Hi Hugo,

On Mon, Aug 05, 2019 at 08:28:00AM +0200, Hugo Lefeuvre wrote:
> Hi Salvatore,
>
> > Maybe I'm missing something but please double check. Can it be
> > that the stretch-pu upload contains the fix
> > https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10 for TALOS-2019-0842
> > but the buster-pu one missed it? (Note this has a new CVE assigned
> > CVE-2019-5058, the change afaics is included in your stretch-pu
> > debdiff, is this right? but not in the buster-pu one?)
>
> Thanks for catching this. The situation is quite messy, so I will try to
> summarize it in a few words.
>
> CVE-2018-3977 is the actual buffer overflow in IMG_pcx.c. This
> vulnerability was "fixed" via [0], however the fix is broken (the check
> should be done for y, not ty). Talos decided to report the remaining issue
> as a separate vulnerability, TALOS-2019-0842, which was recently assigned
> CVE-2019-5058. It was fixed via [1].
>
> CVE-2019-5058/TALOS-2019-0842 is not a new vulnerability, it's just
> CVE-2018-3977 which wasn't fixed properly.

Ack, thanks for summarizing the situation.

> Buster received [0] per 2.0.4+dfsg1-1, but not [1]. Even if I was aware
> that the initial patch was broken (see stretch patch descriptions), I
> failed to handle this properly in the buster version.
>
> As far as I remember, I did not upload this diff yet. I'll just provide an
> updated version asap. I will also update the testing NMU[2], which I
> fortunately did not upload yet.

Perfect, thank you for that!

Regards,
Salvatore