches. (I initially intended to submit -pu requests for both sdl-image1.2 and libsdl2 at the same time, but for a number of reasons sdl-image1.2 was delayed)

This is essentially the same update as 1.2.12-5+deb9u2, see #936051.

thanks!

cheers,
Hugo

--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

diff -Nru sdl-image1.2-1.2.12/debian/changelog sdl-image1.2-1.2.12/debian/changelog --- sdl-image1.2-1.2.12/debian/changelog 2018-11-04 18:58:30.000000000 -0500 +++ sdl-image1.2-1.2.12/debian/changelog 2019-08-29 08:51:05.000000000 -0400 
@@ -1,3 +1,17 @@ +sdl-image1.2 (1.2.12-10+deb10u1) buster; urgency=medium + + * Non-maintainer upload. + * CVE-2019-5058: Fix CVE-2018-3977.patch from previous upload: check should + be done for y, not ty (Closes: #932755). + * CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c. + * CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c). + * CVE-2019-12216, CVE-2019-12217, + CVE-2019-12218, CVE-2019-12219, + CVE-2019-12220, CVE-2019-12221, + CVE-2019-12222, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c). + + -- Hugo Lefeuvre <hle@debian.org> Thu, 29 Aug 2019 08:51:05 -0400 + sdl-image1.2 (1.2.12-10) unstable; urgency=medium * Non-maintainer upload with permission of maintainers. diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch --- sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch 2018-11-04 18:58:30.000000000 -0500 +++ sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch 2019-08-29 08:51:05.000000000 -0400 
@@ -9,15 +9,13 @@ IMG_xcf.c | 3 +++ 1 file changed, 3 insertions(+) -diff --git a/IMG_xcf.c b/IMG_xcf.c -index 064e641..93b6929 100644 ---- a/IMG_xcf.c -+++ b/IMG_xcf.c -@@ -634,6 +634,9 @@ static int do_layer_surface (SDL_Surface * surface, SDL_RWops * src, xcf_header +--- a/IMG_xcf.c 2019-08-29 09:34:10.888355386 -0400 ++++ b/IMG_xcf.c 2019-08-29 09:34:37.702747635 -0400 +@@ -634,6 +634,9 @@ p16 = (Uint16 *) p8; p = (Uint32 *) p8; for (y=ty; y < ty+oy; y++) { -+ if ((ty >= surface->h) || ((tx+ox) > surface->w)) { ++ if ((y >= surface->h) || ((tx+ox) > surface->w)) { + break; + } row = (Uint32 *)((Uint8 *)surface->pixels + y*surface->pitch + tx*4); diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch --- sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch 1969-12-31 19:00:00.000000000 -0500 +++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch 2019-08-29 08:49:56.000000000 -0400 
@@ -0,0 +1,83 @@ +Description: fix heap buffer overflow issue in IMG_pcx.c + Issue known as TALOS-2019-0841, CVE-2019-12218. +Author: Sam Lantinga <slouken@libsdl.org> +Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb +--- a/IMG_pcx.c 2019-07-23 11:28:25.847897628 -0300 ++++ b/IMG_pcx.c 2019-07-23 11:43:07.748441381 -0300 +@@ -100,6 +100,8 @@ + Uint8 *row, *buf = NULL; + char *error = NULL; + int bits, src_bits; ++ int count = 0; ++ Uint8 ch; + + if ( !src ) { + /* The error message has been set in SDL_RWFromFile */ +@@ -148,14 +150,14 @@ + bpl = pcxh.NPlanes * pcxh.BytesPerLine; + if (bpl > surface->pitch) { + error = "bytes per line is too large (corrupt?)"; ++ goto done; + } +- buf = calloc(SDL_max(bpl, surface->pitch), 1); ++ buf = (Uint8 *)SDL_calloc(surface->pitch, 1); + row = surface->pixels; + for ( y=0; y<surface->h; ++y ) { + /* decode a scan line to a temporary buffer first */ +- int i, count = 0; +- Uint8 ch; +- Uint8 *dst = (src_bits == 8) ? row : buf; ++ int i; ++ Uint8 *dst = buf; + if ( pcxh.Encoding == 0 ) { + if(!SDL_RWread(src, dst, bpl, 1)) { + error = "file truncated"; +@@ -168,14 +170,15 @@ + error = "file truncated"; + goto done; + } +- if( (ch & 0xc0) == 0xc0) { +- count = ch & 0x3f; ++ if( ch < 0xc0) { ++ count = 1; ++ } else { ++ count = ch - 0xc0; + if(!SDL_RWread(src, &ch, 1, 1)) { + error = "file truncated"; + goto done; + } +- } else +- count = 1; ++ } + } + dst[i] = ch; + count--; +@@ -207,10 +210,16 @@ + int x; + dst = row + plane; + for(x = 0; x < width; x++) { ++ if ( dst >= row+surface->pitch ) { ++ error = "decoding out of bounds (corrupt?)"; ++ goto done; ++ } + *dst = *src++; + dst += pcxh.NPlanes; + } + } ++ } else { ++ SDL_memcpy(row, buf, bpl); + } + + row += surface->pitch; +@@ -227,8 +236,9 @@ + /* look for a 256-colour palette */ + do { + if ( !SDL_RWread(src, &ch, 1, 1)) { +- error = "file truncated"; +- goto done; ++ /* Couldn't find the palette, try the end of the file */ ++ SDL_RWseek(src, -768, 
RW_SEEK_END); ++ break; + } + } while ( ch != 12 ); + diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch --- sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch 1969-12-31 19:00:00.000000000 -0500 +++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch 2019-08-29 08:49:56.000000000 -0400 @@ -0,0 +1,15 @@ +Description: fix invalid data read on bpl == -1 + Issue known as TALOS-2019-0821, or CVE-2019-5052. +Author: Sam Lantinga <slouken@libsdl.org> +Origin: upstream, https://hg.libsdl.org/SDL_image/rev/b920be2b3fc6 +--- a/IMG_pcx.c 2019-07-23 11:55:37.921487131 -0300 ++++ b/IMG_pcx.c 2019-07-23 11:55:46.429453620 -0300 +@@ -148,7 +148,7 @@ + goto done; + + bpl = pcxh.NPlanes * pcxh.BytesPerLine; +- if (bpl > surface->pitch) { ++ if (bpl < 0 || bpl > surface->pitch) { + error = "bytes per line is too large (corrupt?)"; + goto done; + } diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-7635.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-7635.patch --- sdl-image1.2-1.2.12/debian/patches/CVE-2019-7635.patch 1969-12-31 19:00:00.000000000 -0500 +++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-7635.patch 2019-08-29 08:49:56.000000000 -0400 
@@ -0,0 +1,65 @@ +Subject: fix Heap-Buffer Overflow in Blit1to4 (IMG_bmp.c) +Author: Sam Lantinga <slouken@libsdl.org> +Origin: upstream, https://hg.libsdl.org/SDL_image/rev/03bd33e8cb49 +--- a/IMG_bmp.c 2019-07-23 11:59:17.032624113 -0300 ++++ b/IMG_bmp.c 2019-07-23 12:01:39.804061761 -0300 +@@ -292,6 +292,14 @@ + ExpandBMP = biBitCount; + biBitCount = 8; + break; ++ case 2: ++ case 3: ++ case 5: ++ case 6: ++ case 7: ++ IMG_SetError("%d-bpp BMP images are not supported", biBitCount); ++ was_error = SDL_TRUE; ++ goto done; + default: + ExpandBMP = 0; + break; +@@ -444,7 +452,12 @@ + goto done; + } + } +- *(bits+i) = (pixel>>shift); ++ bits[i] = (pixel >> shift); ++ if (bits[i] >= biClrUsed) { ++ IMG_SetError("A BMP image contains a pixel with a color out of the palette"); ++ was_error = SDL_TRUE; ++ goto done; ++ } + pixel <<= ExpandBMP; + } } + break; +@@ -456,6 +469,15 @@ + was_error = SDL_TRUE; + goto done; + } ++ if (biBitCount == 8 && palette && biClrUsed < (1 << biBitCount)) { ++ for (i = 0; i < surface->w; ++i) { ++ if (bits[i] >= biClrUsed) { ++ IMG_SetError("A BMP image contains a pixel with a color out of the palette"); ++ was_error = SDL_TRUE; ++ goto done; ++ } ++ } ++ } + #if SDL_BYTEORDER == SDL_BIG_ENDIAN + /* Byte-swap the pixels if needed. Note that the 24bpp + case has already been taken care of above. 
*/ +@@ -650,6 +672,14 @@ + Bmask = 0x000000FF; + ExpandBMP = 0; + break; ++ case 2: ++ case 3: ++ case 5: ++ case 6: ++ case 7: ++ SDL_SetError("%d-bpp BMP images are not supported", biBitCount); ++ was_error = SDL_TRUE; ++ goto done; + default: + IMG_SetError("ICO file with unsupported bit count"); + was_error = SDL_TRUE; diff -Nru sdl-image1.2-1.2.12/debian/patches/IMG_pcx-out-of-bounds.patch sdl-image1.2-1.2.12/debian/patches/IMG_pcx-out-of-bounds.patch --- sdl-image1.2-1.2.12/debian/patches/IMG_pcx-out-of-bounds.patch 1969-12-31 19:00:00.000000000 -0500 +++ sdl-image1.2-1.2.12/debian/patches/IMG_pcx-out-of-bounds.patch 2019-08-29 08:49:56.000000000 -0400 
@@ -0,0 +1,71 @@ +Description: fix multiple OOB issues in IMG_pcx.c + This patches addresses following issues: CVE-2019-12222, CVE-2019-12221, + CVE-2019-12220, CVE-2019-12219 and CVE-2019-12217. +Author: Sam Lantinga <slouken@libsdl.org>, Hugo Lefeuvre <hle@debian.org> +Origin: upstream, https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34 +--- a/IMG_pcx.c 2019-07-23 11:56:00.765397153 -0300 ++++ b/IMG_pcx.c 2019-07-23 11:51:23.082490857 -0300 +@@ -148,18 +148,17 @@ + goto done; + + bpl = pcxh.NPlanes * pcxh.BytesPerLine; +- if (bpl < 0 || bpl > surface->pitch) { +- error = "bytes per line is too large (corrupt?)"; ++ buf = (Uint8 *)SDL_calloc(bpl, 1); ++ if ( !buf ) { ++ error = "Out of memory"; + goto done; + } +- buf = (Uint8 *)SDL_calloc(surface->pitch, 1); + row = surface->pixels; + for ( y=0; y<surface->h; ++y ) { + /* decode a scan line to a temporary buffer first */ + int i; +- Uint8 *dst = buf; + if ( pcxh.Encoding == 0 ) { +- if(!SDL_RWread(src, dst, bpl, 1)) { ++ if(!SDL_RWread(src, buf, bpl, 1)) { + error = "file truncated"; + goto done; + } +@@ -180,7 +179,7 @@ + } + } + } +- dst[i] = ch; ++ buf[i] = ch; + count--; + } + } +@@ -202,13 +201,21 @@ + } + } + } ++ } else if ( src_bits == 8 ) { ++ /* directly copy buf content to row */ ++ Uint8 *innerSrc = buf; ++ int x; ++ Uint8 *dst = row; ++ for ( x = 0; x < width; x++ ) { ++ *dst++ = *innerSrc++; ++ } + } else if(src_bits == 24) { + /* de-interlace planes */ + Uint8 *src = buf; + int plane; + for(plane = 0; plane < pcxh.NPlanes; plane++) { + int x; +- dst = row + plane; ++ Uint8 *dst = row + plane; + for(x = 0; x < width; x++) { + if ( dst >= row+surface->pitch ) { + error = "decoding out of bounds (corrupt?)"; +@@ -218,8 +225,6 @@ + dst += pcxh.NPlanes; + } + } +- } else { +- SDL_memcpy(row, buf, bpl); + } + + row += surface->pitch; diff -Nru sdl-image1.2-1.2.12/debian/patches/series sdl-image1.2-1.2.12/debian/patches/series --- sdl-image1.2-1.2.12/debian/patches/series 2018-11-04 18:58:30.000000000 -0500 
+++ sdl-image1.2-1.2.12/debian/patches/series 2019-08-29 08:51:05.000000000 -0400 @@ -10,3 +10,8 @@ CVE-2018-3838.patch CVE-2018-3839.patch CVE-2018-3977.patch + +CVE-2019-12218.patch +CVE-2019-5052.patch +IMG_pcx-out-of-bounds.patch +CVE-2019-7635.patchAttachment: signature.asc
Description: PGP signature
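Review bot: The debian/changelog entry lists CVE-2019-12216 and CVE-2019-5051 under "OOB R/W in IMG_LoadPCX_RW", but no patch header in this debdiff names either identifier: CVE-2019-12218.patch mentions only CVE-2019-12218, and IMG_pcx-out-of-bounds.patch lists CVE-2019-12222, -12221, -12220, -12219 and -12217. Add the two missing identifiers to the Description of the patch that covers them, so the changelog claim can be traced to a specific change.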
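Review bot: In the corrected CVE-2018-3977.patch hunk for IMG_xcf.c, the new check leaves the row loop with a bare `break` and sets no error in the lines shown, so a layer that extends past the surface is silently truncated. Consider reporting the condition as a corrupt file. The `(tx+ox) > surface->w` half of the test does not depend on y and could be evaluated once before the loop.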
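Review bot: In the RLE hunk of CVE-2019-12218.patch (@@ -168,14), `count = ch - 0xc0` evaluates to 0 for a run byte of exactly 0xc0, and the unchanged `count--` after `dst[i] = ch` then takes it to -1. How the loop treats a negative count is not visible in the hunk, so a zero-length run should either be rejected as corrupt or handled explicitly right after the assignment.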
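Review bot: In the palette hunk of CVE-2019-12218.patch (@@ -227,8), the return value of `SDL_RWseek(src, -768, RW_SEEK_END)` is not checked before `break`. SDL_RWseek returns -1 on failure, for example when the source is shorter than 768 bytes or not seekable, and in that case the old "file truncated" error path is the right outcome. Suggest testing the result and keeping `goto done` for the failure case.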
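Review bot: The first hunk of IMG_pcx-out-of-bounds.patch (@@ -148,18) removes the `bpl < 0 || bpl > surface->pitch` test that CVE-2019-5052.patch adds one step earlier in the series, which leaves the failure of `SDL_calloc(bpl, 1)` as the only guard against a negative bpl. That reports "Out of memory" for what is a corrupt header, and a bpl larger than the pitch is no longer rejected at this point. Either keep an explicit `bpl < 0` check in front of the allocation or state in the patch Description that the earlier guard is replaced on purpose.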
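Review bot: In the @@ -202,13 hunk of IMG_pcx-out-of-bounds.patch, the new `src_bits == 8` branch copies `width` bytes from buf to row with no bound, while the 24-bit branch directly below keeps its `dst >= row+surface->pitch` test. buf is now allocated as bpl bytes, and nothing in the visible lines ties width to bpl or to surface->pitch. Add the same kind of bound here, or a check that width does not exceed bpl before the per-row loop.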
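Review bot: In the @@ -444,7 hunk of CVE-2019-7635.patch, the test `bits[i] >= biClrUsed` is applied unconditionally, whereas the equivalent 8-bpp test in the next hunk (@@ -456,6) is guarded by `palette && biClrUsed < (1 << biBitCount)`. If the guard matters for the 8-bpp case it probably matters for the expanded 1-bpp and 4-bpp case as well. Use the same condition in both places, or add a comment explaining why the expanded path does not need it.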
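Review bot: In the ICO hunk of CVE-2019-7635.patch (@@ -650,6), the new cases call `SDL_SetError` while the `default:` case immediately below and the matching BMP hunk (@@ -292,6) use `IMG_SetError`. Use `IMG_SetError` here too for consistency. The message also says "BMP images" although this code path is loading an ICO file.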
--- End Message ---
--- Begin Message ---
- To: 930795-done@bugs.debian.org, 931126-done@bugs.debian.org, 931198-done@bugs.debian.org, 931199-done@bugs.debian.org, 931358-done@bugs.debian.org, 931596-done@bugs.debian.org, 931608-done@bugs.debian.org, 931615-done@bugs.debian.org, 931616-done@bugs.debian.org, 931724-done@bugs.debian.org, 931817-done@bugs.debian.org, 931967-done@bugs.debian.org, 932009-done@bugs.debian.org, 932030-done@bugs.debian.org, 932069-done@bugs.debian.org, 932111-done@bugs.debian.org, 932193-done@bugs.debian.org, 932318-done@bugs.debian.org, 932335-done@bugs.debian.org, 932441-done@bugs.debian.org, 932448-done@bugs.debian.org, 932518-done@bugs.debian.org, 932522-done@bugs.debian.org, 932588-done@bugs.debian.org, 932606-done@bugs.debian.org, 932684-done@bugs.debian.org, 932790-done@bugs.debian.org, 932945-done@bugs.debian.org, 933036-done@bugs.debian.org, 933125-done@bugs.debian.org, 933147-done@bugs.debian.org, 933175-done@bugs.debian.org, 933369-done@bugs.debian.org, 933379-done@bugs.debian.org, 933392-done@bugs.debian.org, 933535-done@bugs.debian.org, 933754-done@bugs.debian.org, 933764-done@bugs.debian.org, 933769-done@bugs.debian.org, 933787-done@bugs.debian.org, 933899-done@bugs.debian.org, 933911-done@bugs.debian.org, 933976-done@bugs.debian.org, 934094-done@bugs.debian.org, 934163-done@bugs.debian.org, 934183-done@bugs.debian.org, 934308-done@bugs.debian.org, 934311-done@bugs.debian.org, 934329-done@bugs.debian.org, 934343-done@bugs.debian.org, 934345-done@bugs.debian.org, 934507-done@bugs.debian.org, 934537-done@bugs.debian.org, 934650-done@bugs.debian.org, 934689-done@bugs.debian.org, 934704-done@bugs.debian.org, 934826-done@bugs.debian.org, 934827-done@bugs.debian.org, 934928-done@bugs.debian.org, 934934-done@bugs.debian.org, 934956-done@bugs.debian.org, 935137-done@bugs.debian.org, 935165-done@bugs.debian.org, 935200-done@bugs.debian.org, 935253-done@bugs.debian.org, 935261-done@bugs.debian.org, 935265-done@bugs.debian.org, 935308-done@bugs.debian.org, 
935370-done@bugs.debian.org, 935386-done@bugs.debian.org, 935411-done@bugs.debian.org, 935465-done@bugs.debian.org, 935474-done@bugs.debian.org, 935479-done@bugs.debian.org, 935480-done@bugs.debian.org, 935576-done@bugs.debian.org, 935583-done@bugs.debian.org, 935704-done@bugs.debian.org, 935707-done@bugs.debian.org, 935719-done@bugs.debian.org, 935746-done@bugs.debian.org, 935770-done@bugs.debian.org, 935776-done@bugs.debian.org, 935809-done@bugs.debian.org, 935815-done@bugs.debian.org, 935827-done@bugs.debian.org, 935888-done@bugs.debian.org, 935957-done@bugs.debian.org, 935988-done@bugs.debian.org, 936022-done@bugs.debian.org, 936056-done@bugs.debian.org, 938954-done@bugs.debian.org, 938975-done@bugs.debian.org, 939019-done@bugs.debian.org
- Cc: 935588@bugs.debian.org
- Subject: Closing bugs for fixes including in 10.1 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 07 Sep 2019 14:34:49 +0100
- Message-id: <f49e2985d8466065c49c03185c24465a32228fb5.camel@adam-barratt.org.uk>
Version: 10.1

Hi,

The fixes referenced by each of these bugs were included in today's buster point release.

Regards,

Adam
--- End Message ---