
Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1



Hi Salvatore,

> Maybe I'm missing something but please double check. Can it be
> that the stretch-pu upload contains the fix
> https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10 for TALOS-2019-0842
> but the buster-pu one missed it? (Note this has a new CVE assigned
> CVE-2019-5058, the change afaics is included in your stretch-pu
> debdiff, is this right? but not in the buster-pu one?)

Thanks for catching this. The situation is quite messy, so I will try to
summarize it in a few words.

CVE-2018-3977 is the actual buffer overflow in IMG_pcx.c. This
vulnerability was "fixed" via [0], however the fix is broken (the check
should be done for y, not ty). Talos decided to report the remaining issue
as a separate vulnerability, TALOS-2019-0842, which was recently assigned
CVE-2019-5058. It was fixed via [1].

CVE-2019-5058/TALOS-2019-0842 is not a new vulnerability, it's just
CVE-2018-3977 which wasn't fixed properly.

Buster received [0] per 2.0.4+dfsg1-1, but not [1]. Even though I was aware
that the initial patch was broken (see stretch patch descriptions), I
failed to handle this properly in the buster version.

As far as I remember, I did not upload this diff yet. I'll just provide an
updated version asap. I will also update the testing NMU[2], which I
fortunately did not upload yet.

Thanks again!

regards,
Hugo

[0] https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8
[1] https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932755

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
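The defect Hugo describes (a bounds check performed on `ty`, the row recorded when a run started, instead of `y`, the row actually being written) is a general pattern worth being able to recognise in any RLE decoder. The following is an added, constructed illustration and is not the code of SDL_image's IMG_pcx.c or of either referenced changeset: a minimal PCX-style RLE scanline decoder whose row check can be switched between the stale variable and the live one. The function and type names (`decode_rle`, `decode_result`, `run_sample`) and the sample stream are assumptions for this demo. A trailing guard records when the selected check failed to stop a write instead of letting memory be overwritten, so the comparison can be run safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not SDL_image code. Names are hypothetical. */
typedef struct {
    size_t bytes_written;   /* bytes actually placed in dst */
    int    rejected;        /* 1 if the per-row check stopped decoding */
    int    would_overflow;  /* 1 if the check let a write past the buffer through */
} decode_result;

/* Decode a PCX-style RLE byte stream into dst (rows * width bytes).
 * A byte with the top two bits set is a run marker: its low six bits give the
 * run length and the next byte is the value; any other byte is a literal.
 * check_current_row selects which variable the bounds check uses:
 *   1 -> y,  the row of the byte about to be written   (correct)
 *   0 -> ty, the row at which the current run started  (the defect discussed)
 * The final guard never lets a write escape dst; it only records that the
 * selected check did not catch it. */
static decode_result decode_rle(const uint8_t *src, size_t srclen,
                                uint8_t *dst, size_t width, size_t rows,
                                int check_current_row)
{
    decode_result r = {0, 0, 0};
    size_t pos = 0, i = 0;

    while (i < srclen) {
        uint8_t b = src[i++];
        size_t count = 1;
        uint8_t value = b;

        if ((b & 0xC0) == 0xC0) {       /* run marker */
            if (i >= srclen) break;     /* truncated run: stop decoding */
            count = b & 0x3F;
            value = src[i++];
        }

        size_t ty = pos / width;        /* row at the start of this run */
        while (count-- > 0) {
            size_t y = pos / width;     /* row of the byte about to be written */
            size_t row_checked = check_current_row ? y : ty;
            if (row_checked >= rows) {  /* the bounds check under comparison */
                r.rejected = 1;
                return r;
            }
            if (pos >= width * rows) {  /* safety net for the demo only */
                r.would_overflow = 1;
                return r;
            }
            dst[pos++] = value;
            r.bytes_written++;
        }
    }
    return r;
}

/* Constructed sample stream: a 4-byte run that fills row 0, then a 6-byte run
 * that starts on row 1 (the last row) and would continue two bytes past the
 * 4x2 buffer. A run crossing the end of the image is exactly the case where
 * ty and y disagree. */
static const uint8_t sample_stream[] = { 0xC4, 0xAA, 0xC6, 0xBB };

static decode_result run_sample(int check_current_row)
{
    uint8_t dst[4 * 2];
    memset(dst, 0, sizeof dst);
    return decode_rle(sample_stream, sizeof sample_stream, dst, 4, 2,
                      check_current_row);
}

int main(void)
{
    decode_result buggy = run_sample(0);
    decode_result fixed = run_sample(1);
    printf("check on ty: written=%zu rejected=%d would_overflow=%d\n",
           buggy.bytes_written, buggy.rejected, buggy.would_overflow);
    printf("check on y : written=%zu rejected=%d would_overflow=%d\n",
           fixed.bytes_written, fixed.rejected, fixed.would_overflow);
    return 0;
}
```

With the check on `ty` the second run passes the test (`ty` is 1, still inside the image) and the decoder reaches the write at offset 8, i.e. one byte past the buffer; with the check on `y` the same stream is rejected at that point after the full 8 in-bounds bytes have been written. When reviewing a fix of this kind, the thing to verify is that the variable in the comparison is the one used as the index at the moment of the write, not a copy taken earlier in the loop.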
