libsdl2-image: CVE-2017-2887: Incorrect XCF property handling

Related Vulnerabilities: CVE-2017-2887  

Debian Bug report logs - #878266

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 11 Oct 2017 21:24:04 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions libsdl2-image/2.0.0+dfsg-3, libsdl2-image/2.0.1+dfsg-1

Fixed in versions libsdl2-image/2.0.1+dfsg-4, libsdl2-image/2.0.0+dfsg-3+deb8u1, libsdl2-image/2.0.1+dfsg-2+deb9u1

Done: Felix Geyer <fgeyer@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>:
Bug#878266; Package src:libsdl2-image. (Wed, 11 Oct 2017 21:24:07 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. (Wed, 11 Oct 2017 21:24:07 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libsdl2-image: CVE-2017-2887: Incorrect XCF property handling
Date: Wed, 11 Oct 2017 23:22:10 +0200
Source: libsdl2-image
Version: 2.0.1+dfsg-1
Severity: grave
Tags: patch security upstream
Control: clone -1 -2
Control: reassign -2 src:sdl-image1.2
Control: found -2 1.2.12-1
Control: retitle -2 sdl-image1.2: CVE-2017-2887: Incorrect XCF property handling

Hi,

the following vulnerability was published for libsdl2-image.

CVE-2017-2887[0]:
| An exploitable buffer overflow vulnerability exists in the XCF
| property handling functionality of SDL_image 2.0.1. A specially
| crafted xcf file can cause a stack-based buffer overflow resulting in
| potential code execution. An attacker can provide a specially crafted
| XCF file to trigger this vulnerability.

The same is found in sdl-image1.2 afaics, but please double check. I'm
cloning this bug for the second source package.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-2887
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2887
[1] https://hg.libsdl.org/SDL_image/rev/318484db0705

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Bug 878266 cloned as bug 878267. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 11 Oct 2017 21:24:07 GMT).


Marked as found in versions libsdl2-image/2.0.0+dfsg-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 11 Oct 2017 21:27:06 GMT).


Reply sent to Felix Geyer <fgeyer@debian.org>:
You have taken responsibility. (Wed, 18 Oct 2017 21:12:20 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 18 Oct 2017 21:12:20 GMT).


Message #14 received at 878266-close@bugs.debian.org:

From: Felix Geyer <fgeyer@debian.org>
To: 878266-close@bugs.debian.org
Subject: Bug#878266: fixed in libsdl2-image 2.0.1+dfsg-4
Date: Wed, 18 Oct 2017 21:09:30 +0000
Source: libsdl2-image
Source-Version: 2.0.1+dfsg-4

We believe that the bug you reported is fixed in the latest version of
libsdl2-image, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 878266@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Felix Geyer <fgeyer@debian.org> (supplier of updated libsdl2-image package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 18 Oct 2017 22:09:02 +0200
Source: libsdl2-image
Binary: libsdl2-image-2.0-0 libsdl2-image-dev
Architecture: source
Version: 2.0.1+dfsg-4
Distribution: unstable
Urgency: medium
Maintainer: Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>
Changed-By: Felix Geyer <fgeyer@debian.org>
Description:
 libsdl2-image-2.0-0 - Image loading library for Simple DirectMedia Layer 2, libraries
 libsdl2-image-dev - Image loading library for Simple DirectMedia Layer 2, development
Closes: 878266
Changes:
 libsdl2-image (2.0.1+dfsg-4) unstable; urgency=medium
 .
   [ Manuel A. Fernandez Montecelo ]
   * d/copyright: Fix missing "General" in LGPL license
 .
   [ Felix Geyer ]
   * Fix CVE-2017-2887: buffer overflow in the XCF property handling.
     (Closes: #878266)




Marked as fixed in versions libsdl2-image/2.0.0+dfsg-3+deb8u1. Request was from Felix Geyer <fgeyer@debian.org> to control@bugs.debian.org. (Sun, 29 Apr 2018 18:42:03 GMT).


Marked as fixed in versions libsdl2-image/2.0.1+dfsg-2+deb9u1. Request was from Felix Geyer <fgeyer@debian.org> to control@bugs.debian.org. (Sun, 29 Apr 2018 18:42:04 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 15 Jul 2018 07:30:53 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:13:33 2019; Machine Name: buxtehude
