libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability

Related Vulnerabilities: CVE-2018-3977  

Debian Bug report logs - #912617

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 1 Nov 2018 21:51:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions libsdl2-image/2.0.3+dfsg1-2, libsdl2-image/2.0.1+dfsg-1, libsdl2-image/2.0.1+dfsg-2+deb9u1

Fixed in version libsdl2-image/2.0.3+dfsg1-3

Done: Chris Lamb <lamby@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>:
Bug#912617; Package src:libsdl2-image. (Thu, 01 Nov 2018 21:51:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. (Thu, 01 Nov 2018 21:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability
Date: Thu, 01 Nov 2018 22:47:20 +0100
Source: libsdl2-image
Version: 2.0.3+dfsg1-2
Severity: grave
Tags: patch security upstream
Justification: user security hole
Control: found -1 2.0.1+dfsg-1
Control: found -1 2.0.1+dfsg-2+deb9u1
Control: clone -1 -2
Control: retitle -2 sdl-image1.2: CVE-2018-3977: do_layer_surface code execution vulnerability
Control: reassign -2 src:sdl-image1.2 1.2.12-9
Control: found -2 1.2.12-5
Control: found -2 1.2.12-5+deb9u1

Hi,

The following vulnerability was published for libsdl2-image.

CVE-2018-3977[0]:
| An exploitable code execution vulnerability exists in the XCF image
| rendering functionality of SDL2_image-2.0.3. A specially crafted XCF
| image can cause a heap overflow, resulting in code execution. An
| attacker can display a specially crafted image to trigger this
| vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-3977
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3977
[1] https://talosintelligence.com/vulnerability_reports/TALOS-2018-0645
[2] https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions libsdl2-image/2.0.1+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 01 Nov 2018 21:51:04 GMT)


Marked as found in versions libsdl2-image/2.0.1+dfsg-2+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 01 Nov 2018 21:51:05 GMT)


Bug 912617 cloned as bug 912618 Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 01 Nov 2018 21:51:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>:
Bug#912617; Package src:libsdl2-image. (Sun, 04 Nov 2018 14:48:03 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. (Sun, 04 Nov 2018 14:48:03 GMT)


Message #16 received at 912617@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 912617@bugs.debian.org, 912618@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>, team@security.debian.org
Subject: Re: libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability
Date: Sun, 04 Nov 2018 09:44:36 -0500
Hi SDL maintainers & security team,

> libsdl2-image: CVE-2018-3977: do_layer_surface code execution
> vulnerability

The attached patches apply cleanly to jessie, stretch and sid
respectfully. (Looks like they reformatted their code later on.)

I am happy to upload handle jessie, but I can also work on the
stable/sid releases too if you wish; please let me know.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
[CVE-2018-3977_stretch.patch (text/x-patch, attachment)]
[CVE-2018-3977_sid.patch (text/x-patch, attachment)]
[CVE-2018-3977_jessie.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>:
Bug#912617; Package src:libsdl2-image. (Sun, 04 Nov 2018 15:27:03 GMT)


Acknowledgement sent to "Manuel A. Fernandez Montecelo" <manuel.montezelo@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. (Sun, 04 Nov 2018 15:27:03 GMT)


Message #21 received at 912617@bugs.debian.org:

From: "Manuel A. Fernandez Montecelo" <manuel.montezelo@gmail.com>
To: Chris Lamb <lamby@debian.org>, 912617@bugs.debian.org
Cc: 912618@bugs.debian.org, team@security.debian.org, carnil@debian.org
Subject: Re: Bug#912617: libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability
Date: Sun, 4 Nov 2018 16:24:58 +0100
Hi Chris,

On Sun, 4 Nov 2018 at 15:48, Chris Lamb <lamby@debian.org> wrote:
>
> Hi SDL maintainers & security team,
>
> > libsdl2-image: CVE-2018-3977: do_layer_surface code execution
> > vulnerability
>
> The attached patches apply cleanly to jessie, stretch and sid
> respectfully. (Looks like they reformatted their code later on.)
>
> I am happy to upload handle jessie, but I can also work on the
> stable/sid releases too if you wish; please let me know.

