Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-CC: t...@security.debian.org
Hi, sdl-image1.2 is affected by a number of security issues in buster. Impact is quite minor, but it would still be nice to get them fixed. Attached is a debdiff addressing most of them for buster. libsdl2-image 2.0.4+dfsg1+deb10u1 and 2.0.1+dfsg-2+deb9u2 have already been accepted in stretch-pu and buster-pu, those are the same issues and the same patches. (I initially intended to submit -pu requests for both sdl-image1.2 and libsdl2 at the same time, but for a number of reasons sdl-image1.2 was delayed) This is essentially the same update as 1.2.12-5+deb9u2, see #936051. thanks! cheers, Hugo -- Hugo Lefeuvre (hle) | www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru sdl-image1.2-1.2.12/debian/changelog sdl-image1.2-1.2.12/debian/changelog
--- sdl-image1.2-1.2.12/debian/changelog 2018-11-04 18:58:30.000000000 -0500
+++ sdl-image1.2-1.2.12/debian/changelog 2019-08-29 08:51:05.000000000 -0400
@@ -1,3 +1,17 @@
+sdl-image1.2 (1.2.12-10+deb10u1) buster; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2019-5058: Fix CVE-2018-3977.patch from previous upload: check should
+ be done for y, not ty (Closes: #932755).
+ * CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c.
+ * CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+ * CVE-2019-12216, CVE-2019-12217,
+ CVE-2019-12218, CVE-2019-12219,
+ CVE-2019-12220, CVE-2019-12221,
+ CVE-2019-12222, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre <h...@debian.org> Thu, 29 Aug 2019 08:51:05 -0400
+
sdl-image1.2 (1.2.12-10) unstable; urgency=medium

* Non-maintainer upload with permission of maintainers.
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch 2018-11-04 18:58:30.000000000 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch 2019-08-29 08:51:05.000000000 -0400
@@ -9,15 +9,13 @@ IMG_xcf.c | 3 +++ 1 file changed, 3 insertions(+) -diff --git a/IMG_xcf.c b/IMG_xcf.c -index 064e641..93b6929 100644 ---- a/IMG_xcf.c -+++ b/IMG_xcf.c -@@ -634,6 +634,9 @@ static int do_layer_surface (SDL_Surface * surface, SDL_RWops * src, xcf_header +--- a/IMG_xcf.c 2019-08-29 09:34:10.888355386 -0400 ++++ b/IMG_xcf.c 2019-08-29 09:34:37.702747635 -0400 +@@ -634,6 +634,9 @@ p16 = (Uint16 *) p8; p = (Uint32 *) p8; for (y=ty; y < ty+oy; y++) { -+ if ((ty >= surface->h) || ((tx+ox) > surface->w)) { ++ if ((y >= surface->h) || ((tx+ox) > surface->w)) { + break; + } row = (Uint32 *)((Uint8 *)surface->pixels + y*surface->pitch + tx*4); diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch --- sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch 1969-12-31 19:00:00.000000000 -0500 +++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch 2019-08-29 08:49:56.000000000 -0400 
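Review bot: The corrected guard in the `@@ -634` hunk evaluates `(tx+ox) > surface->w` on every iteration of `for (y=ty; y < ty+oy; y++)` although neither operand changes inside the loop, so a per-tile condition reads as a per-row one; checking it once before the loop and keeping only `if (y >= surface->h) { break; }` inside makes the two bounds easier to audit. Neither comparison rejects a negative `tx` or `ty`; if those are signed values taken from the file (their parsing is not in this hunk), `y*surface->pitch + tx*4` could still address memory before `surface->pixels`, so it is worth confirming they are validated where the layer header is read. do_layer_surface starts and ends outside the hunk.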
@@ -0,0 +1,83 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga <slou...@libsdl.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c 2019-07-23 11:28:25.847897628 -0300
++++ b/IMG_pcx.c 2019-07-23 11:43:07.748441381 -0300
+@@ -100,6 +100,8 @@
+ Uint8 *row, *buf = NULL;
+ char *error = NULL;
+ int bits, src_bits;
++ int count = 0;
++ Uint8 ch;
+
+ if ( !src ) {
+ /* The error message has been set in SDL_RWFromFile */
+@@ -148,14 +150,14 @@
+ bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ if (bpl > surface->pitch) {
+ error = "bytes per line is too large (corrupt?)";
++ goto done;
+ }
+- buf = calloc(SDL_max(bpl, surface->pitch), 1);
++ buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ row = surface->pixels;
+ for ( y=0; y<surface->h; ++y ) {
+ /* decode a scan line to a temporary buffer first */
+- int i, count = 0;
+- Uint8 ch;
+- Uint8 *dst = (src_bits == 8) ? row : buf;
++ int i;
++ Uint8 *dst = buf;
+ if ( pcxh.Encoding == 0 ) {
+ if(!SDL_RWread(src, dst, bpl, 1)) {
+ error = "file truncated";
+@@ -168,14 +170,15 @@
+ error = "file truncated";
+ goto done;
+ }
+- if( (ch & 0xc0) == 0xc0) {
+- count = ch & 0x3f;
++ if( ch < 0xc0) {
++ count = 1;
++ } else {
++ count = ch - 0xc0;
+ if(!SDL_RWread(src, &ch, 1, 1)) {
+ error = "file truncated";
+ goto done;
+ }
+- } else
+- count = 1;
++ }
+ }
+ dst[i] = ch;
+ count--;
+@@ -207,10 +210,16 @@
+ int x;
+ dst = row + plane;
+ for(x = 0; x < width; x++) {
++ if ( dst >= row+surface->pitch ) {
++ error = "decoding out of bounds (corrupt?)";
++ goto done;
++ }
+ *dst = *src++;
+ dst += pcxh.NPlanes;
+ }
+ }
++ } else {
++ SDL_memcpy(row, buf, bpl);
+ }
+
+ row += surface->pitch;
+@@ -227,8 +236,9 @@
+ /* look for a 256-colour palette */
+ do {
+ if ( !SDL_RWread(src, &ch, 1, 1)) {
+- error = "file truncated";
+- goto done;
++ /* Couldn't find the palette, try the end of the file */
++ SDL_RWseek(src, -768, RW_SEEK_END);
++ break;
+ }
+ } while ( ch != 12 );
+
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch 1969-12-31 19:00:00.000000000 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch 2019-08-29 08:49:56.000000000 -0400
@@ -0,0 +1,15 @@
+Description: fix invalid data read on bpl == -1
+ Issue known as TALOS-2019-0821, or CVE-2019-5052.
+Author: Sam Lantinga <slou...@libsdl.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/b920be2b3fc6
+--- a/IMG_pcx.c 2019-07-23 11:55:37.921487131 -0300
++++ b/IMG_pcx.c 2019-07-23 11:55:46.429453620 -0300
+@@ -148,7 +148,7 @@
+ goto done;
+
+ bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+- if (bpl > surface->pitch) {
++ if (bpl < 0 || bpl > surface->pitch) {
+ error = "bytes per line is too large (corrupt?)";
+ goto done;
+ }
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-7635.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-7635.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-7635.patch 1969-12-31 19:00:00.000000000 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-7635.patch 2019-08-29 08:49:56.000000000 -0400
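Review bot: `SDL_RWseek(src, -768, RW_SEEK_END)` in the `@@ -227` hunk is called without checking its result; when the stream is shorter than 768 bytes the seek fails, the offset stays wherever the marker search stopped, and the palette read that follows (outside this hunk) proceeds from there instead of reporting the truncation that the removed `error = "file truncated"` used to. Treating a failed seek as a truncated file keeps the old failure mode: `if (SDL_RWseek(src, -768, RW_SEEK_END) < 0) { error = "file truncated"; goto done; }`. The de-interlace loop in the `@@ -207` hunk now bounds `dst` against `row+surface->pitch`, but `src` still advances through `buf` for `pcxh.NPlanes*width` bytes while `buf` holds `surface->pitch` bytes, so whether `width*NPlanes <= bpl` is guaranteed depends on header validation outside the hunk and is worth confirming. IMG_LoadPCX_RW starts and ends outside the hunks.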
@@ -0,0 +1,65 @@
+Subject: fix Heap-Buffer Overflow in Blit1to4 (IMG_bmp.c)
+Author: Sam Lantinga <slou...@libsdl.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/03bd33e8cb49
+--- a/IMG_bmp.c 2019-07-23 11:59:17.032624113 -0300
++++ b/IMG_bmp.c 2019-07-23 12:01:39.804061761 -0300
+@@ -292,6 +292,14 @@
+ ExpandBMP = biBitCount;
+ biBitCount = 8;
+ break;
++ case 2:
++ case 3:
++ case 5:
++ case 6:
++ case 7:
++ IMG_SetError("%d-bpp BMP images are not supported", biBitCount);
++ was_error = SDL_TRUE;
++ goto done;
+ default:
+ ExpandBMP = 0;
+ break;
+@@ -444,7 +452,12 @@
+ goto done;
+ }
+ }
+- *(bits+i) = (pixel>>shift);
++ bits[i] = (pixel >> shift);
++ if (bits[i] >= biClrUsed) {
++ IMG_SetError("A BMP image contains a pixel with a color out of the palette");
++ was_error = SDL_TRUE;
++ goto done;
++ }
+ pixel <<= ExpandBMP;
+ } }
+ break;
+@@ -456,6 +469,15 @@
+ was_error = SDL_TRUE;
+ goto done;
+ }
++ if (biBitCount == 8 && palette && biClrUsed < (1 << biBitCount)) {
++ for (i = 0; i < surface->w; ++i) {
++ if (bits[i] >= biClrUsed) {
++ IMG_SetError("A BMP image contains a pixel with a color out of the palette");
++ was_error = SDL_TRUE;
++ goto done;
++ }
++ }
++ }
+ #if SDL_BYTEORDER == SDL_BIG_ENDIAN
+ /* Byte-swap the pixels if needed. Note that the 24bpp
+ case has already been taken care of above. */
+@@ -650,6 +672,14 @@
+ Bmask = 0x000000FF;
+ ExpandBMP = 0;
+ break;
++ case 2:
++ case 3:
++ case 5:
++ case 6:
++ case 7:
++ SDL_SetError("%d-bpp BMP images are not supported", biBitCount);
++ was_error = SDL_TRUE;
++ goto done;
+ default:
+ IMG_SetError("ICO file with unsupported bit count");
+ was_error = SDL_TRUE;
diff -Nru sdl-image1.2-1.2.12/debian/patches/IMG_pcx-out-of-bounds.patch sdl-image1.2-1.2.12/debian/patches/IMG_pcx-out-of-bounds.patch
--- sdl-image1.2-1.2.12/debian/patches/IMG_pcx-out-of-bounds.patch 1969-12-31 19:00:00.000000000 -0500
+++ sdl-image1.2-1.2.12/debian/patches/IMG_pcx-out-of-bounds.patch 2019-08-29 08:49:56.000000000 -0400
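Review bot: The ICO hunk (`@@ -650`) reports the unsupported bit depth with `SDL_SetError` while the BMP hunk (`@@ -292`) and the neighbouring `default:` branch use `IMG_SetError` for the same kind of message; using `IMG_SetError("%d-bpp BMP images are not supported", biBitCount);` there keeps error reporting consistent within the file. The new palette-range checks compare `bits[i]` against `biClrUsed`; the condition `biClrUsed < (1 << biBitCount)` in the `@@ -456` hunk suggests `biClrUsed` has already been normalised from the zero-means-default header value, but that normalisation is outside the hunks and worth confirming, since an un-normalised 0 would reject every pixel. The enclosing functions start and end outside the hunks.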
@@ -0,0 +1,71 @@
+Description: fix multiple OOB issues in IMG_pcx.c
+ This patches addresses following issues: CVE-2019-12222, CVE-2019-12221,
+ CVE-2019-12220, CVE-2019-12219 and CVE-2019-12217.
+Author: Sam Lantinga <slou...@libsdl.org>, Hugo Lefeuvre <h...@debian.org>
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34
+--- a/IMG_pcx.c 2019-07-23 11:56:00.765397153 -0300
++++ b/IMG_pcx.c 2019-07-23 11:51:23.082490857 -0300
+@@ -148,18 +148,17 @@
+ goto done;
+
+ bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+- if (bpl < 0 || bpl > surface->pitch) {
+- error = "bytes per line is too large (corrupt?)";
++ buf = (Uint8 *)SDL_calloc(bpl, 1);
++ if ( !buf ) {
++ error = "Out of memory";
+ goto done;
+ }
+- buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ row = surface->pixels;
+ for ( y=0; y<surface->h; ++y ) {
+ /* decode a scan line to a temporary buffer first */
+ int i;
+- Uint8 *dst = buf;
+ if ( pcxh.Encoding == 0 ) {
+- if(!SDL_RWread(src, dst, bpl, 1)) {
++ if(!SDL_RWread(src, buf, bpl, 1)) {
+ error = "file truncated";
+ goto done;
+ }
+@@ -180,7 +179,7 @@
+ }
+ }
+ }
+- dst[i] = ch;
++ buf[i] = ch;
+ count--;
+ }
+ }
+@@ -202,13 +201,21 @@
+ }
+ }
+ }
++ } else if ( src_bits == 8 ) {
++ /* directly copy buf content to row */
++ Uint8 *innerSrc = buf;
++ int x;
++ Uint8 *dst = row;
++ for ( x = 0; x < width; x++ ) {
++ *dst++ = *innerSrc++;
++ }
+ } else if(src_bits == 24) {
+ /* de-interlace planes */
+ Uint8 *src = buf;
+ int plane;
+ for(plane = 0; plane < pcxh.NPlanes; plane++) {
+ int x;
+- dst = row + plane;
++ Uint8 *dst = row + plane;
+ for(x = 0; x < width; x++) {
+ if ( dst >= row+surface->pitch ) {
+ error = "decoding out of bounds (corrupt?)";
+@@ -218,8 +225,6 @@
+ dst += pcxh.NPlanes;
+ }
+ }
+- } else {
+- SDL_memcpy(row, buf, bpl);
+ }
+
+ row += surface->pitch;
diff -Nru sdl-image1.2-1.2.12/debian/patches/series sdl-image1.2-1.2.12/debian/patches/series
--- sdl-image1.2-1.2.12/debian/patches/series 2018-11-04 18:58:30.000000000
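Review bot: The `@@ -148` hunk deletes the `if (bpl < 0 || bpl > surface->pitch)` guard that CVE-2019-5052.patch, earlier in this debdiff, adds, so once the whole series is applied the only protection against a negative `bpl` is `SDL_calloc(bpl, 1)` failing after size_t conversion and tripping the `!buf` check; an explicit `if (bpl <= 0) { error = "bytes per line is invalid (corrupt?)"; goto done; }` before the allocation keeps that intent visible instead of relying on wrap-around (message text constructed). Sizing `buf` to `bpl` also makes the copy loops depend on `bpl` being at least `width` bytes for the new `src_bits == 8` branch and `width*NPlanes` for the 24-bit branch, whose `*src++` is still unbounded while only `dst` is range-checked, so unless a check outside the hunk enforces `BytesPerLine >= width` a header with a small BytesPerLine reads past the end of `buf`; `if ( width > bpl ) { error = "decoding out of bounds (corrupt?)"; goto done; }` at the top of the new 8-bit branch reuses an existing message for that case. IMG_LoadPCX_RW starts and ends outside the hunks.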
-0500
+++ sdl-image1.2-1.2.12/debian/patches/series 2019-08-29 08:51:05.000000000 -0400
@@ -10,3 +10,8 @@
CVE-2018-3838.patch
CVE-2018-3839.patch
CVE-2018-3977.patch
+
+CVE-2019-12218.patch
+CVE-2019-5052.patch
+IMG_pcx-out-of-bounds.patch
+CVE-2019-7635.patch