Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: secur...@debian.org
[ Reason ]
Backport fixes for two out-of-bounds reads, one of which has a CVE ID, presumably because it could be an exploitable vulnerability for games that are willing to load untrusted graphics data. The security team marked the CVE as unimportant and didn't open a bug, so presumably they don't intend to do a DSA.

[ Impact ]
If not approved, SDL games that load untrusted graphics could maybe be crashed or otherwise interfered with by an attacker.

[ Tests ]
No specific test coverage. From the upstream bug reports, it seems that these issues are usually only noticeable in practice if SDL is rebuilt with AddressSanitizer. The proposed version seems to work OK in brief testing with a few games (0ad, openarena, warzone2100).

[ Risks ]
Low risk: the patches are trivial and have been in testing since January without apparent regressions.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
d/p/Fixed-potential-buffer-overflow-in-YUV-conversion.patch, src/video/yuv2rgb/yuv_rgb.c: ensure that the index into a 512-element lookup table is clamped to the range 0 to 511 inclusive, even if the input data is malformed.

d/p/Always-create-a-full-256-entry-map-in-case-color-values-a.patch, src/video/SDL_pixels.c: always allocate palettes for palette-based formats with 256 entries and zero out the ones that are not used, so that out-of-range pixel values resolve to transparent black (red = green = blue = alpha = 0) instead of causing an out-of-bounds read.
diffstat for libsdl2-2.0.14+dfsg2 libsdl2-2.0.14+dfsg2 debian/changelog | 12 +++ debian/gbp.conf | 1 debian/patches/Always-create-a-full-256-entry-map-in-case-color-values-a.patch | 34 ++++++++++ debian/patches/Fixed-potential-buffer-overflow-in-YUV-conversion.patch | 23 ++++++ debian/patches/series | 2 src/video/SDL_pixels.c | 4 - src/video/yuv2rgb/yuv_rgb.c | 2 7 files changed, 75 insertions(+), 3 deletions(-)
diff -Nru libsdl2-2.0.14+dfsg2/debian/changelog libsdl2-2.0.14+dfsg2/debian/changelog
--- libsdl2-2.0.14+dfsg2/debian/changelog 2021-01-18 14:35:30.000000000 +0000
+++ libsdl2-2.0.14+dfsg2/debian/changelog 2022-06-20 22:05:21.000000000 +0100
@@ -1,3 +1,15 @@
+libsdl2 (2.0.14+dfsg2-3+deb11u1) bullseye; urgency=medium
+
+ * d/gbp.conf: Set branch for Debian 11 updates
+ * d/p/Always-create-a-full-256-entry-map-in-case-color-values-a.patch:
+ Avoid out-of-bounds read while loading malformed BMP file.
+ libsdl-org/SDL#5042 upstream, CVE-2021-33657.
+ * d/p/Fixed-potential-buffer-overflow-in-YUV-conversion.patch:
+ Avoid out-of-bounds read during YUV to RGB conversion.
+ libsdl-org/SDL#5043 upstream, no known CVE ID.
+
+ -- Simon McVittie <s...@debian.org> Mon, 20 Jun 2022 22:05:21 +0100
+
 libsdl2 (2.0.14+dfsg2-3) unstable; urgency=medium
 * d/libsdl2-2.0-0.symbols: SDL_LinuxSetThreadPriority is Linux-only
diff -Nru libsdl2-2.0.14+dfsg2/debian/gbp.conf libsdl2-2.0.14+dfsg2/debian/gbp.conf
--- libsdl2-2.0.14+dfsg2/debian/gbp.conf 2021-01-18 14:35:30.000000000 +0000
+++ libsdl2-2.0.14+dfsg2/debian/gbp.conf 2022-06-20 22:05:21.000000000 +0100
@@ -1,6 +1,7 @@
 [DEFAULT]
 pristine-tar = True
 sign-tags = True
+debian-branch = debian/bullseye
 [import-orig]
 filter = [ 'Android.mk', 'android-project', 'debian', 'src/hidapi/android', 'src/hidapi/ios', 'src/hidapi/linux/hid.cpp', 'src/hidapi/mac', 'src/hidapi/testgui', 'src/hidapi/windows', 'src/render/metal/SDL_shaders_metal_*.h', 'src/video/os2/my_gradd.h', 'VisualC', 'VisualC-WinRT', 'Xcode', 'Xcode-iOS' ]
diff -Nru libsdl2-2.0.14+dfsg2/debian/patches/Always-create-a-full-256-entry-map-in-case-color-values-a.patch libsdl2-2.0.14+dfsg2/debian/patches/Always-create-a-full-256-entry-map-in-case-color-values-a.patch
--- libsdl2-2.0.14+dfsg2/debian/patches/Always-create-a-full-256-entry-map-in-case-color-values-a.patch 1970-01-01 01:00:00.000000000 +0100
+++ libsdl2-2.0.14+dfsg2/debian/patches/Always-create-a-full-256-entry-map-in-case-color-values-a.patch 2022-06-20 22:05:21.000000000 +0100
@@ -0,0 +1,34 @@
+From: Sam Lantinga <slou...@libsdl.org>
+Date: Tue, 30 Nov 2021 12:36:46 -0800
+Subject: Always create a full 256-entry map in case color values are out of
+ range
+
+Bug: https://github.com/libsdl-org/SDL/issues/5042
+Bug-CVE: CVE-2021-33657
+Origin: upstream, 2.0.20, commit:8c91cf7dba5193f5ce12d06db1336515851c9ee9
+---
+ src/video/SDL_pixels.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c
+index 84b6932..c27dc6f 100644
+--- a/src/video/SDL_pixels.c
++++ b/src/video/SDL_pixels.c
+@@ -947,7 +947,7 @@ Map1to1(SDL_Palette * src, SDL_Palette * dst, int *identical)
+ }
+ *identical = 0;
+ }
+- map = (Uint8 *) SDL_malloc(src->ncolors);
++ map = (Uint8 *) SDL_calloc(256, sizeof(Uint8));
+ if (map == NULL) {
+ SDL_OutOfMemory();
+ return (NULL);
+@@ -971,7 +971,7 @@ Map1toN(SDL_PixelFormat * src, Uint8 Rmod, Uint8 Gmod, Uint8 Bmod, Uint8 Amod,
+ SDL_Palette *pal = src->palette;
+
+ bpp = ((dst->BytesPerPixel == 3) ? 4 : dst->BytesPerPixel);
+- map = (Uint8 *) SDL_malloc(pal->ncolors * bpp);
++ map = (Uint8 *) SDL_calloc(256, bpp);
+ if (map == NULL) {
+ SDL_OutOfMemory();
+ return (NULL);
diff -Nru libsdl2-2.0.14+dfsg2/debian/patches/Fixed-potential-buffer-overflow-in-YUV-conversion.patch libsdl2-2.0.14+dfsg2/debian/patches/Fixed-potential-buffer-overflow-in-YUV-conversion.patch
--- libsdl2-2.0.14+dfsg2/debian/patches/Fixed-potential-buffer-overflow-in-YUV-conversion.patch 1970-01-01 01:00:00.000000000 +0100
+++ libsdl2-2.0.14+dfsg2/debian/patches/Fixed-potential-buffer-overflow-in-YUV-conversion.patch 2022-06-20 22:05:21.000000000 +0100
@@ -0,0 +1,23 @@
+From: Sam Lantinga <slou...@libsdl.org>
+Date: Tue, 30 Nov 2021 10:23:21 -0800
+Subject: Fixed potential buffer overflow in YUV conversion
+
+Bug: https://github.com/libsdl-org/SDL/issues/5043
+Origin: upstream, 2.0.20, commit:8589134f160a9d0898a2f3bdf87300837be4367d
+---
+ src/video/yuv2rgb/yuv_rgb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/video/yuv2rgb/yuv_rgb.c b/src/video/yuv2rgb/yuv_rgb.c
+index 6e821a8..7908b8c 100644
+--- a/src/video/yuv2rgb/yuv_rgb.c
++++ b/src/video/yuv2rgb/yuv_rgb.c
+@@ -91,7 +91,7 @@ static uint8_t clampU8(int32_t v)
+ 255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,
+ 255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255
+ };
+- return lut[(v+128*PRECISION_FACTOR)>>PRECISION];
++ return lut[((v+128*PRECISION_FACTOR)>>PRECISION)&511];
+ }
+
+
diff -Nru libsdl2-2.0.14+dfsg2/debian/patches/series libsdl2-2.0.14+dfsg2/debian/patches/series
--- libsdl2-2.0.14+dfsg2/debian/patches/series 2021-01-18 14:35:30.000000000 +0000
+++ libsdl2-2.0.14+dfsg2/debian/patches/series 2022-06-20 22:05:21.000000000 +0100
@@ -2,3 +2,5 @@
 waylandtouch-Don-t-export-interface-structs.patch
 Add-a-make-install-target-for-the-tests.patch
 no-libdir.patch
+Always-create-a-full-256-entry-map-in-case-color-values-a.patch
+Fixed-potential-buffer-overflow-in-YUV-conversion.patch
diff -Nru libsdl2-2.0.14+dfsg2/src/video/SDL_pixels.c libsdl2-2.0.14+dfsg2/src/video/SDL_pixels.c
--- libsdl2-2.0.14+dfsg2/src/video/SDL_pixels.c 2020-12-21 17:44:36.000000000 +0000
+++ libsdl2-2.0.14+dfsg2/src/video/SDL_pixels.c 2022-06-21 10:54:32.000000000 +0100
@@ -947,7 +947,7 @@
 }
 *identical = 0;
 }
- map = (Uint8 *) SDL_malloc(src->ncolors);
+ map = (Uint8 *) SDL_calloc(256, sizeof(Uint8));
 if (map == NULL) {
 SDL_OutOfMemory();
 return (NULL);
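Review bot: The new `SDL_calloc(256, sizeof(Uint8))` at the `map =` line is only a complete fix because the table index is a Uint8 and calloc zero-fills the entries beyond src->ncolors, and neither assumption is recorded in the code. The loop that fills the map and the start and end of Map1to1 are outside this hunk, so a later maintainer seeing only the nearby code could shrink the allocation back to ncolors; a comment on the allocation line would prevent that: `/* Always 256 entries so any Uint8 pixel value indexes in bounds; entries past src->ncolors stay 0 from calloc (CVE-2021-33657) */`. Note that in Map1to1 each entry appears to be a destination palette index (one byte per entry), so an out-of-range source value resolves to whatever colour dst entry 0 holds rather than to transparent black; the bug description's R=G=B=A=0 wording fits only the Map1toN table, where a zeroed entry is literally bpp zero bytes. The same point applies to the `@@ -971` Map1toN hunk below and to the copies of both hunks in debian/patches/Always-create-a-full-256-entry-map-in-case-color-values-a.patch.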
@@ -971,7 +971,7 @@
 SDL_Palette *pal = src->palette;
 bpp = ((dst->BytesPerPixel == 3) ? 4 : dst->BytesPerPixel);
- map = (Uint8 *) SDL_malloc(pal->ncolors * bpp);
+ map = (Uint8 *) SDL_calloc(256, bpp);
 if (map == NULL) {
 SDL_OutOfMemory();
 return (NULL);
diff -Nru libsdl2-2.0.14+dfsg2/src/video/yuv2rgb/yuv_rgb.c libsdl2-2.0.14+dfsg2/src/video/yuv2rgb/yuv_rgb.c
--- libsdl2-2.0.14+dfsg2/src/video/yuv2rgb/yuv_rgb.c 2020-12-21 17:44:36.000000000 +0000
+++ libsdl2-2.0.14+dfsg2/src/video/yuv2rgb/yuv_rgb.c 2022-06-21 10:54:32.000000000 +0100
@@ -91,7 +91,7 @@
 255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,
 255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255
 };
- return lut[(v+128*PRECISION_FACTOR)>>PRECISION];
+ return lut[((v+128*PRECISION_FACTOR)>>PRECISION)&511];
 }
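Review bot: The `&511` on the new `return lut[...]` line bounds the index by masking rather than clamping, so an index of 512 or more wraps to the low end of the 512-entry table (presumably the zero rows, given the all-255 rows visible at its end) and a negative intermediate lands on an arbitrary entry: malformed input now yields a wrong but in-bounds sample instead of an out-of-bounds read. That is a reasonable trade for a per-pixel helper, but the bug description calls it a clamp, so the intent belongs at the call site: `/* Mask, not clamp: keeps the index inside the 512-entry lut for malformed input; out-of-range values wrap rather than saturate (libsdl-org/SDL#5043) */`. If saturation is actually wanted, a real clamp is `int32_t i = (v + 128*PRECISION_FACTOR) >> PRECISION; if (i < 0) i = 0; else if (i > 511) i = 511; return lut[i];` at the cost of two branches per sample. Right-shifting a negative int32_t there is implementation-defined rather than undefined, and the mask makes the result in-bounds either way; the signature of clampU8 and most of the lut are outside the hunk, and the same hunk is duplicated in debian/patches/Fixed-potential-buffer-overflow-in-YUV-conversion.patch.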