772194 – <media-libs/libsdl{,2}-image-{1.2.12_p20210314, 2.0.5_p20210328}: heap buffer overread (CVE-2019-13616)

Bug 772194 - <media-libs/libsdl{,2}-image-{1.2.12_p20210314, 2.0.5_p20210328}: heap buffer overread (CVE-2019-13616)

Summary: <media-libs/libsdl{,2}-image-{1.2.12_p20210314, 2.0.5_p20210328}: heap buffer...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:
Whiteboard:	B4 [glsa+]
Keywords:	PullRequest

Depends on:	774024
Blocks:	CVE-2019-13616, CVE-2019-7572, CVE-2019-7573, CVE-2019-7574, CVE-2019-7575, CVE-2019-7576, CVE-2019-7577, CVE-2019-7578, CVE-2019-7635, CVE-2019-7636, CVE-2019-7638
	Show dependency tree

Reported:	2021-02-22 22:04 UTC by John Helmert III
Modified:	2023-05-03 10:13 UTC (History)
CC List:	2 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/19733 https://github.com/gentoo/gentoo/pull/19863 https://github.com/gentoo/gentoo/pull/20216
Package list:	media-libs/sdl-image-1.2.12_p20210314 media-libs/sdl2-image-2.0.5_p20210328 amd64 arm arm64 ppc sparc x86
Runtime testing required:	---

Flags:	nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-02-22 22:04:59 UTC

CVE-2019-13616: 

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c.

Patch: https://github.com/libsdl-org/SDL_image/commit/e12c931e5bb260821ac7f11833eb627331779dcf

Comment 1 Larry the Git Cow gentoo-dev

2021-03-06 08:52:42 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8a336de7c0ccd1263d27555be703dcfdfaa3d568

commit 8a336de7c0ccd1263d27555be703dcfdfaa3d568
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-03-03 17:32:46 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2021-03-06 08:52:11 +0000

    media-libs/libsdl: multiple CVEs v1.2.15_p20210224
    
    Bug: https://bugs.gentoo.org/772194
    Bug: https://bugs.gentoo.org/692388
    
    EAPI 7
    Bug: https://bugs.gentoo.org/774024
    
    Dropping older patches included in snapshot
    
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/19733
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 media-libs/libsdl/Manifest                         |   1 +
 .../libsdl/files/libsdl-1.2.15-sdl-config.patch    |   4 +-
 media-libs/libsdl/libsdl-1.2.15_p20210224.ebuild   | 139 +++++++++++++++++++++
 3 files changed, 142 insertions(+), 2 deletions(-)

Comment 2 Sam James archtester

2021-03-09 22:46:51 UTC

@vaukai, this one isn't fixed yet, right?

Comment 3 Volkmar W. Pogatzki 2021-03-10 06:29:11 UTC

(In reply to Sam James from comment #2)
> @vaukai, this one isn't fixed yet, right?


Let me check:

git clone https://github.com/libsdl-org/SDL-1.2/ && cd SDL-1.2

tmp/SDL-1.2 $ git show 31a87d75

commit 31a87d75f15c7acd9470fab9ceb129c0a255871f
Author: Ozkan Sezer <sezeroz@gmail.com>
Date:   Tue Jul 30 21:30:24 2019 +0300

    Fixed bug 4538 - validate image size when loading BMP files

diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
index 758d4bbc..6cadc8a5 100644
--- a/src/video/SDL_bmp.c
+++ b/src/video/SDL_bmp.c
@@ -143,6 +143,11 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
        (void) biYPelsPerMeter;
        (void) biClrImportant;
 
+       if (biWidth <= 0 || biHeight == 0) {
+               SDL_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight);
+               was_error = SDL_TRUE;
+               goto done;
+       }
        if (biHeight < 0) {
                topDown = SDL_TRUE;
                biHeight = -biHeight;


So the fix is included in the snapshot.  
That's why I think v1.2.15_p20210224 should be stabliilized asap.

Comment 4 Sam James archtester

2021-03-10 06:33:38 UTC

Thanks for checking! But we package SDL-Image separately?

Comment 5 Volkmar W. Pogatzki 2021-03-10 07:18:37 UTC

(In reply to Sam James from comment #4)
> Thanks for checking! But we package SDL-Image separately?

What's "SDL-Image"?

Should be marked "RESOLVED DUPLICATE" of https://bugs.gentoo.org/692388
(CVE-2019-{7572,7573,7574,7575,7576,7577,7578,7635,7636,7638,13616})

Comment 6 Volkmar W. Pogatzki 2021-03-10 07:25:18 UTC

Mea culpa. Sorry for confusion.
I didn't even see the "-image" part in "media-libs/libsdl{,2}-image:", sorry.

