
Bug#1013306: bullseye-pu: package libsdl2/2.0.14+dfsg2-3+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: security@debian.org

[ Reason ]
Backport fixes for two out-of-bounds reads, one of which has a CVE ID,
presumably because it could be an exploitable vulnerability for games that
are willing to load untrusted graphics data.

The security team marked the CVE as unimportant and didn't open a bug,
so presumably they don't intend to do a DSA.

[ Impact ]
If not approved, SDL games that load untrusted graphics could potentially be
crashed or otherwise interfered with by an attacker.

[ Tests ]
No specific test coverage. From the upstream bug reports, it seems that
these issues are usually only noticeable in practice if SDL is rebuilt
with AddressSanitizer.

The proposed version seems to work OK in brief testing with a few games
(0ad, openarena, warzone2100).

[ Risks ]
Low risk: the patches are trivial and have been in testing since January
without apparent regressions.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

d/p/Fixed-potential-buffer-overflow-in-YUV-conversion.patch,
src/video/yuv2rgb/yuv_rgb.c: ensure that the index in a 512-element
lookup table is clamped to the range 0 to 511 inclusive, even if the input
data is malformed.

d/p/Always-create-a-full-256-entry-map-in-case-color-values-a.patch,
src/video/SDL_pixels.c: always allocate palettes for palette-based formats
with 256 entries and zero out the ones that are not used, so that
out-of-range pixel values resolve to transparent black
(red = green = blue = alpha = 0) instead of causing an out-of-bounds read.
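As an added illustration of the two changes described above (example code written for this report, not SDL's own code and not part of the debdiff): a constructed C model of the 512-entry clamp table and of the 256-entry palette map. It assumes PRECISION is 6 and that the table is laid out as 128 zeros, the ramp 0..255, then 128 entries of 255 (only the tail of the real table is visible in the diff); all function names are hypothetical. It goes slightly beyond the patch by also showing a saturating clamp beside upstream's masking, so the difference between "masked to 0..511" and "clamped to 0..511" is visible on malformed input.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* --- Part 1: the YUV -> RGB clamp table (yuv_rgb.c) ------------------------
 * Constructed stand-in for the 512-entry lut[]; assumed layout: 128 zeros,
 * the ramp 0..255, then 128 entries of 255.  PRECISION is assumed to be 6. */
#define PRECISION        6
#define PRECISION_FACTOR (1 << PRECISION)
#define LUT_SIZE         512

static uint8_t lut[LUT_SIZE];
static int lut_ready = 0;

static void ensure_lut(void)
{
    if (lut_ready) return;
    for (int i = 0; i < LUT_SIZE; i++)
        lut[i] = (i < 128) ? 0 : (i < 384) ? (uint8_t)(i - 128) : 255;
    lut_ready = 1;
}

/* The index exactly as the pre-fix code computed it (fixed-point value v,
 * offset by 128 and scaled down).  Returned, not used, so we never read OOB. */
static int32_t lut_index(int32_t v)
{
    return (v + 128 * PRECISION_FACTOR) >> PRECISION;
}

/* Was the pre-fix read lut[lut_index(v)] inside the table? */
static int lut_index_in_bounds(int32_t v)
{
    int32_t i = lut_index(v);
    return i >= 0 && i < LUT_SIZE;
}

/* Upstream fix: mask the index with 511 (index mod 512).  Always in bounds,
 * but an over-range v wraps to an unrelated table entry. */
static uint8_t clampU8_masked(int32_t v)
{
    ensure_lut();
    return lut[lut_index(v) & 511];
}

/* Alternative not in the patch: saturate the index, so over-range input
 * yields lut[0] or lut[511] (0 or 255) instead of wrapping. */
static uint8_t clampU8_saturating(int32_t v)
{
    int32_t i = lut_index(v);
    ensure_lut();
    if (i < 0) i = 0;
    if (i > LUT_SIZE - 1) i = LUT_SIZE - 1;
    return lut[i];
}

/* --- Part 2: the palette map (SDL_pixels.c, Map1toN path) -----------------
 * After the fix the map is sized for every possible 8-bit pixel value, not
 * for pal->ncolors, and calloc zero-fills the tail the palette does not use. */
#define MAP_ENTRIES 256

typedef struct { uint8_t r, g, b, a; } rgba_t;

/* Returns a MAP_ENTRIES-entry map (caller frees), or NULL on bad input/OOM. */
static rgba_t *build_map_1toN(const rgba_t *palette, int ncolors)
{
    if (ncolors < 0 || ncolors > MAP_ENTRIES) return NULL;
    rgba_t *map = calloc(MAP_ENTRIES, sizeof(rgba_t)); /* fix: was malloc(ncolors * bpp) */
    if (map == NULL) return NULL;
    memcpy(map, palette, (size_t)ncolors * sizeof(rgba_t));
    return map;
}

/* Would this pixel value have read past the pre-fix (ncolors-sized) map? */
static int pixel_oob_before_fix(int ncolors, uint8_t pixel)
{
    return pixel >= ncolors;
}

/* Lookup through the fixed map: every 8-bit value is in bounds. */
static rgba_t map_lookup(const rgba_t *map, uint8_t pixel)
{
    return map[pixel];
}

/* Worked check: a 16-colour palette (as in a 4-bit BMP) and a pixel value of
 * 200, which a malformed file can contain.  Returns 1 if the out-of-range
 * pixel resolves to transparent black. */
static int demo_palette(void)
{
    rgba_t pal[16];
    for (int i = 0; i < 16; i++) {
        pal[i].r = pal[i].g = pal[i].b = (uint8_t)(i * 17);
        pal[i].a = 255;
    }
    rgba_t *map = build_map_1toN(pal, 16);
    if (map == NULL) return 0;
    rgba_t c = map_lookup(map, 200);
    int ok = pixel_oob_before_fix(16, 200) &&
             c.r == 0 && c.g == 0 && c.b == 0 && c.a == 0;
    free(map);
    return ok;
}

int main(void)
{
    int32_t bad = 37376; /* constructed over-range fixed-point value: index 712 */
    printf("v=%d raw index=%d in_bounds=%d masked=%u saturating=%u\n",
           bad, lut_index(bad), lut_index_in_bounds(bad),
           clampU8_masked(bad), clampU8_saturating(bad));
    printf("palette demo: %s\n", demo_palette() ? "ok" : "FAIL");
    return 0;
}
```

For the over-range value the raw index is 712, past the 512-entry table; the masked form reads entry 200 (value 72, a mid-grey for what should be a saturated channel), while the saturating form returns 255. Both keep the read in bounds, which is what the CVE fix needs; the difference only affects which wrong colour a malformed frame decodes to.
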

diffstat for libsdl2-2.0.14+dfsg2 libsdl2-2.0.14+dfsg2

 debian/changelog                                                               |   12 +++
 debian/gbp.conf                                                                |    1 
 debian/patches/Always-create-a-full-256-entry-map-in-case-color-values-a.patch |   34 ++++++++++
 debian/patches/Fixed-potential-buffer-overflow-in-YUV-conversion.patch         |   23 ++++++
 debian/patches/series                                                          |    2 
 src/video/SDL_pixels.c                                                         |    4 -
 src/video/yuv2rgb/yuv_rgb.c                                                    |    2 
 7 files changed, 75 insertions(+), 3 deletions(-)

diff -Nru libsdl2-2.0.14+dfsg2/debian/changelog libsdl2-2.0.14+dfsg2/debian/changelog
--- libsdl2-2.0.14+dfsg2/debian/changelog	2021-01-18 14:35:30.000000000 +0000
+++ libsdl2-2.0.14+dfsg2/debian/changelog	2022-06-20 22:05:21.000000000 +0100
@@ -1,3 +1,15 @@
+libsdl2 (2.0.14+dfsg2-3+deb11u1) bullseye; urgency=medium
+
+  * d/gbp.conf: Set branch for Debian 11 updates
+  * d/p/Always-create-a-full-256-entry-map-in-case-color-values-a.patch:
+    Avoid out-of-bounds read while loading malformed BMP file.
+    libsdl-org/SDL#5042 upstream, CVE-2021-33657.
+  * d/p/Fixed-potential-buffer-overflow-in-YUV-conversion.patch:
+    Avoid out-of-bounds read during YUV to RGB conversion.
+    libsdl-org/SDL#5043 upstream, no known CVE ID.
+
+ -- Simon McVittie <smcv@debian.org>  Mon, 20 Jun 2022 22:05:21 +0100
+
 libsdl2 (2.0.14+dfsg2-3) unstable; urgency=medium
 
   * d/libsdl2-2.0-0.symbols: SDL_LinuxSetThreadPriority is Linux-only
diff -Nru libsdl2-2.0.14+dfsg2/debian/gbp.conf libsdl2-2.0.14+dfsg2/debian/gbp.conf
--- libsdl2-2.0.14+dfsg2/debian/gbp.conf	2021-01-18 14:35:30.000000000 +0000
+++ libsdl2-2.0.14+dfsg2/debian/gbp.conf	2022-06-20 22:05:21.000000000 +0100
@@ -1,6 +1,7 @@
 [DEFAULT]
 pristine-tar = True
 sign-tags = True
+debian-branch = debian/bullseye
 
 [import-orig]
 filter = [ 'Android.mk', 'android-project', 'debian', 'src/hidapi/android', 'src/hidapi/ios', 'src/hidapi/linux/hid.cpp', 'src/hidapi/mac', 'src/hidapi/testgui', 'src/hidapi/windows', 'src/render/metal/SDL_shaders_metal_*.h', 'src/video/os2/my_gradd.h', 'VisualC', 'VisualC-WinRT', 'Xcode', 'Xcode-iOS' ]
diff -Nru libsdl2-2.0.14+dfsg2/debian/patches/Always-create-a-full-256-entry-map-in-case-color-values-a.patch libsdl2-2.0.14+dfsg2/debian/patches/Always-create-a-full-256-entry-map-in-case-color-values-a.patch
--- libsdl2-2.0.14+dfsg2/debian/patches/Always-create-a-full-256-entry-map-in-case-color-values-a.patch	1970-01-01 01:00:00.000000000 +0100
+++ libsdl2-2.0.14+dfsg2/debian/patches/Always-create-a-full-256-entry-map-in-case-color-values-a.patch	2022-06-20 22:05:21.000000000 +0100
@@ -0,0 +1,34 @@
+From: Sam Lantinga <slouken@libsdl.org>
+Date: Tue, 30 Nov 2021 12:36:46 -0800
+Subject: Always create a full 256-entry map in case color values are out of
+ range
+
+Bug: https://github.com/libsdl-org/SDL/issues/5042
+Bug-CVE: CVE-2021-33657
+Origin: upstream, 2.0.20, commit:8c91cf7dba5193f5ce12d06db1336515851c9ee9
+---
+ src/video/SDL_pixels.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c
+index 84b6932..c27dc6f 100644
+--- a/src/video/SDL_pixels.c
++++ b/src/video/SDL_pixels.c
+@@ -947,7 +947,7 @@ Map1to1(SDL_Palette * src, SDL_Palette * dst, int *identical)
+         }
+         *identical = 0;
+     }
+-    map = (Uint8 *) SDL_malloc(src->ncolors);
++    map = (Uint8 *) SDL_calloc(256, sizeof(Uint8));
+     if (map == NULL) {
+         SDL_OutOfMemory();
+         return (NULL);
+@@ -971,7 +971,7 @@ Map1toN(SDL_PixelFormat * src, Uint8 Rmod, Uint8 Gmod, Uint8 Bmod, Uint8 Amod,
+     SDL_Palette *pal = src->palette;
+ 
+     bpp = ((dst->BytesPerPixel == 3) ? 4 : dst->BytesPerPixel);
+-    map = (Uint8 *) SDL_malloc(pal->ncolors * bpp);
++    map = (Uint8 *) SDL_calloc(256, bpp);
+     if (map == NULL) {
+         SDL_OutOfMemory();
+         return (NULL);
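Review bot: the fixed-size SDL_calloc(256, ...) in both hunks only bounds the read; the loop that fills map[] is outside the hunk, so please confirm it still iterates to src->ncolors / pal->ncolors (at most 256 for an 8-bit palette) and not to 256, or it would read past the source palette instead. The two paths also differ in what an out-of-range pixel becomes: in Map1toN the zero-filled tail is transparent black (every byte 0), but in Map1to1 a zero entry is destination palette index 0, whatever colour that happens to be; the [Changes] text describes only the Map1toN behaviour.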
diff -Nru libsdl2-2.0.14+dfsg2/debian/patches/Fixed-potential-buffer-overflow-in-YUV-conversion.patch libsdl2-2.0.14+dfsg2/debian/patches/Fixed-potential-buffer-overflow-in-YUV-conversion.patch
--- libsdl2-2.0.14+dfsg2/debian/patches/Fixed-potential-buffer-overflow-in-YUV-conversion.patch	1970-01-01 01:00:00.000000000 +0100
+++ libsdl2-2.0.14+dfsg2/debian/patches/Fixed-potential-buffer-overflow-in-YUV-conversion.patch	2022-06-20 22:05:21.000000000 +0100
@@ -0,0 +1,23 @@
+From: Sam Lantinga <slouken@libsdl.org>
+Date: Tue, 30 Nov 2021 10:23:21 -0800
+Subject: Fixed potential buffer overflow in YUV conversion
+
+Bug: https://github.com/libsdl-org/SDL/issues/5043
+Origin: upstream, 2.0.20, commit:8589134f160a9d0898a2f3bdf87300837be4367d
+---
+ src/video/yuv2rgb/yuv_rgb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/video/yuv2rgb/yuv_rgb.c b/src/video/yuv2rgb/yuv_rgb.c
+index 6e821a8..7908b8c 100644
+--- a/src/video/yuv2rgb/yuv_rgb.c
++++ b/src/video/yuv2rgb/yuv_rgb.c
+@@ -91,7 +91,7 @@ static uint8_t clampU8(int32_t v)
+ 	255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,
+ 	255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255
+ 	};
+-	return lut[(v+128*PRECISION_FACTOR)>>PRECISION];
++	return lut[((v+128*PRECISION_FACTOR)>>PRECISION)&511];
+ }
+ 
+ 
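Review bot: `& 511` masks the index modulo 512 rather than clamping it, so the [Changes] description ("clamped to the range 0 to 511 inclusive") does not match the code: an over-range value wraps to an unrelated table entry (and a negative index stays in range only through two's-complement masking) instead of saturating at lut[0] or lut[511]. That is enough to keep the read in bounds, which is the point of the fix, but the request text should say "masked to 0..511", or the patch should use an explicit min/max if exactly matching upstream is not required.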
diff -Nru libsdl2-2.0.14+dfsg2/debian/patches/series libsdl2-2.0.14+dfsg2/debian/patches/series
--- libsdl2-2.0.14+dfsg2/debian/patches/series	2021-01-18 14:35:30.000000000 +0000
+++ libsdl2-2.0.14+dfsg2/debian/patches/series	2022-06-20 22:05:21.000000000 +0100
@@ -2,3 +2,5 @@
 waylandtouch-Don-t-export-interface-structs.patch
 Add-a-make-install-target-for-the-tests.patch
 no-libdir.patch
+Always-create-a-full-256-entry-map-in-case-color-values-a.patch
+Fixed-potential-buffer-overflow-in-YUV-conversion.patch
diff -Nru libsdl2-2.0.14+dfsg2/src/video/SDL_pixels.c libsdl2-2.0.14+dfsg2/src/video/SDL_pixels.c
--- libsdl2-2.0.14+dfsg2/src/video/SDL_pixels.c	2020-12-21 17:44:36.000000000 +0000
+++ libsdl2-2.0.14+dfsg2/src/video/SDL_pixels.c	2022-06-21 10:54:32.000000000 +0100
@@ -947,7 +947,7 @@
         }
         *identical = 0;
     }
-    map = (Uint8 *) SDL_malloc(src->ncolors);
+    map = (Uint8 *) SDL_calloc(256, sizeof(Uint8));
     if (map == NULL) {
         SDL_OutOfMemory();
         return (NULL);
@@ -971,7 +971,7 @@
     SDL_Palette *pal = src->palette;
 
     bpp = ((dst->BytesPerPixel == 3) ? 4 : dst->BytesPerPixel);
-    map = (Uint8 *) SDL_malloc(pal->ncolors * bpp);
+    map = (Uint8 *) SDL_calloc(256, bpp);
     if (map == NULL) {
         SDL_OutOfMemory();
         return (NULL);
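Review bot: these src/video/SDL_pixels.c and src/video/yuv2rgb/yuv_rgb.c hunks are the applied copy of the two quilt patches above (the debdiff was taken from a source tree with the patch series applied), so they add nothing to review on their own; just confirm the package builds from the entries in debian/patches/series so the two copies cannot drift apart.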
diff -Nru libsdl2-2.0.14+dfsg2/src/video/yuv2rgb/yuv_rgb.c libsdl2-2.0.14+dfsg2/src/video/yuv2rgb/yuv_rgb.c
--- libsdl2-2.0.14+dfsg2/src/video/yuv2rgb/yuv_rgb.c	2020-12-21 17:44:36.000000000 +0000
+++ libsdl2-2.0.14+dfsg2/src/video/yuv2rgb/yuv_rgb.c	2022-06-21 10:54:32.000000000 +0100
@@ -91,7 +91,7 @@
 	255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,
 	255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255
 	};
-	return lut[(v+128*PRECISION_FACTOR)>>PRECISION];
+	return lut[((v+128*PRECISION_FACTOR)>>PRECISION)&511];
 }
 
 