I am enjoying a kind of a "long weekend" / mini-holidays, could not
work on it so far and will not at least for another 3 or 4 days, and
since the rest of the team did not reply to the original report I
suppose that it's better that you go ahead unless they reply between
now and you reading this e-mail.

Thanks to the several people involved in the work, both for the report
and patches and offer to fix!


Cheers.
-- 
Manuel A. Fernandez Montecelo <manuel.montezelo@gmail.com>



Information forwarded to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>:
Bug#912617; Package src:libsdl2-image. (Sun, 04 Nov 2018 16:30:09 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. (Sun, 04 Nov 2018 16:30:09 GMT)


Message #26 received at 912617@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: "Manuel A. Fernandez Montecelo" <manuel.montezelo@gmail.com>, 912617@bugs.debian.org
Cc: 912618@bugs.debian.org, team@security.debian.org, carnil@debian.org
Subject: Re: Bug#912617: libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability
Date: Sun, 04 Nov 2018 11:28:07 -0500
Hi Manuel,

> I suppose that it's better that you go ahead unless they reply
> between now and you reading this e-mail.

Sure. From this I will go ahead and upload to sid. I've requested
access to the Salsa group so I can push my changes.

(I still await the Security Team on stable.)


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>:
Bug#912617; Package src:libsdl2-image. (Sun, 04 Nov 2018 22:24:05 GMT)


Acknowledgement sent to "Manuel A. Fernandez Montecelo" <manuel.montezelo@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. (Sun, 04 Nov 2018 22:24:06 GMT)


Message #31 received at 912617@bugs.debian.org:

From: "Manuel A. Fernandez Montecelo" <manuel.montezelo@gmail.com>
To: Chris Lamb <lamby@debian.org>
Cc: 912617@bugs.debian.org, 912618@bugs.debian.org, team@security.debian.org, carnil@debian.org
Subject: Re: Bug#912617: libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability
Date: Sun, 4 Nov 2018 23:21:21 +0100
Hi,

On Sun, 4 Nov 2018 at 17:28, Chris Lamb <lamby@debian.org> wrote:
>
> > I suppose that it's better that you go ahead unless they reply
> > between now and you reading this e-mail.
>
> Sure. From this I will go ahead and upload to sid. I've requested
> access to the Salsa group so I can push my changes.

I was planning to gbp-import-dsc, but if you prefer I'll grant you access, sure.


> (I still await the Security Team on stable.)

OK, if you need any help please tell.  I might not be around much in
the next days, but I will try to be responsive.


Cheers.
-- 
Manuel A. Fernandez Montecelo <manuel.montezelo@gmail.com>



Reply sent to Chris Lamb <lamby@debian.org>:
You have taken responsibility. (Mon, 05 Nov 2018 00:09:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 05 Nov 2018 00:09:05 GMT)


Message #36 received at 912617-close@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 912617-close@bugs.debian.org
Subject: Bug#912617: fixed in libsdl2-image 2.0.3+dfsg1-3
Date: Mon, 05 Nov 2018 00:04:52 +0000
Source: libsdl2-image
Source-Version: 2.0.3+dfsg1-3

We believe that the bug you reported is fixed in the latest version of
libsdl2-image, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 912617@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated libsdl2-image package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 04 Nov 2018 23:34:39 +0000
Source: libsdl2-image
Binary: libsdl2-image-2.0-0 libsdl2-image-dev
Architecture: source amd64
Version: 2.0.3+dfsg1-3
Distribution: unstable
Urgency: high
Maintainer: Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
 libsdl2-image-2.0-0 - Image loading library for Simple DirectMedia Layer 2, libraries
 libsdl2-image-dev - Image loading library for Simple DirectMedia Layer 2, development
Closes: 912617
Changes:
 libsdl2-image (2.0.3+dfsg1-3) unstable; urgency=high
 .
   * Non-maintainer upload with permission of maintainers.
   * CVE-2018-3977: Prevent a potential buffer overflow on a corrupt or
     maliciously-crafted XCF file. (Closes: #912617)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>:
Bug#912617; Package src:libsdl2-image. (Mon, 05 Nov 2018 00:18:03 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. (Mon, 05 Nov 2018 00:18:03 GMT)


