Debian Bug report logs -
#932754
libsdl2-image: multiple security issues
Reported by: Hugo Lefeuvre <hle@debian.org>
Date: Mon, 22 Jul 2019 18:45:01 UTC
Severity: important
Tags: security, upstream
Found in version libsdl2-image/2.0.4+dfsg1-1
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>
:
Bug#932754
; Package src:libsdl2-image
.
(Mon, 22 Jul 2019 18:45:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Hugo Lefeuvre <hle@debian.org>
:
New Bug report received and forwarded. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>
.
(Mon, 22 Jul 2019 18:45:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Source: libsdl2-image
Version: 2.0.4+dfsg1-1
Severity: important
Tags: security upstream
Hi,
the following security issues[0] were published for libsdl2-image:
* CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c.
* CVE-2019-5051: heap-based buffer overflow in IMG_pcx.c.
* CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
* CVE-2019-12216, CVE-2019-12217,
CVE-2019-12218, CVE-2019-12219,
CVE-2019-12220, CVE-2019-12221,
CVE-2019-12222: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
Fixing these issues:
Patches are quite straightforward and I believe that some of these
issues are worth fixing (reporter claims that they are "exploitable").
I have prepared and uploaded a jessie LTS update addressing most of these
issues (all of them apart from CVE-2019-5051) via targeted fixes.
If the security team agrees, I will provide targeted fixes for buster and
stretch.
For testing, I suggest to package the latest upstream release. If needed, I
can provide an update with targeted fixes.
regards,
Hugo
[0] https://security-tracker.debian.org/tracker/source-package/libsdl2-image
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>
:
Bug#932754
; Package src:libsdl2-image
.
(Mon, 22 Jul 2019 21:51:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Hugo Lefeuvre <hle@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>
.
(Mon, 22 Jul 2019 21:51:04 GMT) (full text, mbox, link).
Message #10 received at 932754@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Felix,
(CC-ing #932754 which tracks this issue)
> > I have prepared a jessie (LTS) update addressing libsdl2-image's current
> > security issues. I will coordinate with the security team to possibly fix
> > them in a future stretch/buster point update.
> >
> > Are you planning to address these issues in testing? Packaging upstream's
> > latest 2.0.5 release should be sufficient, but they can also be addressed
> > with more targeted fixes.
> >
> > I can provide some help if needed.
>
> Thanks for your work!
>
> I'm preparing a 2.0.5 upload right now.
Great, thanks!
> As far as I can tell all CVEs in the tracker are fixed with 2.0.5.
> Do you agree?
Exactly.
By the way, I had a second look and it appears that CVE-2019-5051 was also
fixed by the jessie LTS upload. CVE-2019-5051 is also a member of the
CVE-2019-12221 family, and is therefore fixed by [0].
cheers,
Hugo
[0] https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
[signature.asc (application/pgp-signature, inline)]
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Tue Jul 23 11:22:10 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.