libsdl2: CVE-2017-2888: Integer overflow while creating a new RGB surface

Related Vulnerabilities: CVE-2017-2888  

Debian Bug report logs - #878264


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 11 Oct 2017 21:06:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions libsdl2/2.0.2+dfsg1-6, libsdl2/2.0.6+dfsg1-2

Fixed in version libsdl2/2.0.6+dfsg1-4

Done: Felix Geyer <fgeyer@debian.org>

Forwarded to https://bugzilla.libsdl.org/show_bug.cgi?id=3890



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>:
Bug#878264; Package src:libsdl2. (Wed, 11 Oct 2017 21:06:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. (Wed, 11 Oct 2017 21:06:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libsdl2: CVE-2017-2888: Integer overflow while creating a new RGB surface
Date: Wed, 11 Oct 2017 23:03:29 +0200
Source: libsdl2
Version: 2.0.6+dfsg1-2
Severity: grave
Tags: patch security upstream

Hi,

the following vulnerability was published for libsdl2.

CVE-2017-2888[0]:
| An exploitable integer overflow vulnerability exists when creating a
| new RGB Surface in SDL 2.0.5. A specially crafted file can cause an
| integer overflow resulting in too little memory being allocated which
| can lead to a buffer overflow and potential code execution. An
| attacker can provide a specially crafted image file to trigger this
| vulnerability.

The upstream patch seems to be [1], but please note that this might not be
enough, cf. https://bugzilla.redhat.com/show_bug.cgi?id=1500623#c2 .

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-2888
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2888
[1] http://hg.libsdl.org/SDL/rev/7e0f1498ddb5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions libsdl2/2.0.2+dfsg1-6. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 11 Oct 2017 21:24:17 GMT) (full text, mbox, link).


Reply sent to Felix Geyer <fgeyer@debian.org>:
You have taken responsibility. (Thu, 12 Oct 2017 17:36:06 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 12 Oct 2017 17:36:06 GMT) (full text, mbox, link).


Message #12 received at 878264-close@bugs.debian.org (full text, mbox, reply):

From: Felix Geyer <fgeyer@debian.org>
To: 878264-close@bugs.debian.org
Subject: Bug#878264: fixed in libsdl2 2.0.6+dfsg1-3
Date: Thu, 12 Oct 2017 17:33:51 +0000
Source: libsdl2
Source-Version: 2.0.6+dfsg1-3

We believe that the bug you reported is fixed in the latest version of
libsdl2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 878264@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Felix Geyer <fgeyer@debian.org> (supplier of updated libsdl2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 12 Oct 2017 18:33:41 +0200
Source: libsdl2
Binary: libsdl2-2.0-0 libsdl2-dev libsdl2-doc
Architecture: source
Version: 2.0.6+dfsg1-3
Distribution: unstable
Urgency: high
Maintainer: Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>
Changed-By: Felix Geyer <fgeyer@debian.org>
Description:
 libsdl2-2.0-0 - Simple DirectMedia Layer
 libsdl2-dev - Simple DirectMedia Layer development files
 libsdl2-doc - Reference manual for libsdl2
Closes: 878264
Changes:
 libsdl2 (2.0.6+dfsg1-3) unstable; urgency=high
 .
   [ Gianfranco Costamagna ]
   * debian/patches/dc7245e3d1f2.patch:
     - backport upstream fix for dbus error.
       LP: #1721907
       thanks LGB [Gábor Lénárt] (lgb) for the report!
 .
   [ Felix Geyer ]
   * Fix CVE-2017-2888: Integer overflow while creating a new RGB surface.
     - Add d/patches/CVE-2017-2888.patch
     - Closes: #878264
   * Enable verbose build logs.





Information forwarded to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>:
Bug#878264; Package src:libsdl2. (Thu, 12 Oct 2017 17:57:02 GMT) (full text, mbox, link).


Acknowledgement sent to Felix Geyer <fgeyer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. (Thu, 12 Oct 2017 17:57:02 GMT) (full text, mbox, link).


Message #17 received at 878264@bugs.debian.org (full text, mbox, reply):

From: Felix Geyer <fgeyer@debian.org>
To: 878264@bugs.debian.org
Subject: Re: Bug#878264: marked as done (libsdl2: CVE-2017-2888: Integer overflow while creating a new RGB surface)
Date: Thu, 12 Oct 2017 19:38:16 +0200
Control: reopen -1

On 12.10.2017 19:36, Debian Bug Tracking System wrote:
> The upstream patch seems to be [1], but please note that this might not be
> enough, cf. https://bugzilla.redhat.com/show_bug.cgi?id=1500623#c2 .

Sorry I missed this, reopening the bug.

Felix



Bug reopened Request was from Felix Geyer <fgeyer@debian.org> to 878264-submit@bugs.debian.org. (Thu, 12 Oct 2017 17:57:02 GMT) (full text, mbox, link).


No longer marked as fixed in versions libsdl2/2.0.6+dfsg1-3. Request was from Felix Geyer <fgeyer@debian.org> to 878264-submit@bugs.debian.org. (Thu, 12 Oct 2017 17:57:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>:
Bug#878264; Package src:libsdl2. (Thu, 12 Oct 2017 21:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. (Thu, 12 Oct 2017 21:09:03 GMT) (full text, mbox, link).


Message #26 received at 878264@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Felix Geyer <fgeyer@debian.org>, 878264@bugs.debian.org
Subject: Re: Bug#878264: marked as done (libsdl2: CVE-2017-2888: Integer overflow while creating a new RGB surface)
Date: Thu, 12 Oct 2017 23:07:37 +0200
Hi Felix,

On Thu, Oct 12, 2017 at 07:38:16PM +0200, Felix Geyer wrote:
> Control: reopen -1
> 
> On 12.10.2017 19:36, Debian Bug Tracking System wrote:
> > The upstream patch seems to be [1], but please note that this might not be
> > enough, cf. https://bugzilla.redhat.com/show_bug.cgi?id=1500623#c2 .
> 
> Sorry I missed this, reopening the bug.

No problem! Thanks for looking at the issue.

Would the __builtin_mul_overflow approach work for us?

Regards,
Salvatore
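For reference on the `__builtin_mul_overflow` approach raised above, here is an added illustration that is not code from this thread or from SDL: a model of the unchecked 32-bit size arithmetic that wraps for a large surface, beside a checked variant that rejects any width, height and bytes-per-pixel combination whose product does not fit. The function names and the int pitch field are assumptions made for the example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Models the bug class: pitch (width * bytes per pixel) and the total
 * byte count are computed in 32-bit arithmetic with no overflow check.
 * Unsigned types make the wrap defined so it can be shown; this is
 * illustrative code, not SDL's implementation. */
static uint32_t surface_bytes_unchecked(uint32_t width, uint32_t height,
                                        uint32_t bytes_per_pixel)
{
    uint32_t pitch = width * bytes_per_pixel;   /* may wrap */
    return pitch * height;                      /* may wrap to a small value */
}

/* Hardened variant: each multiplication goes through the GCC/Clang builtin
 * __builtin_mul_overflow, which stores the product in its third argument
 * and returns true if it did not fit that type. The pitch is kept in an
 * int, as a surface struct with an int pitch field would require. */
static bool surface_bytes_checked(int width, int height, int bytes_per_pixel,
                                  size_t *out)
{
    int pitch;
    size_t total;

    if (width <= 0 || height <= 0 || bytes_per_pixel <= 0)
        return false;
    if (__builtin_mul_overflow(width, bytes_per_pixel, &pitch))
        return false;                           /* pitch does not fit an int */
    if (__builtin_mul_overflow((size_t)pitch, (size_t)height, &total))
        return false;                           /* total does not fit size_t */
    *out = total;                               /* safe to pass to malloc */
    return true;
}

int main(void)
{
    size_t total;
    /* 65536 x 65536 x 4 bytes is 2^34; 32-bit arithmetic wraps it to 0,
     * the "too little memory allocated" outcome from the advisory. */
    printf("unchecked: %" PRIu32 " bytes\n", surface_bytes_unchecked(65536, 65536, 4));
    printf("checked 65536x65536x4: %s\n",
           surface_bytes_checked(65536, 65536, 4, &total) ? "ok" : "rejected");
    printf("checked INT_MAX x 1 x 4: %s\n",
           surface_bytes_checked(2147483647, 1, 4, &total) ? "ok" : "rejected");
    return 0;
}
```

On a 64-bit host the checked call for 65536x65536x4 succeeds with 2^34 bytes, so the caller can then decide whether such an allocation is acceptable; the wrapped unchecked value gives it no chance to.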



Set Bug forwarded-to-address to 'https://bugzilla.libsdl.org/show_bug.cgi?id=3890'. Request was from Felix Geyer <fgeyer@debian.org> to control@bugs.debian.org. (Wed, 18 Oct 2017 19:51:06 GMT) (full text, mbox, link).


Reply sent to Felix Geyer <fgeyer@debian.org>:
You have taken responsibility. (Wed, 18 Oct 2017 21:12:17 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 18 Oct 2017 21:12:17 GMT) (full text, mbox, link).


Message #33 received at 878264-close@bugs.debian.org (full text, mbox, reply):

From: Felix Geyer <fgeyer@debian.org>
To: 878264-close@bugs.debian.org
Subject: Bug#878264: fixed in libsdl2 2.0.6+dfsg1-4
Date: Wed, 18 Oct 2017 21:09:25 +0000
Source: libsdl2
Source-Version: 2.0.6+dfsg1-4

We believe that the bug you reported is fixed in the latest version of
libsdl2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 878264@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Felix Geyer <fgeyer@debian.org> (supplier of updated libsdl2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 18 Oct 2017 21:36:23 +0200
Source: libsdl2
Binary: libsdl2-2.0-0 libsdl2-dev libsdl2-doc
Architecture: source
Version: 2.0.6+dfsg1-4
Distribution: unstable
Urgency: high
Maintainer: Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>
Changed-By: Felix Geyer <fgeyer@debian.org>
Description:
 libsdl2-2.0-0 - Simple DirectMedia Layer
 libsdl2-dev - Simple DirectMedia Layer development files
 libsdl2-doc - Reference manual for libsdl2
Closes: 878264
Changes:
 libsdl2 (2.0.6+dfsg1-4) unstable; urgency=high
 .
   * Import further upstream patches for CVE-2017-2888.
     The initial fix was incomplete. (Closes: #878264)
     - d/patches/CVE-2017-2888-1.patch
     - d/patches/CVE-2017-2888-2.patch
     - d/patches/CVE-2017-2888-3.patch







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 12:57:42 2019; Machine Name: buxtehude
