Bug 772194 - <media-libs/libsdl{,2}-image-{1.2.12_p20210314, 2.0.5_p20210328}: heap buffer overread (CVE-2019-13616)
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa?]
Keywords: PullRequest
Depends on: 774024
Blocks: CVE-2019-13616, CVE-2019-7572, CVE-2019-7573, CVE-2019-7574, CVE-2019-7575, CVE-2019-7576, CVE-2019-7577, CVE-2019-7578, CVE-2019-7635, CVE-2019-7636, CVE-2019-7638
Reported: 2021-02-22 22:04 UTC by John Helmert III
Modified: 2021-07-25 06:10 UTC

See Also:
Package list:
media-libs/sdl-image-1.2.12_p20210314 media-libs/sdl2-image-2.0.5_p20210328 amd64 arm arm64 ppc sparc x86
Runtime testing required: ---
nattka: sanity-check+


Description John Helmert III gentoo-dev Security 2021-02-22 22:04:59 UTC
CVE-2019-13616: 

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c.

Patch: https://github.com/libsdl-org/SDL_image/commit/e12c931e5bb260821ac7f11833eb627331779dcf
Comment 1 Larry the Git Cow gentoo-dev 2021-03-06 08:52:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8a336de7c0ccd1263d27555be703dcfdfaa3d568

commit 8a336de7c0ccd1263d27555be703dcfdfaa3d568
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-03-03 17:32:46 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2021-03-06 08:52:11 +0000

    media-libs/libsdl: multiple CVEs v1.2.15_p20210224
    
    Bug: https://bugs.gentoo.org/772194
    Bug: https://bugs.gentoo.org/692388
    
    EAPI 7
    Bug: https://bugs.gentoo.org/774024
    
    Dropping older patches included in snapshot
    
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/19733
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 media-libs/libsdl/Manifest                         |   1 +
 .../libsdl/files/libsdl-1.2.15-sdl-config.patch    |   4 +-
 media-libs/libsdl/libsdl-1.2.15_p20210224.ebuild   | 139 +++++++++++++++++++++
 3 files changed, 142 insertions(+), 2 deletions(-)
Comment 2 Sam James archtester gentoo-dev Security 2021-03-09 22:46:51 UTC
@vaukai, this one isn't fixed yet, right?
Comment 3 Volkmar W. Pogatzki 2021-03-10 06:29:11 UTC
(In reply to Sam James from comment #2)
> @vaukai, this one isn't fixed yet, right?


Let me check:

git clone https://github.com/libsdl-org/SDL-1.2/ && cd SDL-1.2

tmp/SDL-1.2 $ git show 31a87d75

commit 31a87d75f15c7acd9470fab9ceb129c0a255871f
Author: Ozkan Sezer <sezeroz@gmail.com>
Date:   Tue Jul 30 21:30:24 2019 +0300

    Fixed bug 4538 - validate image size when loading BMP files

diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
index 758d4bbc..6cadc8a5 100644
--- a/src/video/SDL_bmp.c
+++ b/src/video/SDL_bmp.c
@@ -143,6 +143,11 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
        (void) biYPelsPerMeter;
        (void) biClrImportant;
 
+       if (biWidth <= 0 || biHeight == 0) {
+               SDL_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight);
+               was_error = SDL_TRUE;
+               goto done;
+       }
        if (biHeight < 0) {
                topDown = SDL_TRUE;
                biHeight = -biHeight;
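Review bot: the new check only rejects biWidth <= 0 and biHeight == 0; it puts no upper bound on either dimension, so a header that declares an enormous width or height still passes and the pitch and surface allocation further down have to cope with the product of the two. Consider rejecting dimensions above a sane maximum, or checking that width * bytes-per-pixel * height cannot overflow, in the same block before `goto done`. The branch that follows also does `biHeight = -biHeight;` for top-down images; for the most negative representable value that negation overflows, so the bad-dimensions check could reject that value as well.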


So the fix is included in the snapshot.
That's why I think v1.2.15_p20210224 should be stabilized asap.
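To show what the quoted BMP dimension check buys, here is an added example (not SDL's code, and not part of this bug) that parses biWidth/biHeight from a constructed BITMAPINFOHEADER, applies the same rule as the commit, and adds a size-overflow guard that the commit itself does not contain; the helper names and the 4-bytes-per-pixel worst case are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read a little-endian 32-bit signed value, as BMP headers store them. */
static int32_t read_le32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Validate BMP dimensions from an info header. Returns 0 if acceptable,
 * -1 if rejected. On success writes positive width/height and top_down. */
int bmp_validate_dims(const uint8_t *info_hdr, size_t len,
                      int32_t *w, int32_t *h, int *top_down) {
    if (len < 12) return -1;                  /* need biSize, biWidth, biHeight */
    int32_t bi_width  = read_le32(info_hdr + 4);
    int32_t bi_height = read_le32(info_hdr + 8);
    /* The rule from the quoted commit: width positive, height non-zero. */
    if (bi_width <= 0 || bi_height == 0) return -1;
    *top_down = 0;
    if (bi_height < 0) {                      /* negative height = top-down BMP */
        if (bi_height == INT32_MIN) return -1; /* -INT32_MIN would overflow */
        bi_height = -bi_height;
        *top_down = 1;
    }
    /* Extra guard (assumption, not in the patch): at a 4-byte/pixel worst
     * case the whole pixel buffer must still fit a 31-bit size. */
    uint64_t pitch = (uint64_t)bi_width * 4u;
    if (pitch * (uint64_t)bi_height > 0x7fffffffULL) return -1;
    *w = bi_width;
    *h = bi_height;
    return 0;
}

static void put_le32(uint8_t *p, int32_t v) {
    uint32_t u = (uint32_t)v;
    p[0] = (uint8_t)u; p[1] = (uint8_t)(u >> 8);
    p[2] = (uint8_t)(u >> 16); p[3] = (uint8_t)(u >> 24);
}

/* Build a constructed 40-byte info header with the given dimensions and
 * run it through the validator; returns the validator's verdict. */
int demo_header(int32_t width, int32_t height) {
    uint8_t hdr[40];
    memset(hdr, 0, sizeof hdr);
    put_le32(hdr, 40);                        /* biSize */
    put_le32(hdr + 4, width);
    put_le32(hdr + 8, height);
    int32_t w, h; int td;
    return bmp_validate_dims(hdr, sizeof hdr, &w, &h, &td);
}
```

A 640x480 header and a top-down 640x-480 header pass; zero or negative width, zero height, INT32_MIN height, and a 2147483647x2147483647 header are all rejected.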
Comment 4 Sam James archtester gentoo-dev Security 2021-03-10 06:33:38 UTC
Thanks for checking! But we package SDL-Image separately?
Comment 5 Volkmar W. Pogatzki 2021-03-10 07:18:37 UTC
(In reply to Sam James from comment #4)
> Thanks for checking! But we package SDL-Image separately?

What's "SDL-Image"?

Should be marked "RESOLVED DUPLICATE" of https://bugs.gentoo.org/692388
(CVE-2019-{7572,7573,7574,7575,7576,7577,7578,7635,7636,7638,13616})
Comment 6 Volkmar W. Pogatzki 2021-03-10 07:25:18 UTC
Mea culpa. Sorry for confusion.
I didn't even see the "-image" part in "media-libs/libsdl{,2}-image:", sorry.
Comment 7 Larry the Git Cow gentoo-dev 2021-03-31 22:41:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=54d2c207b4e88fb14ca7b39246ea7c938c983d3d

commit 54d2c207b4e88fb14ca7b39246ea7c938c983d3d
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-03-10 09:17:53 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2021-03-31 22:33:28 +0000

    media-libs/sdl-image: CVE-2019-13616 v1.2.12_p20210308
    
    Bug: https://bugs.gentoo.org/772194
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/19863
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 media-libs/sdl-image/Manifest                      |  1 +
 .../sdl-image/sdl-image-1.2.12_p20210308.ebuild    | 59 ++++++++++++++++++++++
 2 files changed, 60 insertions(+)
Comment 8 John Helmert III gentoo-dev Security 2021-04-01 02:30:24 UTC
sdl2-image is affected too, right?
Comment 9 Volkmar W. Pogatzki 2021-04-01 08:48:44 UTC
(In reply to John Helmert III from comment #8)
> sdl2-image is affected too, right?

The bug list of sdl2-image should tell:
https://bugs.gentoo.org/buglist.cgi?quicksearch=media-libs%2Fsdl2-image&list_id=5378424

Someone please adjust the bug title
Comment 10 Larry the Git Cow gentoo-dev 2021-04-05 21:28:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8fbda6c4cbe2e75f8882ac19653398deb27e0aa6

commit 8fbda6c4cbe2e75f8882ac19653398deb27e0aa6
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-04-01 08:42:59 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2021-04-05 21:25:25 +0000

    media-libs/sdl2-image: CVE-2019-13616 _p20210328
    
    Bug: https://bugs.gentoo.org/772194
    
    Relevant patch is
    Fixed bug 4538 - validate image size when loading BMP files
    https://github.com/libsdl-org/SDL_image/commit/e12c931
    
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/20216
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 media-libs/sdl2-image/Manifest                     |  1 +
 media-libs/sdl2-image/metadata.xml                 |  4 ++
 .../sdl2-image/sdl2-image-2.0.5_p20210328.ebuild   | 62 ++++++++++++++++++++++
 3 files changed, 67 insertions(+)
Comment 11 John Helmert III gentoo-dev Security 2021-04-06 00:01:50 UTC
Thanks! Please stabilize when ready.
Comment 12 NATTkA bot gentoo-dev 2021-04-06 00:04:24 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2021-04-06 00:08:29 UTC Comment hidden (obsolete)
Comment 14 Sam James archtester gentoo-dev Security 2021-05-16 07:57:57 UTC
Should be ready but let's be slow to clean up.
Comment 15 Sam James archtester gentoo-dev Security 2021-05-16 18:53:37 UTC
x86 done
Comment 16 Sam James archtester gentoo-dev Security 2021-05-16 18:55:19 UTC
amd64 done
Comment 17 Sam James archtester gentoo-dev Security 2021-05-16 18:59:51 UTC
arm64 done
Comment 18 Sam James archtester gentoo-dev Security 2021-05-16 19:35:30 UTC
arm done
Comment 19 Sam James archtester gentoo-dev Security 2021-05-17 01:10:19 UTC
ppc64 done
Comment 20 Sam James archtester gentoo-dev Security 2021-05-17 01:10:23 UTC
ppc done
Comment 21 Sam James archtester gentoo-dev Security 2021-05-17 01:36:52 UTC
sparc done

all arches done
Comment 22 John Helmert III gentoo-dev Security 2021-05-18 01:44:35 UTC
Please clean up
Comment 23 Larry the Git Cow gentoo-dev 2021-07-25 01:36:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4020ec8a3d7dbefeb4f388a633d1dedefe093333

commit 4020ec8a3d7dbefeb4f388a633d1dedefe093333
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2021-07-25 00:42:10 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2021-07-25 01:35:08 +0000

    media-libs/sdl2-image: drop vulnerable 2.0.5
    
    Bug: https://bugs.gentoo.org/772194
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 media-libs/sdl2-image/Manifest                |  1 -
 media-libs/sdl2-image/sdl2-image-2.0.5.ebuild | 61 ---------------------------
 2 files changed, 62 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6be869a20f381fb84f2c32dd382547b4465a6a1a

commit 6be869a20f381fb84f2c32dd382547b4465a6a1a
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2021-07-25 00:41:08 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2021-07-25 01:35:08 +0000

    media-libs/sdl-image: drop vulnerable 1.2.12-r2
    
    Bug: https://bugs.gentoo.org/772194
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 media-libs/sdl-image/Manifest                   |  1 -
 media-libs/sdl-image/sdl-image-1.2.12-r2.ebuild | 60 -------------------------
 2 files changed, 61 deletions(-)