Debian Bug report logs - #912617
libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 1 Nov 2018 21:51:02 UTC
Severity: grave
Tags: patch, security, upstream
Found in versions libsdl2-image/2.0.3+dfsg1-2, libsdl2-image/2.0.1+dfsg-1, libsdl2-image/2.0.1+dfsg-2+deb9u1
Fixed in version libsdl2-image/2.0.3+dfsg1-3
Done: Chris Lamb <lamby@debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>: Bug#912617; Package src:libsdl2-image. (Thu, 01 Nov 2018 21:51:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. (Thu, 01 Nov 2018 21:51:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: libsdl2-image
Version: 2.0.3+dfsg1-2
Severity: grave
Tags: patch security upstream
Justification: user security hole
Control: found -1 2.0.1+dfsg-1
Control: found -1 2.0.1+dfsg-2+deb9u1
Control: clone -1 -2
Control: retitle -2 sdl-image1.2: CVE-2018-3977: do_layer_surface code execution vulnerability
Control: reassign -2 src:sdl-image1.2 1.2.12-9
Control: found -2 1.2.12-5
Control: found -2 1.2.12-5+deb9u1
Hi,
The following vulnerability was published for libsdl2-image.
CVE-2018-3977[0]:
| An exploitable code execution vulnerability exists in the XCF image
| rendering functionality of SDL2_image-2.0.3. A specially crafted XCF
| image can cause a heap overflow, resulting in code execution. An
| attacker can display a specially crafted image to trigger this
| vulnerability.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-3977
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3977
[1] https://talosintelligence.com/vulnerability_reports/TALOS-2018-0645
[2] https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as found in versions libsdl2-image/2.0.1+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 01 Nov 2018 21:51:04 GMT)
Marked as found in versions libsdl2-image/2.0.1+dfsg-2+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 01 Nov 2018 21:51:05 GMT)
Bug 912617 cloned as bug 912618. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 01 Nov 2018 21:51:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>: Bug#912617; Package src:libsdl2-image. (Sun, 04 Nov 2018 14:48:03 GMT)
Acknowledgement sent to Chris Lamb <lamby@debian.org>: Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. (Sun, 04 Nov 2018 14:48:03 GMT)
Message #16 received at 912617@bugs.debian.org:
Hi SDL maintainers & security team,
> libsdl2-image: CVE-2018-3977: do_layer_surface code execution
> vulnerability
The attached patches apply cleanly to jessie, stretch and sid
respectively. (Looks like they reformatted their code later on.)
I am happy to upload/handle jessie, but I can also work on the
stable/sid releases too if you wish; please let me know.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
[CVE-2018-3977_stretch.patch (text/x-patch, attachment)]
[CVE-2018-3977_sid.patch (text/x-patch, attachment)]
[CVE-2018-3977_jessie.patch (text/x-patch, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>: Bug#912617; Package src:libsdl2-image. (Sun, 04 Nov 2018 15:27:03 GMT)
Acknowledgement sent to "Manuel A. Fernandez Montecelo" <manuel.montezelo@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. (Sun, 04 Nov 2018 15:27:03 GMT)
Message #21 received at 912617@bugs.debian.org:
Hi Chris,
On Sun, 4 Nov 2018 at 15:48, Chris Lamb <lamby@debian.org> wrote:
>
> Hi SDL maintainers & security team,
>
> > libsdl2-image: CVE-2018-3977: do_layer_surface code execution
> > vulnerability
>
> The attached patches apply cleanly to jessie, stretch and sid
> respectively. (Looks like they reformatted their code later on.)
>
> I am happy to upload/handle jessie, but I can also work on the
> stable/sid releases too if you wish; please let me know.
I am enjoying a kind of a "long weekend" / mini-holidays, could not
work on it so far and will not at least for another 3 or 4 days, and
since the rest of the team did not reply to the original report I
suppose that it's better that you go ahead unless they reply between
now and you reading this e-mail.
Thanks to the several people involved in the work, both for the report
and patches and the offer to fix!
Cheers.
--
Manuel A. Fernandez Montecelo <manuel.montezelo@gmail.com>
Information forwarded to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>: Bug#912617; Package src:libsdl2-image. (Sun, 04 Nov 2018 16:30:09 GMT)
Acknowledgement sent to Chris Lamb <lamby@debian.org>: Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. (Sun, 04 Nov 2018 16:30:09 GMT)
Message #26 received at 912617@bugs.debian.org:
Hi Manuel,
> I suppose that it's better that you go ahead unless they reply
> between now and you reading this e-mail.
Sure. From this I will go ahead and upload to sid. I've requested
access to the Salsa group so I can push my changes.
(I still await the Security Team on stable.)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Information forwarded to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>: Bug#912617; Package src:libsdl2-image. (Sun, 04 Nov 2018 22:24:05 GMT)
Acknowledgement sent to "Manuel A. Fernandez Montecelo" <manuel.montezelo@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. (Sun, 04 Nov 2018 22:24:06 GMT)
Message #31 received at 912617@bugs.debian.org:
Hi,
On Sun, 4 Nov 2018 at 17:28, Chris Lamb <lamby@debian.org> wrote:
>
> > I suppose that it's better that you go ahead unless they reply
> > between now and you reading this e-mail.