Message #41 received at 912617@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: "Manuel A. Fernandez Montecelo" <manuel.montezelo@gmail.com>
Cc: 912617@bugs.debian.org, 912618@bugs.debian.org, team@security.debian.org, carnil@debian.org
Subject: Re: Bug#912617: libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability
Date: Sun, 04 Nov 2018 19:16:28 -0500
Hi Manuel,

> > Sure. From this I will go ahead and upload to sid. I've requested
> > access to the Salsa group so I can push my changes.
>
> I was planning to gbp-import-dsc, but if you prefer I'll grant you access, sure.

This should save you some effort at least. So, I've:

 * Uploaded libsdl2-image 2.0.3+dfsg1-3 to fix #912617 in sid.

 * Uploaded sdl-image1.2 1.2.12-10 to sid to fix #912618 in sid.

I will address jessie in the next day or so, although I think I
would prefer to attack stable first.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>:
Bug#912617; Package src:libsdl2-image. (Wed, 07 Nov 2018 08:54:05 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. (Wed, 07 Nov 2018 08:54:05 GMT)


Message #46 received at 912617@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: "Manuel A. Fernandez Montecelo" <manuel.montezelo@gmail.com>
Cc: 912617@bugs.debian.org, 912618@bugs.debian.org, team@security.debian.org, carnil@debian.org
Subject: Re: Bug#912617: libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability
Date: Wed, 07 Nov 2018 03:46:40 -0500
Chris Lamb wrote:

>  * Uploaded libsdl2-image 2.0.3+dfsg1-3 to fix #912617 in sid.
> 
>  * Uploaded sdl-image1.2 1.2.12-10 to sid to fix #912618 in sid.
> 
> I will address jessie in the next day or so, although I think I
> would prefer to attack stable first.

Security team, can I gently ping you on whether I should go ahead
with preparing uploads for these?


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>:
Bug#912617; Package src:libsdl2-image. (Wed, 07 Nov 2018 22:12:03 GMT)


Acknowledgement sent to "Chris Lamb " <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. (Wed, 07 Nov 2018 22:12:03 GMT)


Message #51 received at 912617@bugs.debian.org:

From: "Chris Lamb " <lamby@debian.org>
To: 912617@bugs.debian.org, 912618@bugs.debian.org
Subject: Fwd: Re: Bug#912617: libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability
Date: Wed, 07 Nov 2018 17:09:37 -0500
(Forwarding for completeness)

----- Original message -----
From: Moritz Mühlenhoff <jmm@inutil.org>
To: Chris Lamb <lamby@debian.org>
Cc: "Manuel A. Fernandez Montecelo" <manuel.montezelo@gmail.com>, team@security.debian.org
Subject: Re: Bug#912617: libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability
Date: Wed, 7 Nov 2018 23:07:52 +0100

On Wed, Nov 07, 2018 at 05:02:39PM -0500, Chris Lamb wrote:
> Dear Moritz,
> 
> I notice you (?) dropped the related bug numbers. Was this deliberate?

Sorry, accidental. I meant to strip Salvatore as he's already getting those
mails via team@sdo and dropped the bugs by accident.

> > I don't think this warrants a DSA, IMG_LoadXCF_RW() doesn't seem to be in use
> > in the archive at all and it's hard to imagine a real world SDL application
> > parsing XCF files from untrusted sources.
> 
> ACK here. I've updated the tracker for stretch here:
> 
>   https://salsa.debian.org/security-tracker-team/security-tracker/commit/bb671421029223793d3e1e7c4e07d898a1a3aedb
> 
> (Let me know if I shouldn't ever touch stable.)

Thanks, committing changes for stable is totally fine if it's recording
existing discussions!

Cheers,
        Moritz



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:52:56 2019; Machine Name: beach