> However in the sdl-image1.2 case upstream did not provide a new release
> addressing these issues, so I guess we'll have to go for targeted fixes. I
> will provide a debdiff shortly. Would you be available to review it? I can
> handle the upload if necessary, or NMU.

as promised, the debdiff for unstable (in attachment).

I only did very quick smoke tests. However, it would be surprising if this
patch broke anything, since it was tested extensively in jessie and the
upstream versions are identical.

(just in case, I smoke test using [0] with valgrind)

cheers,
Hugo

[0] /usr/share/doc/libsdl-image1.2-dev/examples/showimage.c

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru sdl-image1.2-1.2.12/debian/changelog sdl-image1.2-1.2.12/debian/changelog
--- sdl-image1.2-1.2.12/debian/changelog	2018-11-04 21:58:30.000000000 -0200
+++ sdl-image1.2-1.2.12/debian/changelog	2019-07-24 20:30:03.000000000 -0300
@@ -1,3 +1,16 @@
+sdl-image1.2 (1.2.12-11) unstable; urgency=medium
+
+  * Non-maintainer upload with permission of maintainers.
+  * Multiple security fixes (Closes: #932755):
+    - CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c.
+    - CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+    - CVE-2019-12216, CVE-2019-12217,
+      CVE-2019-12218, CVE-2019-12219,
+      CVE-2019-12220, CVE-2019-12221,
+      CVE-2019-12222, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre <h...@debian.org>  Wed, 24 Jul 2019 20:30:03 -0300
+
 sdl-image1.2 (1.2.12-10) unstable; urgency=medium
 
   * Non-maintainer upload with permission of maintainers.
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	1969-12-31 21:00:00.000000000 -0300
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	2019-07-24 20:27:21.000000000 -0300
@@ -0,0 +1,83 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga <slou...@libsdl.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c	2019-07-23 11:28:25.847897628 -0300
++++ b/IMG_pcx.c	2019-07-23 11:43:07.748441381 -0300
+@@ -100,6 +100,8 @@
+ 	Uint8 *row, *buf = NULL;
+ 	char *error = NULL;
+ 	int bits, src_bits;
++	int count = 0;
++	Uint8 ch;
+ 
+ 	if ( !src ) {
+ 		/* The error message has been set in SDL_RWFromFile */
+@@ -148,14 +150,14 @@
+ 	bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ 	if (bpl > surface->pitch) {
+ 		error = "bytes per line is too large (corrupt?)";
++		goto done;
+ 	}
+-	buf = calloc(SDL_max(bpl, surface->pitch), 1);
++	buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ 	row = surface->pixels;
+ 	for ( y=0; y<surface->h; ++y ) {
+ 		/* decode a scan line to a temporary buffer first */
+-		int i, count = 0;
+-		Uint8 ch;
+-		Uint8 *dst = (src_bits == 8) ? row : buf;
++		int i;
++		Uint8 *dst = buf;
+ 		if ( pcxh.Encoding == 0 ) {
+ 			if(!SDL_RWread(src, dst, bpl, 1)) {
+ 				error = "file truncated";
+@@ -168,14 +170,15 @@
+ 						error = "file truncated";
+ 						goto done;
+ 					}
+-					if( (ch & 0xc0) == 0xc0) {
+-						count = ch & 0x3f;
++					if( ch < 0xc0) {
++						count = 1;
++					} else {
++						count = ch - 0xc0;
+ 						if(!SDL_RWread(src, &ch, 1, 1)) {
+ 							error = "file truncated";
+ 							goto done;
+ 						}
+-					} else
+-						count = 1;
++					}
+ 				}
+ 				dst[i] = ch;
+ 				count--;
+@@ -207,10 +210,16 @@
+ 				int x;
+ 				dst = row + plane;
+ 				for(x = 0; x < width; x++) {
++					if ( dst >= row+surface->pitch ) {
++						error = "decoding out of bounds (corrupt?)";
++						goto done;
++					}
+ 					*dst = *src++;
+ 					dst += pcxh.NPlanes;
+ 				}
+ 			}
++		} else {
++			SDL_memcpy(row, buf, bpl);
+ 		}
+ 
+ 		row += surface->pitch;
+@@ -227,8 +236,9 @@
+ 			/* look for a 256-colour palette */
+ 			do {
+ 				if ( !SDL_RWread(src, &ch, 1, 1)) {
+-					error = "file truncated";
+-					goto done;
++					/* Couldn't find the palette, try the end of the file */
++					SDL_RWseek(src, -768, RW_SEEK_END);
++					break;
+ 				}
+ 			} while ( ch != 12 );
+ 
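Review bot: The fallback added in the palette-marker loop ignores the return value of `SDL_RWseek(src, -768, RW_SEEK_END)`; on a file shorter than 768 bytes the seek fails and the stream is left wherever the failed marker read stopped, so the palette is read from there. Whether that is caught depends on the palette read that follows the loop, which lies outside this hunk; if it checks SDL_RWread like the other reads here do, the file is still rejected as truncated, otherwise `if (SDL_RWseek(src, -768, RW_SEEK_END) < 0) { error = "file truncated"; goto done; }` preserves the old failure mode. Independently, this part is a behaviour change rather than an overflow fix: a file without the 0x0C marker was previously rejected and is now accepted, which the patch's Description field should mention, e.g. ` Also reads the palette from the last 768 bytes of the file when the 0x0C marker is missing.` IMG_LoadPCX_RW starts and ends outside the hunk.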
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch	1969-12-31 21:00:00.000000000 -0300
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch	2019-07-24 20:27:21.000000000 -0300
@@ -0,0 +1,15 @@
+Description: fix invalid data read on bpl == -1
+ Issue known as TALOS-2019-0821, or CVE-2019-5052.
+Author: Sam Lantinga <slou...@libsdl.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/b920be2b3fc6
+--- a/IMG_pcx.c	2019-07-23 11:55:37.921487131 -0300
++++ b/IMG_pcx.c	2019-07-23 11:55:46.429453620 -0300
+@@ -148,7 +148,7 @@
+ 		goto done;
+ 
+ 	bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+-	if (bpl > surface->pitch) {
++	if (bpl < 0 || bpl > surface->pitch) {
+ 		error = "bytes per line is too large (corrupt?)";
+ 		goto done;
+ 	}
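Review bot: As applied in the order given by debian/patches/series, the `bpl < 0 || bpl > surface->pitch` guard added here is deleted again by IMG_pcx-out-of-bounds.patch, which replaces it with an unchecked `SDL_calloc(bpl, 1)`; the final IMG_pcx.c therefore carries no bpl range check at all, although the changelog lists CVE-2019-5052 as fixed by this entry. If the upstream follow-up is meant to supersede this patch, say so in its header, e.g. ` Superseded in-tree by IMG_pcx-out-of-bounds.patch; kept for traceability.`; otherwise the later patch should retain a range check. Separately, the message "bytes per line is too large (corrupt?)" now also fires for a negative bpl; `error = "bytes per line is invalid (corrupt?)";` would describe both cases. Whether bpl can actually go negative depends on the types of pcxh.NPlanes and pcxh.BytesPerLine, which are outside the hunk.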
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-7635.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-7635.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-7635.patch	1969-12-31 21:00:00.000000000 -0300
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-7635.patch	2019-07-24 20:27:21.000000000 -0300
@@ -0,0 +1,65 @@
+Subject: fix Heap-Buffer Overflow in Blit1to4 (IMG_bmp.c)
+Author: Sam Lantinga <slou...@libsdl.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/03bd33e8cb49
+--- a/IMG_bmp.c	2019-07-23 11:59:17.032624113 -0300
++++ b/IMG_bmp.c	2019-07-23 12:01:39.804061761 -0300
+@@ -292,6 +292,14 @@
+ 			ExpandBMP = biBitCount;
+ 			biBitCount = 8;
+ 			break;
++		case 2:
++		case 3:
++		case 5:
++		case 6:
++		case 7:
++			IMG_SetError("%d-bpp BMP images are not supported", biBitCount);
++			was_error = SDL_TRUE;
++			goto done;
+ 		default:
+ 			ExpandBMP = 0;
+ 			break;
+@@ -444,7 +452,12 @@
+ 						goto done;
+ 					}
+ 				}
+-				*(bits+i) = (pixel>>shift);
++				bits[i] = (pixel >> shift);
++				if (bits[i] >= biClrUsed) {
++					IMG_SetError("A BMP image contains a pixel with a color out of the palette");
++					was_error = SDL_TRUE;
++					goto done;
++				}
+ 				pixel <<= ExpandBMP;
+ 			} }
+ 			break;
+@@ -456,6 +469,15 @@
+ 				was_error = SDL_TRUE;
+ 				goto done;
+ 			}
++			if (biBitCount == 8 && palette && biClrUsed < (1 << biBitCount)) {
++				for (i = 0; i < surface->w; ++i) {
++					if (bits[i] >= biClrUsed) {
++						IMG_SetError("A BMP image contains a pixel with a color out of the palette");
++						was_error = SDL_TRUE;
++						goto done;
++					}
++				}
++			}
+ #if SDL_BYTEORDER == SDL_BIG_ENDIAN
+ 			/* Byte-swap the pixels if needed. Note that the 24bpp
+ 			   case has already been taken care of above. */
+@@ -650,6 +672,14 @@
+             Bmask = 0x000000FF;
+             ExpandBMP = 0;
+             break;
++        case 2:
++        case 3:
++        case 5:
++        case 6:
++        case 7:
++            SDL_SetError("%d-bpp BMP images are not supported", biBitCount);
++            was_error = SDL_TRUE;
++            goto done;
+         default:
+             IMG_SetError("ICO file with unsupported bit count");
+             was_error = SDL_TRUE;
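Review bot: The ICO-path rejection of 2/3/5/6/7-bpp images reports through `SDL_SetError` while the identical BMP-path rejection earlier in this patch, and the `default:` case right below it, use `IMG_SetError`; `IMG_SetError("%d-bpp BMP images are not supported", biBitCount);` keeps the two paths consistent, assuming IMG_SetError wraps SDL_SetError as its other uses in this file suggest. The new per-pixel palette checks compare `bits[i]` against `biClrUsed`; they only reject out-of-palette indices if biClrUsed has been normalised to the real palette size for headers that leave it 0, which is not visible in this hunk — a comment such as `/* biClrUsed is the palette size here, never 0 */` at the first check would document that precondition if it holds. The BMP loader and the ICO loader both start and end outside the hunk.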
diff -Nru sdl-image1.2-1.2.12/debian/patches/IMG_pcx-out-of-bounds.patch sdl-image1.2-1.2.12/debian/patches/IMG_pcx-out-of-bounds.patch
--- sdl-image1.2-1.2.12/debian/patches/IMG_pcx-out-of-bounds.patch	1969-12-31 21:00:00.000000000 -0300
+++ sdl-image1.2-1.2.12/debian/patches/IMG_pcx-out-of-bounds.patch	2019-07-24 20:27:21.000000000 -0300
@@ -0,0 +1,71 @@
+Description: fix multiple OOB issues in IMG_pcx.c
+ This patches addresses following issues: CVE-2019-12222, CVE-2019-12221,
+ CVE-2019-12220, CVE-2019-12219 and CVE-2019-12217.
+Author: Sam Lantinga <slou...@libsdl.org>, Hugo Lefeuvre <h...@debian.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34
+--- a/IMG_pcx.c	2019-07-23 11:56:00.765397153 -0300
++++ b/IMG_pcx.c	2019-07-23 11:51:23.082490857 -0300
+@@ -148,18 +148,17 @@
+ 		goto done;
+ 
+ 	bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+-	if (bpl < 0 || bpl > surface->pitch) {
+-		error = "bytes per line is too large (corrupt?)";
++	buf = (Uint8 *)SDL_calloc(bpl, 1);
++	if ( !buf ) {
++		error = "Out of memory";
+ 		goto done;
+ 	}
+-	buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ 	row = surface->pixels;
+ 	for ( y=0; y<surface->h; ++y ) {
+ 		/* decode a scan line to a temporary buffer first */
+ 		int i;
+-		Uint8 *dst = buf;
+ 		if ( pcxh.Encoding == 0 ) {
+-			if(!SDL_RWread(src, dst, bpl, 1)) {
++			if(!SDL_RWread(src, buf, bpl, 1)) {
+ 				error = "file truncated";
+ 				goto done;
+ 			}
+@@ -180,7 +179,7 @@
+ 						}
+ 					}
+ 				}
+-				dst[i] = ch;
++				buf[i] = ch;
+ 				count--;
+ 			}
+ 		}
+@@ -202,13 +201,21 @@
+ 					}
+ 				}
+ 			}
++		} else if ( src_bits == 8 ) {
++			/* directly copy buf content to row */
++			Uint8 *innerSrc = buf;
++			int x;
++			Uint8 *dst = row;
++			for ( x = 0; x < width; x++ ) {
++				*dst++ = *innerSrc++;
++			}
+  		} else if(src_bits == 24) {
+ 			/* de-interlace planes */
+ 			Uint8 *src = buf;
+ 			int plane;
+ 			for(plane = 0; plane < pcxh.NPlanes; plane++) {
+ 				int x;
+-				dst = row + plane;
++				Uint8 *dst = row + plane;
+ 				for(x = 0; x < width; x++) {
+ 					if ( dst >= row+surface->pitch ) {
+ 						error = "decoding out of bounds (corrupt?)";
+@@ -218,8 +225,6 @@
+ 					dst += pcxh.NPlanes;
+ 				}
+ 			}
+-		} else {
+-			SDL_memcpy(row, buf, bpl);
+ 		}
+ 
+ 		row += surface->pitch;
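Review bot: The 8-bit copy path added here walks `innerSrc` over `width` bytes of `buf`, and the 24-bit de-interlace (context lines) reads `pcxh.NPlanes * width` bytes from it, but `buf` is now sized to `bpl = pcxh.NPlanes * pcxh.BytesPerLine` with no check that BytesPerLine covers width, and the previous `bpl > surface->pitch` guard is removed rather than replaced. A header whose BytesPerLine is smaller than the image width would therefore read past the end of the new allocation; unless width is bounded by BytesPerLine earlier in the function (outside the hunk), add `if ( pcxh.BytesPerLine < width ) { error = "bytes per line is too small (corrupt?)"; goto done; }` before the SDL_calloc. The destination side of the 8-bit copy has no bound either and relies on surface->pitch being at least width, which is plausible for a surface created with that width but is not shown here. IMG_LoadPCX_RW starts and ends outside the hunk.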
diff -Nru sdl-image1.2-1.2.12/debian/patches/series sdl-image1.2-1.2.12/debian/patches/series
--- sdl-image1.2-1.2.12/debian/patches/series	2018-11-04 21:58:30.000000000 -0200
+++ sdl-image1.2-1.2.12/debian/patches/series	2019-07-24 20:30:03.000000000 -0300
@@ -10,3 +10,7 @@
 CVE-2018-3838.patch
 CVE-2018-3839.patch
 CVE-2018-3977.patch
+CVE-2019-12218.patch
+CVE-2019-5052.patch
+IMG_pcx-out-of-bounds.patch
+CVE-2019-7635.patch

Attachment: signature.asc
Description: PGP signature
