| Summary: | SDL2_image new security vulnerabilities (TALOS-2017-048[89], TALOS-2017-049[01789], TALOS-2018-0519, TALOS-2018-052[01], TALOS-2018-0645) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Rémi Verschelde <rverschelde> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | lewyssmith, luigiwalser, rverschelde, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://www.libsdl.org/projects/SDL_image/ | | |
| Whiteboard: | MGA6-64-OK | | |
| Source RPM: | sdl2_image-2.0.1-1.1.mga6, mingw-SDL2_image-2.0.1-2.1.mga6 | CVE: | CVE-2017-12122, CVE-2017-14440, CVE-2017-14441, CVE-2017-14442, CVE-2017-14448, CVE-2017-14449, CVE-2017-14450, CVE-2018-3837, CVE-2018-3838, CVE-2018-3839, CVE-2018-3977 |
| Status comment: | Fixed upstream in 2.0.4 | | |

Description

Rémi Verschelde
2018-03-14 10:29:55 CET

Rémi Verschelde
2018-03-14 10:30:10 CET

URL: (none) => https://www.libsdl.org/projects/SDL_image/

Links to the TALOS vulnerability reports below. There are also CVEs assigned, I'll assume we want to use those in the advisory for consistency with other security updates.

- https://talosintelligence.com/vulnerability_reports/TALOS-2017-0488 (CVE-2017-12122)
- https://talosintelligence.com/vulnerability_reports/TALOS-2017-0489 (CVE-2017-14440)
- https://talosintelligence.com/vulnerability_reports/TALOS-2017-0490 (CVE-2017-14441)
- https://talosintelligence.com/vulnerability_reports/TALOS-2017-0491 (CVE-2017-14442)
- https://talosintelligence.com/vulnerability_reports/TALOS-2017-0497 (CVE-2017-14448)
- https://talosintelligence.com/vulnerability_reports/TALOS-2017-0498 (CVE-2017-14449)
- https://talosintelligence.com/vulnerability_reports/TALOS-2017-0499 (CVE-2017-14450)

Severity: major => critical

Mageia 5 is also affected. Only commandergenius, gource, noteye, pioneerspacesim, solarus, supertux, t-engine4, and vcmi use it there, so the impact is limited.

CC: (none) => luigiwalser
David Walser
2018-03-15 20:28:32 CET

Status comment: (none) => Fixed upstream in 2.0.3

openSUSE has issued an advisory for this today (March 18):
https://lists.opensuse.org/opensuse-updates/2018-03/msg00066.html

They did update to SDL2 2.0.8 and SDL2_image 2.0.3.

Debian has issued an advisory for this on April 20:
https://www.debian.org/security/2018/dsa-4177

It adds CVE-2018-383[7-9].

From bug 23845 comment 0:
> Fedora has issued an advisory today (November 15):
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EKZWW62EOUF3YAAVXXBR3VKGECVCOBDD/
>
> The issue is fixed upstream in 2.0.4.

This is CVE-2018-3977.

Summary: SDL2_image new security vulnerabilities (TALOS-2017-048[89], TALOS-2017-049[01789]) => SDL2_image new security vulnerabilities (TALOS-2017-048[89], TALOS-2017-049[01789], CVE-2018-3977)
Rémi Verschelde
2018-11-16 10:51:38 CET

Status comment: Fixed upstream in 2.0.3 => Fixed upstream in 2.0.4

Suggested advisory:
===================

Updated SDL2 stack fixes SDL2_image security vulnerabilities

This update fixes various security vulnerabilities affecting the SDL2_image library, listed below. The fixes are provided in SDL2_image 2.0.4, which depends on SDL2 2.0.8 or later. As such, the SDL2 and SDL2_mixer libraries are also updated to their current stable releases, providing various bug fixes and features.

