Hi Salvatore,

> Maybe I'm missing something but please double check. Can it be
> that the stretch-pu upload contains the fix
> https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10 for TALOS-2019-0842
> but the buster-pu one missed it? (Note this has a new CVE assigned
> CVE-2019-5058, the change afaics is included in your stretch-pu
> debdiff, is this right? but not in the buster-pu one?)
Thanks for catching this. The situation is quite messy, so I will try to summarize it in a few words.

CVE-2018-3977 is the actual buffer overflow in IMG_pcx.c. This vulnerability was "fixed" via [0], however the fix is broken (the check should be done for y, not ty). Talos decided to report the remaining issue as a separate vulnerability, TALOS-2019-0842, which was recently assigned CVE-2019-5058. It was fixed via [1]. CVE-2019-5058/TALOS-2019-0842 is not a new vulnerability, it's just CVE-2018-3977 which wasn't fixed properly.

Buster received [0] per 2.0.4+dfsg1-1, but not [1]. Even though I was aware that the initial patch was broken (see stretch patch descriptions), I failed to handle this properly in the buster version.

As far as I remember, I did not upload this diff yet. I'll just provide an updated version asap. I will also update the testing NMU [2], which I fortunately did not upload yet.

Thanks again!

regards,
Hugo

[0] https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8
[1] https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932755

-- 
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C