>
> Sure. From this I will go ahead and upload to sid. I've requested
> access to the Salsa group so I can push my changes.
I was planning to gbp-import-dsc, but if you prefer I'll grant you access, sure.
> (I still await the Security Team on stable.)
OK, if you need any help please tell. I might not be around much in
the next days, but I will try to be responsive.
Cheers.
--
Manuel A. Fernandez Montecelo <manuel.montezelo@gmail.com>
Reply sent to Chris Lamb <lamby@debian.org>: You have taken responsibility. (Mon, 05 Nov 2018 00:09:05 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Mon, 05 Nov 2018 00:09:05 GMT)
Message #36 received at 912617-close@bugs.debian.org:
Source: libsdl2-image
Source-Version: 2.0.3+dfsg1-3
We believe that the bug you reported is fixed in the latest version of
libsdl2-image, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 912617@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Chris Lamb <lamby@debian.org> (supplier of updated libsdl2-image package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 04 Nov 2018 23:34:39 +0000
Source: libsdl2-image
Binary: libsdl2-image-2.0-0 libsdl2-image-dev
Architecture: source amd64
Version: 2.0.3+dfsg1-3
Distribution: unstable
Urgency: high
Maintainer: Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description:
libsdl2-image-2.0-0 - Image loading library for Simple DirectMedia Layer 2, libraries
libsdl2-image-dev - Image loading library for Simple DirectMedia Layer 2, development
Closes: 912617
Changes:
libsdl2-image (2.0.3+dfsg1-3) unstable; urgency=high
.
* Non-maintainer upload with permission of maintainers.
* CVE-2018-3977: Prevent a potential buffer overflow on a corrupt or
maliciously-crafted XCF file. (Closes: #912617)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>: Bug#912617; Package src:libsdl2-image. (Mon, 05 Nov 2018 00:18:03 GMT)
Acknowledgement sent to Chris Lamb <lamby@debian.org>: Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. (Mon, 05 Nov 2018 00:18:03 GMT)
Message #41 received at 912617@bugs.debian.org:
Hi Manuel,
> > Sure. From this I will go ahead and upload to sid. I've requested
> > access to the Salsa group so I can push my changes.
>
> I was planning to gbp-import-dsc, but if you prefer I'll grant you access, sure.
This should save you some effort at least. So, I've:
* Uploaded libsdl2-image 2.0.3+dfsg1-3 to fix #912617 in sid.
* Uploaded sdl-image1.2 1.2.12-10 to sid to fix #912618 in sid.
I will address jessie in the next day or so, although I think I
would prefer to attack stable first.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Information forwarded to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>: Bug#912617; Package src:libsdl2-image. (Wed, 07 Nov 2018 08:54:05 GMT)
Acknowledgement sent to Chris Lamb <lamby@debian.org>: Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. (Wed, 07 Nov 2018 08:54:05 GMT)
Message #46 received at 912617@bugs.debian.org:
Chris Lamb wrote:
> * Uploaded libsdl2-image 2.0.3+dfsg1-3 to fix #912617 in sid.
>
> * Uploaded sdl-image1.2 1.2.12-10 to sid to fix #912618 in sid.
>
> I will address jessie in the next day or so, although I think I
> would prefer to attack stable first.
Security team, can I gently ping you on whether I should go ahead
with preparing uploads for these?
Best wishes,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Information forwarded to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>: Bug#912617; Package src:libsdl2-image. (Wed, 07 Nov 2018 22:12:03 GMT)
Acknowledgement sent to Chris Lamb <lamby@debian.org>: Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. (Wed, 07 Nov 2018 22:12:03 GMT)
Message #51 received at 912617@bugs.debian.org:
(Forwarding for completeness)
----- Original message -----
From: Moritz Mühlenhoff <jmm@inutil.org>
To: Chris Lamb <lamby@debian.org>
Cc: "Manuel A. Fernandez Montecelo" <manuel.montezelo@gmail.com>, team@security.debian.org
Subject: Re: Bug#912617: libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability
Date: Wed, 7 Nov 2018 23:07:52 +0100
On Wed, Nov 07, 2018 at 05:02:39PM -0500, Chris Lamb wrote:
> Dear Moritz,
>
> I notice you (?) dropped the related bug numbers. Was this deliberate?
Sorry, accidental. I meant to strip Salvatore as he's already getting those
mails via team@sdo and dropped the bugs by accident.
> > I don't think this warrants a DSA, IMG_LoadXCF_RW() doesn't seem to be in use
> > in the archive at all and it's hard to imagine a real world SDL application
> > parsing XCF files from untrusted sources.
>
> ACK here. I've updated the tracker for stretch here:
>
> https://salsa.debian.org/security-tracker-team/security-tracker/commit/bb671421029223793d3e1e7c4e07d898a1a3aedb
>
> (Let me know if I shouldn't ever touch stable.)
Thanks, committing changes for stable is totally fine if it's recording
existing discussions!
Cheers,
Moritz
Last modified: Wed Jun 19 16:52:56 2019