Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
Hi, libsdl2-image is currently affected by the following security issues: * CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c. * CVE-2019-5051: heap-based buffer overflow in IMG_pcx.c. * CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c). * CVE-2019-12216, CVE-2019-12217, CVE-2019-12218, CVE-2019-12219, CVE-2019-12220, CVE-2019-12221, CVE-2019-12222: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c). (for more information, see #932754) Attached is a debdiff addressing all of them for buster. All of these patches are from upstream; I have removed whitespace changes and non-security-related refactoring. thanks! cheers, Hugo -- Hugo Lefeuvre (hle) | www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/changelog libsdl2-image-2.0.4+dfsg1/debian/changelog
--- libsdl2-image-2.0.4+dfsg1/debian/changelog 2019-02-03 08:59:26.000000000 -0200
+++ libsdl2-image-2.0.4+dfsg1/debian/changelog 2019-07-26 17:01:14.000000000 -0300
@@ -1,3 +1,17 @@
+libsdl2-image (2.0.4+dfsg1-1+deb10u1) buster; urgency=medium
+
+ * Non-maintainer upload.
+ * Multiple security issues (Closes: #932754):
+ - CVE-2019-5052: integer overflow and subsequent buffer overflow in
+ IMG_pcx.c.
+ - CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+ - CVE-2019-12216, CVE-2019-12217,
+ CVE-2019-12218, CVE-2019-12219,
+ CVE-2019-12220, CVE-2019-12221,
+ CVE-2019-12222, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre <h...@debian.org> Fri, 26 Jul 2019 17:01:14 -0300
+
 libsdl2-image (2.0.4+dfsg1-1) unstable; urgency=medium
 
 * New upstream version.
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch
--- libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch 1969-12-31 21:00:00.000000000 -0300
+++ libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch 2019-07-26 17:01:14.000000000 -0300
@@ -0,0 +1,84 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga <slou...@libsdl.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c 2019-07-26 17:35:40.331470589 -0300
++++ b/IMG_pcx.c 2019-07-26 17:48:45.760965290 -0300
+@@ -98,6 +98,8 @@
+ Uint8 *row, *buf = NULL;
+ char *error = NULL;
+ int bits, src_bits;
++ int count = 0;
++ Uint8 ch;
+ 
+ if ( !src ) {
+ /* The error message has been set in SDL_RWFromFile */
+@@ -146,14 +148,14 @@
+ bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ if (bpl > surface->pitch) {
+ error = "bytes per line is too large (corrupt?)";
++ goto done;
+ }
+- buf = (Uint8 *)SDL_calloc(SDL_max(bpl, surface->pitch), 1);
++ buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ row = (Uint8 *)surface->pixels;
+ for ( y=0; y<surface->h; ++y ) {
+ /* decode a scan line to a temporary buffer first */
+- int i, count = 0;
+- Uint8 ch;
+- Uint8 *dst = (src_bits == 8) ? row : buf;
++ int i;
++ Uint8 *dst = buf;
+ if ( pcxh.Encoding == 0 ) {
+ if(!SDL_RWread(src, dst, bpl, 1)) {
+ error = "file truncated";
+@@ -166,14 +168,15 @@
+ error = "file truncated";
+ goto done;
+ }
+- if( (ch & 0xc0) == 0xc0) {
+- count = ch & 0x3f;
+- if(!SDL_RWread(src, &ch, 1, 1)) {
++ if ( ch < 0xc0 ) {
++ count = 1;
++ } else {
++ count = ch - 0xc0;
++ if( !SDL_RWread(src, &ch, 1, 1)) {
+ error = "file truncated";
+ goto done;
+ }
+- } else
+- count = 1;
++ }
+ }
+ dst[i] = ch;
+ count--;
+@@ -205,10 +208,16 @@
+ int x;
+ dst = row + plane;
+ for(x = 0; x < width; x++) {
++ if ( dst >= row+surface->pitch ) {
++ error = "decoding out of bounds (corrupt?)";
++ goto done;
++ }
+ *dst = *innerSrc++;
+ dst += pcxh.NPlanes;
+ }
+ }
++ } else {
++ SDL_memcpy(row, buf, bpl);
+ }
+ 
+ row += surface->pitch;
+@@ -225,8 +234,9 @@
+ /* look for a 256-colour palette */
+ do {
+ if ( !SDL_RWread(src, &ch, 1, 1)) {
+- error = "file truncated";
+- goto done;
++ /* Couldn't find the palette, try the end of the file */
++ SDL_RWseek(src, -768, RW_SEEK_END);
++ break;
+ }
+ } while ( ch != 12 );
+ 
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-5052.patch libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-5052.patch
--- libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-5052.patch 1969-12-31 21:00:00.000000000 -0300
+++ libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-5052.patch 2019-07-26 17:01:14.000000000 -0300
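Review bot: The return value of `SDL_RWseek(src, -768, RW_SEEK_END)` in the last inner hunk is not checked, so on a file shorter than 768 bytes the seek fails, the loop `break`s with the stream position unchanged, and the palette read that follows (outside this hunk) runs from wherever the search for the 12 marker stopped. Treating a failed seek like the truncated-file case keeps the error path explicit: `if (SDL_RWseek(src, -768, RW_SEEK_END) < 0) { error = "file truncated"; goto done; }`. Separately, `count` now lives at function scope (first inner hunk) so a run length carries across scanlines; a comment at the declaration such as `/* RLE runs may span scanlines, so the counter persists across rows */` would explain why it moved. The enclosing IMG_LoadPCX_RW starts and ends outside the hunk.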
@@ -0,0 +1,15 @@
+Description: fix invalid data read on bpl == -1
+ Issue known as TALOS-2019-0821, or CVE-2019-5052.
+Author: Sam Lantinga <slou...@libsdl.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/b920be2b3fc6
+--- a/IMG_pcx.c 2019-07-26 17:49:10.472114286 -0300
++++ b/IMG_pcx.c 2019-07-26 17:50:15.053906715 -0300
+@@ -146,7 +146,7 @@
+ goto done;
+ 
+ bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+- if (bpl > surface->pitch) {
++ if (bpl < 0 || bpl > surface->pitch) {
+ error = "bytes per line is too large (corrupt?)";
+ goto done;
+ }
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-7635.patch libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-7635.patch
--- libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-7635.patch 1969-12-31 21:00:00.000000000 -0300
+++ libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-7635.patch 2019-07-26 17:01:14.000000000 -0300
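Review bot: The `bpl < 0` guard added here is deleted again by IMG_pcx-out-of-bounds.patch later in the series, which replaces the whole `if (bpl < 0 || bpl > surface->pitch)` block with `SDL_calloc(bpl, 1)`; after the full series a negative `bpl` is rejected only because it converts to a huge size_t and the allocation presumably fails with "Out of memory". If that is the intended end state, the patch description should say so; otherwise validating `pcxh.NPlanes` and `pcxh.BytesPerLine` before the multiplication, and keeping that check through the later patch, is the more explicit fix. The enclosing function starts and ends outside the hunk.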
@@ -0,0 +1,59 @@
+Subject: fix Heap-Buffer Overflow in Blit1to4 (IMG_bmp.c)
+Author: Sam Lantinga <slou...@libsdl.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/03bd33e8cb49
+--- a/IMG_bmp.c 2019-07-26 18:31:09.387643105 -0300
++++ b/IMG_bmp.c 2019-07-26 18:31:21.875151518 -0300
+@@ -371,6 +371,14 @@
+ ExpandBMP = biBitCount;
+ biBitCount = 8;
+ break;
++ case 2:
++ case 3:
++ case 5:
++ case 6:
++ case 7:
++ SDL_SetError("%d-bpp BMP images are not supported", biBitCount);
++ was_error = SDL_TRUE;
++ goto done;
+ default:
+ ExpandBMP = 0;
+ break;
+@@ -511,13 +519,19 @@
+ if ( i%(8/ExpandBMP) == 0 ) {
+ if ( !SDL_RWread(src, &pixel, 1, 1) ) {
+ IMG_SetError("Error reading from BMP");
++ was_error = SDL_TRUE;
++ goto done;
++ }
++ }
++ bits[i] = (pixel >> shift);
++ if (bits[i] >= biClrUsed) {
++ IMG_SetError("A BMP image contains a pixel with a color out of the palette");
+ was_error = SDL_TRUE;
+ goto done;
+ }
++ pixel <<= ExpandBMP;
+ }
+- *(bits+i) = (pixel>>shift);
+- pixel <<= ExpandBMP;
+- } }
++ }
+ break;
+ 
+ default:
+@@ -526,6 +540,15 @@
+ was_error = SDL_TRUE;
+ goto done;
+ }
++ if (biBitCount == 8 && palette && biClrUsed < (1 << biBitCount)) {
++ for (i = 0; i < surface->w; ++i) {
++ if (bits[i] >= biClrUsed) {
++ SDL_SetError("A BMP image contains a pixel with a color out of the palette");
++ was_error = SDL_TRUE;
++ goto done;
++ }
++ }
++ }
+ #if SDL_BYTEORDER == SDL_BIG_ENDIAN
+ /* Byte-swap the pixels if needed. Note that the 24bpp
+ case has already been taken care of above. */
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/patches/IMG_pcx-out-of-bounds.patch libsdl2-image-2.0.4+dfsg1/debian/patches/IMG_pcx-out-of-bounds.patch
--- libsdl2-image-2.0.4+dfsg1/debian/patches/IMG_pcx-out-of-bounds.patch 1969-12-31 21:00:00.000000000 -0300
+++ libsdl2-image-2.0.4+dfsg1/debian/patches/IMG_pcx-out-of-bounds.patch 2019-07-26 17:01:14.000000000 -0300
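Review bot: The new palette-index check `if (bits[i] >= biClrUsed)` in the second inner hunk rejects every pixel when `biClrUsed` is still 0, a value BMP headers may use to mean "all 2^bpp colours"; unless an earlier statement outside the hunk normalises `biClrUsed` to `1 << biBitCount` in that case, previously loadable 1- and 4-bpp files now fail with "A BMP image contains a pixel with a color out of the palette". A comment above the check stating that precondition, e.g. `/* biClrUsed is already normalised; 0 never reaches this point */`, would make the assumption visible. The 8-bpp check in the third inner hunk is guarded by `palette && biClrUsed < (1 << biBitCount)` while the 1/4-bpp path applies its check unconditionally, so the two paths disagree on when the rule is enforced. The added branches also mix `SDL_SetError` (first and third hunks) with the surrounding `IMG_SetError` calls; using one of them consistently would match the rest of the file. The enclosing function starts and ends outside the hunk.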
@@ -0,0 +1,71 @@
+Description: fix multiple OOB issues in IMG_pcx.c
+ This patches addresses following issues: CVE-2019-12222, CVE-2019-12221,
+ CVE-2019-12220, CVE-2019-12219 and CVE-2019-12217.
+Author: Sam Lantinga <slou...@libsdl.org>, Hugo Lefeuvre <h...@debian.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34
+--- a/IMG_pcx.c 2019-07-26 18:04:15.542455425 -0300
++++ b/IMG_pcx.c 2019-07-26 18:04:54.585211727 -0300
+@@ -146,18 +146,17 @@
+ goto done;
+ 
+ bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+- if (bpl < 0 || bpl > surface->pitch) {
+- error = "bytes per line is too large (corrupt?)";
++ buf = (Uint8 *)SDL_calloc(bpl, 1);
++ if ( !buf ) {
++ error = "Out of memory";
+ goto done;
+ }
+- buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ row = (Uint8 *)surface->pixels;
+ for ( y=0; y<surface->h; ++y ) {
+ /* decode a scan line to a temporary buffer first */
+ int i;
+- Uint8 *dst = buf;
+ if ( pcxh.Encoding == 0 ) {
+- if(!SDL_RWread(src, dst, bpl, 1)) {
++ if(!SDL_RWread(src, buf, bpl, 1)) {
+ error = "file truncated";
+ goto done;
+ }
+@@ -178,7 +177,7 @@
+ }
+ }
+ }
+- dst[i] = ch;
++ buf[i] = ch;
+ count--;
+ }
+ }
+@@ -200,13 +199,21 @@
+ }
+ }
+ }
++ } else if ( src_bits == 8 ) {
++ /* directly copy buf content to row */
++ Uint8 *innerSrc = buf;
++ int x;
++ Uint8 *dst = row;
++ for ( x = 0; x < width; x++ ) {
++ *dst++ = *innerSrc++;
++ }
+ } else if(src_bits == 24) {
+ /* de-interlace planes */
+ Uint8 *innerSrc = buf;
+ int plane;
+ for(plane = 0; plane < pcxh.NPlanes; plane++) {
+ int x;
+- dst = row + plane;
++ Uint8 *dst = row + plane;
+ for(x = 0; x < width; x++) {
+ if ( dst >= row+surface->pitch ) {
+ error = "decoding out of bounds (corrupt?)";
+@@ -216,8 +223,6 @@
+ dst += pcxh.NPlanes;
+ }
+ }
+- } else {
+- SDL_memcpy(row, buf, bpl);
+ }
+ 
+ row += surface->pitch;
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/patches/series libsdl2-image-2.0.4+dfsg1/debian/patches/series
--- libsdl2-image-2.0.4+dfsg1/debian/patches/series 1969-12-31 21:00:00.000000000 -0300
+++ libsdl2-image-2.0.4+dfsg1/debian/patches/series 2019-07-26 16:59:47.000000000 -0300
@@ -0,0 +1,4 @@
+CVE-2019-12218.patch
+CVE-2019-5052.patch
+IMG_pcx-out-of-bounds.patch
+CVE-2019-7635.patch
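Review bot: In IMG_pcx-out-of-bounds.patch (the hunk above the series change), dropping `if (bpl < 0 || bpl > surface->pitch)` leaves `buf` sized at `bpl = NPlanes * BytesPerLine` bytes while the new 8-bit copy loop and the existing 24-bit de-interlace each read `width` bytes per plane from it; unless a check outside the hunk guarantees `pcxh.BytesPerLine >= width`, a header whose BytesPerLine is smaller than the image width lets `innerSrc` run past the end of `buf`, and the added `dst >= row+surface->pitch` bound only protects the destination. A check before the allocation, `if (pcxh.BytesPerLine < width) { error = "bytes per line is too small (corrupt?)"; goto done; }`, closes that gap explicitly. The `Description:` header also reads "This patches addresses"; "This patch addresses" is intended. The enclosing function starts and ends outside the hunk.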