Summary: | <media-libs/libsdl{,2}-image-{1.2.12_p20210314, 2.0.5_p20210328}: heap buffer overread (CVE-2019-13616) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | games, sam |
Priority: | Normal | Keywords: | PullRequest |
Version: | unspecified | Flags: | nattka: sanity-check+ |
Hardware: | All | | |
OS: | Linux | | |
See Also: | https://github.com/gentoo/gentoo/pull/19733 https://github.com/gentoo/gentoo/pull/19863 https://github.com/gentoo/gentoo/pull/20216 | | |
Whiteboard: | B4 [glsa+] | | |
Package list: | media-libs/sdl-image-1.2.12_p20210314 | | |
 | media-libs/sdl2-image-2.0.5_p20210328 amd64 arm arm64 ppc sparc x86 | | |
Runtime testing required: | --- | | |
Bug Depends on: | 774024 | | |
Bug Blocks: | 692386 | | |
Description
John Helmert III
2021-02-22 22:04:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8a336de7c0ccd1263d27555be703dcfdfaa3d568

commit 8a336de7c0ccd1263d27555be703dcfdfaa3d568
Author: Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-03-03 17:32:46 +0000
Commit: James Le Cuirot <chewi@gentoo.org>
CommitDate: 2021-03-06 08:52:11 +0000

media-libs/libsdl: multiple CVEs v1.2.15_p20210224

Bug: https://bugs.gentoo.org/772194
Bug: https://bugs.gentoo.org/692388
EAPI 7
Bug: https://bugs.gentoo.org/774024
Dropping older patches included in snapshot
Package-Manager: Portage-3.0.13, Repoman-3.0.2
Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
Closes: https://github.com/gentoo/gentoo/pull/19733
Signed-off-by: James Le Cuirot <chewi@gentoo.org>

media-libs/libsdl/Manifest | 1 +
.../libsdl/files/libsdl-1.2.15-sdl-config.patch | 4 +-
media-libs/libsdl/libsdl-1.2.15_p20210224.ebuild | 139 +++++++++++++++++++++
3 files changed, 142 insertions(+), 2 deletions(-)

@vaukai, this one isn't fixed yet, right?

(In reply to Sam James from comment #2)
> @vaukai, this one isn't fixed yet, right?

Let me check:

git clone https://github.com/libsdl-org/SDL-1.2/ && cd SDL-1.2
tmp/SDL-1.2 $ git show 31a87d75
commit 31a87d75f15c7acd9470fab9ceb129c0a255871f
Author: Ozkan Sezer <sezeroz@gmail.com>
Date: Tue Jul 30 21:30:24 2019 +0300

Fixed bug 4538 - validate image size when loading BMP files

diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c index 758d4bbc..6cadc8a5 100644 --- a/src/video/SDL_bmp.c +++ b/src/video/SDL_bmp.c
@@ -143,6 +143,11 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc) (void) biYPelsPerMeter; (void) biClrImportant; + if (biWidth <= 0 || biHeight == 0) { + SDL_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight); + was_error = SDL_TRUE; + goto done; + } if (biHeight < 0) { topDown = SDL_TRUE; biHeight = -biHeight;

So the fix is included in the snapshot. That's why I think v1.2.15_p20210224 should be stabilized asap.

Thanks for checking! But we package SDL-Image separately?

(In reply to Sam James from comment #4)
> Thanks for checking! But we package SDL-Image separately?

What's "SDL-Image"? Should be marked "RESOLVED DUPLICATE" of https://bugs.gentoo.org/692388 (CVE-2019-{7572,7573,7574,7575,7576,7577,7578,7635,7636,7638,13616})

Mea culpa. Sorry for confusion. I didn't even see the "-image" part in "media-libs/libsdl{,2}-image:", sorry.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=54d2c207b4e88fb14ca7b39246ea7c938c983d3d

commit 54d2c207b4e88fb14ca7b39246ea7c938c983d3d
Author: Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-03-10 09:17:53 +0000
Commit: James Le Cuirot <chewi@gentoo.org>
CommitDate: 2021-03-31 22:33:28 +0000

media-libs/sdl-image: CVE-2019-13616 v1.2.12_p20210308

Bug: https://bugs.gentoo.org/772194
Package-Manager: Portage-3.0.13, Repoman-3.0.2
Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
Closes: https://github.com/gentoo/gentoo/pull/19863
Signed-off-by: James Le Cuirot <chewi@gentoo.org>

media-libs/sdl-image/Manifest | 1 +
.../sdl-image/sdl-image-1.2.12_p20210308.ebuild | 59 ++++++++++++++++++++++
2 files changed, 60 insertions(+)

sdl2-image is affected too, right?

(In reply to John Helmert III from comment #8)
> sdl2-image is affected too, right?

Bug list of sdl2-image should tell https://bugs.gentoo.org/buglist.cgi?quicksearch=media-libs%2Fsdl2-image&list_id=5378424

Someone please adjust the bug title

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8fbda6c4cbe2e75f8882ac19653398deb27e0aa6

commit 8fbda6c4cbe2e75f8882ac19653398deb27e0aa6
Author: Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-04-01 08:42:59 +0000
Commit: James Le Cuirot <chewi@gentoo.org>
CommitDate: 2021-04-05 21:25:25 +0000

media-libs/sdl2-image: CVE-2019-13616 _p20210328

Bug: https://bugs.gentoo.org/772194
Relevant patch is
Fixed bug 4538 - validate image size when loading BMP files
https://github.com/libsdl-org/SDL_image/commit/e12c931
Package-Manager: Portage-3.0.17, Repoman-3.0.2
Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
Closes: https://github.com/gentoo/gentoo/pull/20216
Signed-off-by: James Le Cuirot <chewi@gentoo.org>

media-libs/sdl2-image/Manifest | 1 +
media-libs/sdl2-image/metadata.xml | 4 ++
.../sdl2-image/sdl2-image-2.0.5_p20210328.ebuild | 62 ++++++++++++++++++++++
3 files changed, 67 insertions(+)

Thanks! Please stabilize when ready.

Unable to check for sanity:
> no match for package: media-libs/sdl-image-1.2.12_p20210308

All sanity-check issues have been resolved

Should be ready but let's be slow to clean up.

x86 done

amd64 done

arm64 done

arm done

ppc64 done

ppc done

sparc done

all arches done

Please cleanup

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4020ec8a3d7dbefeb4f388a633d1dedefe093333

commit 4020ec8a3d7dbefeb4f388a633d1dedefe093333
Author: Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2021-07-25 00:42:10 +0000
Commit: Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2021-07-25 01:35:08 +0000

media-libs/sdl2-image: drop vulnerable 2.0.5

Bug: https://bugs.gentoo.org/772194
Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

media-libs/sdl2-image/Manifest | 1 -
media-libs/sdl2-image/sdl2-image-2.0.5.ebuild | 61 ---------------------------
2 files changed, 62 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6be869a20f381fb84f2c32dd382547b4465a6a1a

commit 6be869a20f381fb84f2c32dd382547b4465a6a1a
Author: Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2021-07-25 00:41:08 +0000
Commit: Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2021-07-25 01:35:08 +0000

media-libs/sdl-image: drop vulnerable 1.2.12-r2

Bug: https://bugs.gentoo.org/772194
Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

media-libs/sdl-image/Manifest | 1 -
media-libs/sdl-image/sdl-image-1.2.12-r2.ebuild | 60 -------------------------
2 files changed, 61 deletions(-)
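
Review bot: In the src/video/SDL_bmp.c hunk quoted in the thread above (@@ -143,6 +143,11 @@), the added check rejects `biWidth <= 0` and `biHeight == 0` but leaves the unchanged `biHeight = -biHeight;` directly below it reachable with the most negative value the field can hold, and negating that value overflows a signed integer. If biHeight is a signed 32-bit field, as the `%d` in the new error message suggests, consider rejecting that value in the same condition so the top-down branch only ever negates a representable height. The check also sets no upper bound on either dimension; whether later size arithmetic on width and height is safe cannot be judged from the lines shown, so that is worth confirming against the rest of the function before relying on this check alone.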