Comment 7 Larry the Git Cow gentoo-dev

2021-03-31 22:41:13 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=54d2c207b4e88fb14ca7b39246ea7c938c983d3d

commit 54d2c207b4e88fb14ca7b39246ea7c938c983d3d
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-03-10 09:17:53 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2021-03-31 22:33:28 +0000

    media-libs/sdl-image: CVE-2019-13616 v1.2.12_p20210308
    
    Bug: https://bugs.gentoo.org/772194
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/19863
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 media-libs/sdl-image/Manifest                      |  1 +
 .../sdl-image/sdl-image-1.2.12_p20210308.ebuild    | 59 ++++++++++++++++++++++
 2 files changed, 60 insertions(+)

Comment 8 John Helmert III archtester

2021-04-01 02:30:24 UTC

sdl2-image is affected too, right?

Comment 9 Volkmar W. Pogatzki 2021-04-01 08:48:44 UTC

(In reply to John Helmert III from comment #8)
> sdl2-image is affected too, right?

Bug list of sdl2-image should tell
https://bugs.gentoo.org/buglist.cgi?quicksearch=media-libs%2Fsdl2-image&list_id=5378424

Someone please adjust the bug title

Comment 10 Larry the Git Cow gentoo-dev

2021-04-05 21:28:39 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8fbda6c4cbe2e75f8882ac19653398deb27e0aa6

commit 8fbda6c4cbe2e75f8882ac19653398deb27e0aa6
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-04-01 08:42:59 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2021-04-05 21:25:25 +0000

    media-libs/sdl2-image: CVE-2019-13616 _p20210328
    
    Bug: https://bugs.gentoo.org/772194
    
    Relevant patch is
    Fixed bug 4538 - validate image size when loading BMP files
    https://github.com/libsdl-org/SDL_image/commit/e12c931
    
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/20216
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 media-libs/sdl2-image/Manifest                     |  1 +
 media-libs/sdl2-image/metadata.xml                 |  4 ++
 .../sdl2-image/sdl2-image-2.0.5_p20210328.ebuild   | 62 ++++++++++++++++++++++
 3 files changed, 67 insertions(+)

Comment 11 John Helmert III archtester

2021-04-06 00:01:50 UTC

Thanks! Please stabilize when ready.

Comment 12 NATTkA bot gentoo-dev

2021-04-06 00:04:24 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: media-libs/sdl-image-1.2.12_p20210308

Comment 13 NATTkA bot gentoo-dev

2021-04-06 00:08:29 UTC Comment hidden (obsolete)

All sanity-check issues have been resolved

Comment 14 Sam James archtester

2021-05-16 07:57:57 UTC

Should be ready but let's be slow to clean up.

Comment 15 Sam James archtester

2021-05-16 18:53:37 UTC

x86 done

Comment 16 Sam James archtester

2021-05-16 18:55:19 UTC

amd64 done

Comment 17 Sam James archtester

2021-05-16 18:59:51 UTC

arm64 done

Comment 18 Sam James archtester

2021-05-16 19:35:30 UTC

arm done

Comment 19 Sam James archtester

2021-05-17 01:10:19 UTC

ppc64 done

Comment 20 Sam James archtester

2021-05-17 01:10:23 UTC

ppc done

Comment 21 Sam James archtester

2021-05-17 01:36:52 UTC

sparc done

all arches done

Comment 22 John Helmert III archtester

2021-05-18 01:44:35 UTC

Please cleanup

Comment 23 Larry the Git Cow gentoo-dev

2021-07-25 01:36:28 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4020ec8a3d7dbefeb4f388a633d1dedefe093333

commit 4020ec8a3d7dbefeb4f388a633d1dedefe093333
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2021-07-25 00:42:10 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2021-07-25 01:35:08 +0000

    media-libs/sdl2-image: drop vulnerable 2.0.5
    
    Bug: https://bugs.gentoo.org/772194
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 media-libs/sdl2-image/Manifest                |  1 -
 media-libs/sdl2-image/sdl2-image-2.0.5.ebuild | 61 ---------------------------
 2 files changed, 62 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6be869a20f381fb84f2c32dd382547b4465a6a1a

commit 6be869a20f381fb84f2c32dd382547b4465a6a1a
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2021-07-25 00:41:08 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2021-07-25 01:35:08 +0000

    media-libs/sdl-image: drop vulnerable 1.2.12-r2
    
    Bug: https://bugs.gentoo.org/772194
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 media-libs/sdl-image/Manifest                   |  1 -
 media-libs/sdl-image/sdl-image-1.2.12-r2.ebuild | 60 -------------------------
 2 files changed, 61 deletions(-)