
Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1
Hi Hugo,

On Mon, Aug 05, 2019 at 08:28:00AM +0200, Hugo Lefeuvre wrote:
> Hi Salvatore,
> 
> > Maybe I'm missing something but please double check. Can it be
> > that the stretch-pu upload contains the fix
> > https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10 for TALOS-2019-0842
> > but the buster-pu one missed it? (Note this has a new CVE assigned
> > CVE-2019-5058, the change afaics is included in your stretch-pu
> > debdiff, is this right? but not in the buster-pu one?)
> 
> Thanks for catching this. The situation is quite messy, so I will try to
> summarize it in a few words.
> 
> CVE-2018-3977 is the actual buffer overflow in IMG_pcx.c. This
> vulnerability was "fixed" via [0], however the fix is broken (the check
> should be done for y, not ty). Talos decided to report the remaining issue
> as a separate vulnerability, TALOS-2019-0842, which was recently assigned
> CVE-2019-5058. It was fixed via [1].
> 
> CVE-2019-5058/TALOS-2019-0842 is not a new vulnerability, it's just
> CVE-2018-3977 which wasn't fixed properly.

Ack, thanks for summarizing the situation.

> Buster received [0] per 2.0.4+dfsg1-1, but not [1]. Even if I was aware
> that the initial patch was broken (see stretch patch descriptions), I
> failed to handle this properly in the buster version.
> 
> As far as I remember, I did not upload this diff yet. I'll just provide an
> updated version asap. I will also update the testing NMU[2], which I
> fortunately did not upload yet.

Perfect, thank you for that!

Regards,
Salvatore
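The pattern described above, a bounds check applied to the wrong variable so that the overflow survives the "fix", is worth seeing in code. The following is an added illustration, not the SDL_image PCX decoder and not code from either participant: it uses a constructed toy row-addressed format (names `decode_toy`, `row_check_broken`, `row_check_fixed`, `guard_corrupted` and the `TOY_*` constants are all assumptions) in which `ty` counts records consumed and `y` is the destination row read from the file. The "broken" check tests `ty` against the height, as the thread says the first patch did; the "fixed" check tests `y`, the index that actually selects where the write lands. A sentinel region after the image buffer shows which variant still lets a record addressing row `height` clobber memory past the end.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy row-addressed image format (hypothetical; not the
 * SDL_image PCX decoder): a stream of records, each being
 * [row_index][TOY_WIDTH pixel bytes], copied into row 'row_index'. */
#define TOY_WIDTH   4
#define TOY_HEIGHT  4
#define GUARD_BYTES TOY_WIDTH   /* sentinel region after the image */

typedef int (*row_check_fn)(int ty, int y, int height);

/* Incomplete fix, in the spirit of "the check was done for ty, not y":
 * ty is how many records have been processed, y is the destination row
 * taken from the file. Bounding ty says nothing about where the write
 * lands. */
static int row_check_broken(int ty, int y, int height) {
    (void)y;
    return ty >= 0 && ty < height;
}

/* Correct fix: bound the index that selects the destination row. */
static int row_check_fixed(int ty, int y, int height) {
    (void)ty;
    return y >= 0 && y < height;
}

/* Decode 'data' into 'dst' (TOY_HEIGHT * TOY_WIDTH bytes followed by
 * GUARD_BYTES sentinel bytes). Returns the number of records copied,
 * or -1 if a record failed 'check' or the stream is truncated. */
static int decode_toy(const uint8_t *data, size_t len, row_check_fn check,
                      uint8_t *dst) {
    const size_t rec = 1 + TOY_WIDTH;
    int ty = 0;
    for (size_t off = 0; off < len; off += rec, ty++) {
        if (len - off < rec) return -1;          /* truncated record */
        int y = data[off];                        /* file-controlled row */
        if (!check(ty, y, TOY_HEIGHT)) return -1;
        memcpy(dst + (size_t)y * TOY_WIDTH, data + off + 1, TOY_WIDTH);
    }
    return ty;
}

/* Run one decoder variant over a constructed stream whose single record
 * names row 4 of a 4-row image (one past the end). Returns 1 if the
 * sentinel region was overwritten, 0 if the write was refused. */
static int guard_corrupted(row_check_fn check) {
    uint8_t dst[TOY_HEIGHT * TOY_WIDTH + GUARD_BYTES];
    memset(dst, 0, sizeof dst);
    memset(dst + TOY_HEIGHT * TOY_WIDTH, 0xAA, GUARD_BYTES);
    const uint8_t stream[] = { TOY_HEIGHT, 1, 2, 3, 4 };  /* y == height */
    decode_toy(stream, sizeof stream, check, dst);
    for (size_t i = 0; i < GUARD_BYTES; i++)
        if (dst[TOY_HEIGHT * TOY_WIDTH + i] != 0xAA) return 1;
    return 0;
}

int main(void) {
    printf("broken check corrupts guard: %d\n", guard_corrupted(row_check_broken));
    printf("fixed check corrupts guard:  %d\n", guard_corrupted(row_check_fixed));
    return 0;
}
```

The record count `ty` happens to be small in the constructed stream, so the broken check passes and the sentinel bytes are overwritten; the fixed check rejects the record before the `memcpy`. The same shape of review question applies when auditing any patch for an out-of-bounds write: does the comparison constrain the value that is actually used as the index?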

