| Summary: | SDL_image new security issue CVE-2017-2887 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | rverschelde, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA5-64-OK MGA6-64-OK | ||
| Source RPM: | SDL_image-1.2.12-9.mga6, mingw-SDL_image-1.2.12-13.mga6 | CVE: | CVE-2017-2887 |
| Status comment: | Patch available from openSUSE | ||
| Attachments: | strace output from sdlshow | ||
Description
David Walser
2018-02-24 23:04:41 CET
David Walser
2018-02-24 23:05:54 CET
Whiteboard:
(none) =>
MGA6TOO
David Walser
2018-02-25 00:00:51 CET
Status comment:
(none) =>
Patch available from openSUSE

Thanks David, fixed in Cauldron with the patch from openSUSE, and here's the advisory for Mageia 6:

Advisory:
=========

Updated SDL_image packages fix security vulnerability

A specially crafted file could have been used to cause a stack overflow resulting in potential code execution (CVE-2017-2887).

References:
- https://lists.opensuse.org/opensuse-updates/2018-02/msg00074.html

RPMs in core/updates_testing:
=============================
lib(64)SDL_image1.2_0-1.2.12-9.1.mga6
lib(64)SDL_image-devel-1.2.12-9.1.mga6
lib(64)SDL_image1.2_0-test-1.2.12-9.1.mga6

SRPM in core/updates_testing:
=============================
SDL_image-1.2.12-9.1.mga6

CVE:
(none) =>
CVE-2017-2887

Testing procedure:
==================
The easiest is to run applications using lib(64)SDL_image1.2_0 to load images; we have many (mainly games) you can choose from:

$ urpmq --whatrequires lib64SDL_image1.2_0
airstrike angband aranym armagetron asc assaultcube beret berusky
berusky2 bloboats brainparty brutalchess btanks bugsquish bumprace burgerspace
chroma circuslinux clanbomber csmash cube-escape dreamchess edgar egoboo
enigma erlang-esdl fillets-ng flare flaw freedink freedroid freedroidrpg
gearhead-sdl globulation2 grafx2 harris hedgewars hex-a-hop holotz-castle kobodeluxe
lib64SDL_image-devel lib64SDL_image1.2_0 lib64SDL_image1.2_0-test lib64flatzebra2
lib64guichan0.8.1_1 lib64t4k_common0 libbpg lincity-ng manaplus meandmyshadow megamario
mirrormagic moleinvasion mures navit-graphics-sdl ocaml-sdl openmortal openxcom
penguin-command perl-SDL phun pinball pingus prboom-plus python-pygame ruby-SDL
sauerbraten sdl-ball sdlbrt sdljava tecnoballz tong trackballs tsc tuxmath tuxpaint
tuxtype ultimatestunts valyriatear vlc-plugin-sdl vlc-plugin-sdl warmux wesnoth wizznic
xlogical xsoldier zaz

Keywords:
(none) =>
has_procedure

mingw-SDL_image also needed to be patched similarly, so adding it to the advisory. If the native Linux version (lib(64)SDL_image1.2_0) works as expected, there's no reason the Windows DLL (mingw32- and mingw64- flavours) would not work, so I don't think those two require much testing.

Advisory:
=========

Updated SDL_image packages fix security vulnerability

A specially crafted file could have been used to cause a stack overflow resulting in potential code execution (CVE-2017-2887).

References:
- https://lists.opensuse.org/opensuse-updates/2018-02/msg00074.html

RPMs in core/updates_testing:
=============================
lib(64)SDL_image1.2_0-1.2.12-9.1.mga6
lib(64)SDL_image-devel-1.2.12-9.1.mga6
lib(64)SDL_image1.2_0-test-1.2.12-9.1.mga6
mingw32-SDL_image-1.2.12-13.1.mga6
mingw64-SDL_image-1.2.12-13.1.mga6

SRPM in core/updates_testing:
=============================
mingw-SDL_image-1.2.12-13.1.mga6
SDL_image-1.2.12-9.1.mga6

Source RPM:
SDL_image-1.2.12-9.mga6.src.rpm =>
SDL_image-1.2.12-9.mga6, mingw-SDL_image-1.2.12-13.mga6

Last update to the advisory as I found https://www.suse.com/security/cve/CVE-2017-2887/ to be a better reference. It also makes it clear that the vulnerability affects XCF files (like bug 21881), so it could be tested by displaying XCF files using `sdlshow` from the `lib(64)SDL_image1.2_0-test` package.

Advisory:
=========

Updated SDL_image packages fix security vulnerability

An exploitable buffer overflow vulnerability exists in the XCF property handling functionality of SDL_image 2.0.1. A specially crafted xcf file can cause a stack-based buffer overflow resulting in potential code execution. An attacker can provide a specially crafted XCF file to trigger this vulnerability (CVE-2017-2887).

References:
- https://www.suse.com/security/cve/CVE-2017-2887/

RPMs in core/updates_testing:
=============================
lib(64)SDL_image1.2_0-1.2.12-9.1.mga6
lib(64)SDL_image-devel-1.2.12-9.1.mga6
lib(64)SDL_image1.2_0-test-1.2.12-9.1.mga6
mingw32-SDL_image-1.2.12-13.1.mga6
mingw64-SDL_image-1.2.12-13.1.mga6

SRPM in core/updates_testing:
=============================
mingw-SDL_image-1.2.12-13.1.mga6
SDL_image-1.2.12-9.1.mga6

Mageia 6 :: x86_64

Installed any missing packages then tried sdlshow on a couple of files which were imported as JPEGs into the GIMP and exported as XCF. The XCF files displayed OK with ImageMagick but sdlshow showed a blank rectangle each time. Updated the packages and tried again. The xcf files still displayed as blank panels.

sdlshow displays images downloaded from the web which are described as specimen XCF files but which in fact come down as JPEGs. The headers contain the string 'JFIF'. The XCF files from GIMP are identified by 'gimp xcf'. Don't know what to make of this.

CC:
(none) =>
tarazed25

There are errors on loading the .xcf file into GIMP ending with this:
"(gimp:3572): LibGimpBase-WARNING **: gimp: gimp_wire_read(): error
GIMP-Error: Calling error for procedure 'gimp-procedural-db-proc-info':
Procedure 'gimp--gimp-append-data' not found"
The image looks OK.
On closing the GIMP, this message:
"HMM.... Something strange is happening, malloc and free function pointer changing between invocations in babl."

Created attachment 10044
strace output from sdlshow

Due to the broad impact of this one, I would like to see it updated for Mageia 5 as well. I'd do it myself, but I still don't have access to SSH/SVN.

Mageia 5 update provided as well.

libSDL_image1.2_0-1.2.12-8.1.mga5
libSDL_image-devel-1.2.12-8.1.mga5
libSDL_image1.2_0-test-1.2.12-8.1.mga5

from SDL_image-1.2.12-8.1.mga5.src.rpm

Whiteboard:
(none) =>
MGA5TOO

There are a lot of applications which use the SDL image library, many of them games. One image editor is grafx2.
$ strace grafx2 /fom/pad/sunset.xcf 2> trace
grafx2 uses a canvas of fixed size which is too small to show the whole image but it displayed OK.
$ cat trace | grep SDL
open("/lib64/libSDL-1.2.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libSDL_image-1.2.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libSDL_ttf-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
Spent a couple of minutes with games pingus and mirrormagic. They looked like they were working and displaying animated images fine.
This may be enough for an OK for mga6 x86_64.
Thanks Len, grafx2 looks to do the job. My test images were small so it showed them with plenty of leftover space.
$ strace -o /tmp/grafx2.out grafx2 walser/img/luigi/luigi.xcf
$ grep SDL /tmp/grafx2.out
open("/lib64/libSDL-1.2.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libSDL_image-1.2.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libSDL_ttf-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3

Whiteboard:
MGA5TOO =>
MGA5TOO MGA5-64-OK MGA6-64-OK

Advisory from comments 4 & 9.

Keywords:
(none) =>
advisory, validated_update
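As an added example, not part of the bug report and not Mageia QA tooling, here is a small POSIX shell helper for the testing procedure discussed above. It addresses the two pitfalls the testers hit: "specimen" XCF files fetched from the web that were really JPEGs (a JFIF header rather than the 'gimp xcf' magic), and the need to confirm from an strace log that the application under test actually opened libSDL_image-1.2.so.0, as was done for grafx2. Function names are my own, and the sample image headers and strace excerpts are constructed inline for the demo.

```shell
#!/bin/sh
# Added example (not from the bug report or from Mageia): helpers for the
# SDL_image testing procedure. Function names and sample data are my own.

# Exit 0 only if FILE begins with the 9-byte GIMP XCF magic "gimp xcf ".
# tr strips any NUL so the shell does not complain about the comparison.
is_real_xcf() {
    [ "$(dd if="$1" bs=1 count=9 2>/dev/null | LC_ALL=C tr -d '\000')" = "gimp xcf " ]
}

# Classify an image file by its magic bytes: xcf, jpeg or unknown.
# A JFIF JPEG carries the string "JFIF" at byte offset 6 (after FF D8 FF E0
# and the 2-byte APP0 length), which is what the testers saw in the headers.
file_kind() {
    if is_real_xcf "$1"; then
        echo xcf
    elif [ "$(dd if="$1" bs=1 skip=6 count=4 2>/dev/null)" = "JFIF" ]; then
        echo jpeg
    else
        echo unknown
    fi
}

# Exit 0 only if an strace log shows a successful open()/openat() of
# libSDL_image-1.2.so.0. A failed open is logged with "= -1", so skip those.
sdl_image_loaded() {
    grep -E '^(open|openat)\(.*libSDL_image-1\.2\.so\.0' "$1" | grep -vq '= -1'
}

# Constructed sample inputs: a minimal XCF header, a minimal JFIF header, and
# two strace excerpts modelled on the grafx2 trace quoted in the report.
make_samples() {
    dir=$(mktemp -d)
    printf 'gimp xcf v001\000' > "$dir/real.xcf"
    printf '\377\330\377\340\000\020JFIF\000' > "$dir/fake.xcf"
    printf 'open("/lib64/libSDL-1.2.so.0", O_RDONLY|O_CLOEXEC) = 3\n' > "$dir/good.trace"
    printf 'open("/lib64/libSDL_image-1.2.so.0", O_RDONLY|O_CLOEXEC) = 3\n' >> "$dir/good.trace"
    printf 'open("/lib64/libSDL_image-1.2.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)\n' > "$dir/bad.trace"
    printf '%s\n' "$dir"
}

# Stand-alone demo: classify the sample images and check both traces.
samples=$(make_samples)
for f in real.xcf fake.xcf; do
    printf '%s: %s\n' "$f" "$(file_kind "$samples/$f")"
done
for t in good.trace bad.trace; do
    if sdl_image_loaded "$samples/$t"; then
        printf '%s: libSDL_image-1.2.so.0 loaded\n' "$t"
    else
        printf '%s: libSDL_image-1.2.so.0 NOT loaded\n' "$t"
    fi
done
rm -rf "$samples"
```

In practice you would point `file_kind` at the XCF you intend to feed to `sdlshow` or grafx2 before the test, and `sdl_image_loaded` at the output of `strace -o /tmp/app.out app file.xcf`; a test run that never opens libSDL_image-1.2.so.0 says nothing about the updated package.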
David Walser
2018-03-17 20:27:44 CET
QA Contact:
rverschelde =>
security

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0170.html

Status:
NEW =>
RESOLVED