diff -Nru sdl-image1.2-1.2.12/debian/changelog sdl-image1.2-1.2.12/debian/changelog
--- sdl-image1.2-1.2.12/debian/changelog 2018-03-05 19:24:09.000000000 +0000
+++ sdl-image1.2-1.2.12/debian/changelog 2020-01-10 15:49:04.000000000 +0000
@@ -1,3 +1,37 @@
+sdl-image1.2 (1.2.12-8ubuntu0.1) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: Arbitrary code execution in the XCF image rendering
+ - debian/patches/CVE-2018-3977.patch: Fix potential buffer overflow on
+ corrupt or maliciously-crafted XCF file.
+ - CVE-2018-3977
+ * SECURITY UPDATE: Buffer overflows in IMG_pcx.c
+ - debian/patches/IMG_pcx-out-of-bounds.patch: fix multiple OOB issues in
+ IMG_pcx.c
+ - CVE-2019-5051
+ - CVE-2019-12217
+ - CVE-2019-12219
+ - CVE-2019-12220
+ - CVE-2019-12221
+ - CVE-2019-12222
+ * SECURITY UPDATE: Integer overflow when loading a PCX file
+ - debian/patches/CVE-2019-5052.patch: Fix invalid data read on bpl == -1.
+ - CVE-2019-5052
+ * SECURITY UPDATE: Heap-based buffer over-read in Blit1to4()
+ - debian/patches/CVE-2019-7635.patch: fix Heap-Buffer Overflow in
+ Blit1to4().
+ - CVE-2019-7635
+ * SECURITY UPDATE: Heap buffer overflow in IMG_pcx.c
+ - debian/patches/CVE-2019-12218.patch: fix heap buffer overflow issue in
+ IMG_pcx.c
+ - CVE-2019-12218
+ - CVE-2019-12216
+ * SECURITY UPDATE: Heap-based buffer over-read in BlitNtoN()
+ - debian/patches/CVE-2019-13616.patch: validate image size when loading
+ BMP files.
+ - CVE-2019-13616
+
+ -- Eduardo Barretto Fri, 10 Jan 2020 12:49:04 -0300
+
 sdl-image1.2 (1.2.12-8) unstable; urgency=high
 * Backport various security fixes:
diff -Nru sdl-image1.2-1.2.12/debian/control sdl-image1.2-1.2.12/debian/control
--- sdl-image1.2-1.2.12/debian/control 2018-03-05 19:22:12.000000000 +0000
+++ sdl-image1.2-1.2.12/debian/control 2020-01-10 15:49:04.000000000 +0000
@@ -1,5 +1,6 @@
 Source: sdl-image1.2
-Maintainer: Debian SDL packages maintainers
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian SDL packages maintainers
 Uploaders: Felix Geyer , Manuel A. Fernandez Montecelo
 Section: libs
 Priority: optional
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch 1970-01-01 00:00:00.000000000 +0000
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch 2020-01-10 15:29:03.000000000 +0000
@@ -0,0 +1,19 @@
+Description: Fix potential buffer overflow on corrupt or maliciously-crafted XCF file.
+ This patch bundles two fixes, the original one for CVE-2018-3977
+ (TALOS-2018-0645) which is actually broken, and the followup patch
+ (TALOS-2019-0842).
+Author: Ryan C. Gordon
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8
+ https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10
+--- a/IMG_xcf.c 2019-07-23 11:56:35.733259428 -0300
++++ b/IMG_xcf.c 2019-07-23 11:57:55.036947079 -0300
+@@ -634,6 +634,9 @@
+ p16 = (Uint16 *) p8;
+ p = (Uint32 *) p8;
+ for (y=ty; y < ty+oy; y++) {
++ if ((y >= surface->h) || ((tx+ox) > surface->w)) {
++ break;
++ }
+ row = (Uint32 *)((Uint8 *)surface->pixels + y*surface->pitch + tx*4);
+ switch (hierarchy->bpp) {
+ case 4:
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch 1970-01-01 00:00:00.000000000 +0000
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch 2020-01-10 15:41:39.000000000 +0000
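Review bot: The guard added at `+@@ -634,6 +634,9 @@` only stops when `y >= surface->h` or `(tx+ox) > surface->w`; a negative `ty` or `tx` passes it, and if those tile offsets are signed values read from the file (their declarations are outside this hunk) `row` is then computed before `surface->pixels`. Extending it to `if (y < 0 || y >= surface->h || tx < 0 || (tx+ox) > surface->w) {` closes that case in the same place. The `break` also reports nothing, so a clipped tile yields a silently truncated layer; a short comment such as `/* tile extends past the surface: stop rather than write out of bounds */` would at least make the clipping read as intentional. The enclosing function starts and ends outside the hunk.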
@@ -0,0 +1,83 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c 2019-07-23 11:28:25.847897628 -0300
++++ b/IMG_pcx.c 2019-07-23 11:43:07.748441381 -0300
+@@ -100,6 +100,8 @@
+ Uint8 *row, *buf = NULL;
+ char *error = NULL;
+ int bits, src_bits;
++ int count = 0;
++ Uint8 ch;
+
+ if ( !src ) {
+ /* The error message has been set in SDL_RWFromFile */
+@@ -148,14 +150,14 @@
+ bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ if (bpl > surface->pitch) {
+ error = "bytes per line is too large (corrupt?)";
++ goto done;
+ }
+- buf = calloc(SDL_max(bpl, surface->pitch), 1);
++ buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ row = surface->pixels;
+ for ( y=0; yh; ++y ) {
+ /* decode a scan line to a temporary buffer first */
+- int i, count = 0;
+- Uint8 ch;
+- Uint8 *dst = (src_bits == 8) ? row : buf;
++ int i;
++ Uint8 *dst = buf;
+ if ( pcxh.Encoding == 0 ) {
+ if(!SDL_RWread(src, dst, bpl, 1)) {
+ error = "file truncated";
+@@ -168,14 +170,15 @@
+ error = "file truncated";
+ goto done;
+ }
+- if( (ch & 0xc0) == 0xc0) {
+- count = ch & 0x3f;
++ if( ch < 0xc0) {
++ count = 1;
++ } else {
++ count = ch - 0xc0;
+ if(!SDL_RWread(src, &ch, 1, 1)) {
+ error = "file truncated";
+ goto done;
+ }
+- } else
+- count = 1;
++ }
+ }
+ dst[i] = ch;
+ count--;
+@@ -207,10 +210,16 @@
+ int x;
+ dst = row + plane;
+ for(x = 0; x < width; x++) {
++ if ( dst >= row+surface->pitch ) {
++ error = "decoding out of bounds (corrupt?)";
++ goto done;
++ }
+ *dst = *src++;
+ dst += pcxh.NPlanes;
+ }
+ }
++ } else {
++ SDL_memcpy(row, buf, bpl);
+ }
+
+ row += surface->pitch;
+@@ -227,8 +236,9 @@
+ /* look for a 256-colour palette */
+ do {
+ if ( !SDL_RWread(src, &ch, 1, 1)) {
+- error = "file truncated";
+- goto done;
++ /* Couldn't find the palette, try the end of the file */
++ SDL_RWseek(src, -768, RW_SEEK_END);
++ break;
+ }
+ }
while ( ch != 12 );
+
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-13616.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-13616.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-13616.patch 1970-01-01 00:00:00.000000000 +0000
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-13616.patch 2020-01-10 15:49:04.000000000 +0000
@@ -0,0 +1,23 @@
+# HG changeset patch
+# Date 1564511355 -10800
+# Node ID a59bfe382008d2a14fa31f33b35a3ca473e9354f
+# Parent 9ccaa3a0dfb6af18252c238797e53a9a899b0662
+From: Ozkan Sezer
+Description: Fixed bug 4538 - validate image size when loading BMP files
+
+diff -r 9ccaa3a0dfb6 -r a59bfe382008 IMG_bmp.c
+--- a/IMG_bmp.c Thu Jul 11 01:01:56 2019 +0300
++++ b/IMG_bmp.c Tue Jul 30 21:29:15 2019 +0300
+@@ -272,6 +272,11 @@
+ biClrUsed = SDL_ReadLE32(src);
+ biClrImportant = SDL_ReadLE32(src);
+ }
++ if (biWidth <= 0 || biHeight == 0) {
++ IMG_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight);
++ was_error = SDL_TRUE;
++ goto done;
++ }
+ if (biHeight < 0) {
+ topDown = SDL_TRUE;
+ biHeight = -biHeight;
+
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch 1970-01-01 00:00:00.000000000 +0000
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch 2020-01-10 15:41:58.000000000 +0000
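Review bot: The fallback at `+@@ -227,8 +236,9 @@` ignores the result of `SDL_RWseek(src, -768, RW_SEEK_END)`; on a stream shorter than 768 bytes the seek fails and the position stays wherever the failed read left it, so the palette read that follows the loop (outside this hunk) is what decides whether the loader errors out or consumes stale bytes. Checking it explicitly, `if (SDL_RWseek(src, -768, RW_SEEK_END) < 0) { error = "file truncated"; goto done; }`, keeps the failure visible where it happens. Moving `int count = 0;` out of the per-row loop at `+@@ -100,6 +100,8 @@` also means a run left unfinished at the end of one scan line now continues into the next instead of being reset, which may be intended but deserves a comment such as `/* count persists across rows: an RLE run may straddle a line end */` if so. The `SDL_calloc(surface->pitch, 1)` result at `+@@ -148,14 +150,14 @@` is not NULL-checked here; the IMG_pcx-out-of-bounds.patch later in the series adds that check.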
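Review bot: The check at `+@@ -272,6 +272,11 @@` rejects `biWidth <= 0` and `biHeight == 0` but not the most negative `biHeight`, and the `biHeight = -biHeight;` two lines below then overflows for that value if `biHeight` is a signed 32-bit integer, which the `%d` format and the `biHeight < 0` test suggest (its declaration is outside this hunk). Widening it to `if (biWidth <= 0 || biHeight == 0 || biHeight == INT_MIN) {` (`INT_MIN` from `<limits.h>`, or the file's preferred SDL equivalent) rules that out before the negation. This is a sign check only; whether a large but positive `biWidth * biHeight` is bounded before the surface allocation is outside the hunk and worth confirming.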
@@ -0,0 +1,15 @@
+Description: fix invalid data read on bpl == -1
+ Issue known as TALOS-2019-0821, or CVE-2019-5052.
+Author: Sam Lantinga
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/b920be2b3fc6
+--- a/IMG_pcx.c 2019-07-23 11:55:37.921487131 -0300
++++ b/IMG_pcx.c 2019-07-23 11:55:46.429453620 -0300
+@@ -148,7 +148,7 @@
+ goto done;
+
+ bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+- if (bpl > surface->pitch) {
++ if (bpl < 0 || bpl > surface->pitch) {
+ error = "bytes per line is too large (corrupt?)";
+ goto done;
+ }
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-7635.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-7635.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-7635.patch 1970-01-01 00:00:00.000000000 +0000
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-7635.patch 2020-01-10 15:48:47.000000000 +0000
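Review bot: The condition at `+@@ -148,7 +148,7 @@` now also fires for `bpl < 0`, but the message right after it still reads `bytes per line is too large (corrupt?)`, which misdescribes the very case this patch adds; `error = "bytes per line is invalid (corrupt?)";` fits both branches. Note that IMG_pcx-out-of-bounds.patch, applied after this one per the `debian/patches/series` change in this upload, deletes this check again and relies on `SDL_calloc(bpl, 1)` failing for a negative size, so the patch header would benefit from a line recording that dependency for whoever next refreshes the series.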
@@ -0,0 +1,65 @@
+Subject: fix Heap-Buffer Overflow in Blit1to4 (IMG_bmp.c)
+Author: Sam Lantinga
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/03bd33e8cb49
+--- a/IMG_bmp.c 2019-07-23 11:59:17.032624113 -0300
++++ b/IMG_bmp.c 2019-07-23 12:01:39.804061761 -0300
+@@ -292,6 +292,14 @@
+ ExpandBMP = biBitCount;
+ biBitCount = 8;
+ break;
++ case 2:
++ case 3:
++ case 5:
++ case 6:
++ case 7:
++ IMG_SetError("%d-bpp BMP images are not supported", biBitCount);
++ was_error = SDL_TRUE;
++ goto done;
+ default:
+ ExpandBMP = 0;
+ break;
+@@ -444,7 +452,12 @@
+ goto done;
+ }
+ }
+- *(bits+i) = (pixel>>shift);
++ bits[i] = (pixel >> shift);
++ if (bits[i] >= biClrUsed) {
++ IMG_SetError("A BMP image contains a pixel with a color out of the palette");
++ was_error = SDL_TRUE;
++ goto done;
++ }
+ pixel <<= ExpandBMP;
+ } }
+ break;
+@@ -456,6 +469,15 @@
+ was_error = SDL_TRUE;
+ goto done;
+ }
++ if (biBitCount == 8 && palette && biClrUsed < (1 << biBitCount)) {
++ for (i = 0; i < surface->w; ++i) {
++ if (bits[i] >= biClrUsed) {
++ IMG_SetError("A BMP image contains a pixel with a color out of the palette");
++ was_error = SDL_TRUE;
++ goto done;
++ }
++ }
++ }
+ #if SDL_BYTEORDER == SDL_BIG_ENDIAN
+ /* Byte-swap the pixels if needed. Note that the 24bpp
+ case has already been taken care of above. */
+@@ -650,6 +672,14 @@
+ Bmask = 0x000000FF;
+ ExpandBMP = 0;
+ break;
++ case 2:
++ case 3:
++ case 5:
++ case 6:
++ case 7:
++ SDL_SetError("%d-bpp BMP images are not supported", biBitCount);
++ was_error = SDL_TRUE;
++ goto done;
+ default:
+ IMG_SetError("ICO file with unsupported bit count");
+ was_error = SDL_TRUE;
diff -Nru sdl-image1.2-1.2.12/debian/patches/IMG_pcx-out-of-bounds.patch sdl-image1.2-1.2.12/debian/patches/IMG_pcx-out-of-bounds.patch
--- sdl-image1.2-1.2.12/debian/patches/IMG_pcx-out-of-bounds.patch 1970-01-01 00:00:00.000000000 +0000
+++ sdl-image1.2-1.2.12/debian/patches/IMG_pcx-out-of-bounds.patch 2020-01-10 15:40:41.000000000 +0000
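Review bot: The ICO path at `+@@ -650,6 +672,14 @@` reports the unsupported bit count through `SDL_SetError` while the identical BMP case at `+@@ -292,6 +292,14 @@` and the adjacent `default:` use `IMG_SetError`, and its message says "BMP images" inside the ICO loader; `IMG_SetError("%d-bpp ICO images are not supported", biBitCount);` keeps both the error channel and the wording consistent. The palette-range checks at `+@@ -444,7 +452,12 @@` and `+@@ -456,6 +469,15 @@` compare `bits[i]` against `biClrUsed`, so they are only correct if `biClrUsed` has already been expanded from the BMP convention of 0 meaning a full palette before this point; that setup is outside these hunks, so a one-line comment at the first check, such as `/* assumes biClrUsed is the real palette length here (0 already expanded) -- verify against the palette setup above */`, would record the dependency.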
@@ -0,0 +1,71 @@
+Description: fix multiple OOB issues in IMG_pcx.c
+ This patches addresses following issues: CVE-2019-12222, CVE-2019-12221,
+ CVE-2019-12220, CVE-2019-12219 and CVE-2019-12217.
+Author: Sam Lantinga , Hugo Lefeuvre
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34
+--- a/IMG_pcx.c 2019-07-23 11:56:00.765397153 -0300
++++ b/IMG_pcx.c 2019-07-23 11:51:23.082490857 -0300
+@@ -148,18 +148,17 @@
+ goto done;
+
+ bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+- if (bpl < 0 || bpl > surface->pitch) {
+- error = "bytes per line is too large (corrupt?)";
++ buf = (Uint8 *)SDL_calloc(bpl, 1);
++ if ( !buf ) {
++ error = "Out of memory";
+ goto done;
+ }
+- buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ row = surface->pixels;
+ for ( y=0; yh; ++y ) {
+ /* decode a scan line to a temporary buffer first */
+ int i;
+- Uint8 *dst = buf;
+ if ( pcxh.Encoding == 0 ) {
+- if(!SDL_RWread(src, dst, bpl, 1)) {
++ if(!SDL_RWread(src, buf, bpl, 1)) {
+ error = "file truncated";
+ goto done;
+ }
+@@ -180,7 +179,7 @@
+ }
+ }
+ }
+- dst[i] = ch;
++ buf[i] = ch;
+ count--;
+ }
+ }
+@@ -202,13 +201,21 @@
+ }
+ }
+ }
++ } else if ( src_bits == 8 ) {
++ /* directly copy buf content to row */
++ Uint8 *innerSrc = buf;
++ int x;
++ Uint8 *dst = row;
++ for ( x = 0; x < width; x++ ) {
++ *dst++ = *innerSrc++;
++ }
+ } else if(src_bits == 24) {
+ /* de-interlace planes */
+ Uint8 *src = buf;
+ int plane;
+ for(plane = 0; plane < pcxh.NPlanes; plane++) {
+ int x;
+- dst = row + plane;
++ Uint8 *dst = row + plane;
+ for(x = 0; x < width; x++) {
+ if ( dst >= row+surface->pitch ) {
+ error = "decoding out of bounds (corrupt?)";
+@@ -218,8 +225,6 @@
+ dst += pcxh.NPlanes;
+ }
+ }
+- } else {
+- SDL_memcpy(row, buf, bpl);
+ }
+
+ row += surface->pitch;
diff -Nru sdl-image1.2-1.2.12/debian/patches/series sdl-image1.2-1.2.12/debian/patches/series
--- sdl-image1.2-1.2.12/debian/patches/series 2018-03-05 18:18:08.000000000 +0000
+++ sdl-image1.2-1.2.12/debian/patches/series
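Review bot: The new 8-bit copy at `+@@ -202,13 +201,21 @@` reads `width` bytes from `buf`, and the 24-bit de-interlace reads `width` bytes per plane from the same buffer, but `buf` is now sized `bpl = pcxh.NPlanes * pcxh.BytesPerLine` at `+@@ -148,18 +148,17 @@` and no hunk here compares `BytesPerLine` with `width`; if a header can declare `BytesPerLine` smaller than `width` (both come from the file), the copy over-reads `buf` by the difference. Unless a check elsewhere in the function (outside these hunks) already enforces it, a guard right after `bpl` is computed, `if (pcxh.BytesPerLine < width) { error = "bytes per line is too small (corrupt?)"; goto done; }`, closes that. Dropping the old `bpl > surface->pitch` test looks safe for the two paths shown, whose writes are bounded by `width` and by `row+surface->pitch`, but the `src_bits <= 4` path that also consumes `buf` is outside the hunk and should be re-checked against the new buffer size.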
2020-01-10 15:49:04.000000000 +0000
@@ -9,3 +9,9 @@
 pcx_2938fc80591a.patch
 xcf_c5f9cbb5d2bb.patch
 xcf_fb643e371806.patch
+CVE-2019-12218.patch
+CVE-2019-5052.patch
+IMG_pcx-out-of-bounds.patch
+CVE-2018-3977.patch
+CVE-2019-7635.patch
+CVE-2019-13616.patch