The security vulnerabilities fixed in this update are the following:

An exploitable code execution vulnerability exists in the ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image can cause a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. (TALOS-2017-0488, CVE-2017-12122)

An exploitable code execution vulnerability exists in the ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image can cause a stack overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. (TALOS-2017-0489, CVE-2017-14440)

An exploitable code execution vulnerability exists in the ICO image rendering functionality of SDL2_image-2.0.2. A specially crafted ICO image can cause an integer overflow, cascading to a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. (TALOS-2017-0490, CVE-2017-14441)

An exploitable code execution vulnerability exists in the BMP image rendering functionality of SDL2_image-2.0.2. A specially crafted BMP image can cause a stack overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. (TALOS-2017-0491, CVE-2017-14442)

An exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. (TALOS-2017-0497, CVE-2017-14448)

A double-free vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause a double-free situation to occur. An attacker can display a specially crafted image to trigger this vulnerability. (TALOS-2017-0498, CVE-2017-14449)

A buffer overflow vulnerability exists in the GIF image parsing functionality of SDL2_image-2.0.2. A specially crafted GIF image can lead to a buffer overflow on a global section. An attacker can display an image to trigger this vulnerability. (TALOS-2017-0499, CVE-2017-14450)

An exploitable information disclosure vulnerability exists in the PCX image rendering functionality of SDL2_image-2.0.2. A specially crafted PCX image can cause an out-of-bounds read on the heap, resulting in information disclosure. An attacker can display a specially crafted image to trigger this vulnerability. (TALOS-2018-0519, CVE-2018-3837)

An exploitable information vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds read on the heap, resulting in information disclosure. An attacker can display a specially crafted image to trigger this vulnerability. (TALOS-2018-0520, CVE-2018-3838)

An exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. (TALOS-2018-0521, CVE-2018-3839)

An exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.3. A specially crafted XCF image can cause a heap overflow, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. (TALOS-2018-0645, CVE-2018-3977)

References:
- https://talosintelligence.com/vulnerability_reports/TALOS-2017-0488
- https://talosintelligence.com/vulnerability_reports/TALOS-2017-0489
- https://talosintelligence.com/vulnerability_reports/TALOS-2017-0490
- https://talosintelligence.com/vulnerability_reports/TALOS-2017-0491
- https://talosintelligence.com/vulnerability_reports/TALOS-2017-0497
- https://talosintelligence.com/vulnerability_reports/TALOS-2017-0498
- https://talosintelligence.com/vulnerability_reports/TALOS-2017-0499
- https://talosintelligence.com/vulnerability_reports/TALOS-2018-0519
- https://talosintelligence.com/vulnerability_reports/TALOS-2018-0520
- https://talosintelligence.com/vulnerability_reports/TALOS-2018-0521
- https://talosintelligence.com/vulnerability_reports/TALOS-2018-0645
- https://hg.libsdl.org/SDL/file/8feb5da6f2fb/WhatsNew.txt
- https://www.libsdl.org/projects/SDL_image/
- https://www.libsdl.org/projects/SDL_mixer/

SRPMs in core/updates_testing:
==============================
mingw-SDL2-2.0.9-1.mga6
mingw-SDL2_image-2.0.4-1.mga6
mingw-SDL2_mixer-2.0.4-1.mga6
sdl2-2.0.9-1.mga6
sdl2_image-2.0.4-1.mga6
sdl2_mixer-2.0.4-1.mga6

CC: (none) => rverschelde

RPMs in core/updates_testing:
=============================
lib(64)sdl2.0_0-2.0.9-1.mga6
lib(64)sdl2.0-devel-2.0.9-1.mga6
lib(64)sdl2.0-static-devel-2.0.9-1.mga6
sdl2-docs-2.0.9-1.mga6.noarch
lib(64)sdl2_image2.0_0-2.0.4-1.mga6
lib(64)sdl2_image-devel-2.0.4-1.mga6
lib(64)sdl2_image-static-devel-2.0.4-1.mga6
lib(64)sdl2_image2.0_0-test-2.0.4-1.mga6
lib(64)sdl2_mixer2.0_0-2.0.4-1.mga6
lib(64)sdl2_mixer-devel-2.0.4-1.mga6
lib(64)sdl2_mixer-static-devel-2.0.4-1.mga6
sdl2_mixer-player-2.0.4-1.mga6
mingw32-SDL2-2.0.9-1.mga6.noarch
mingw32-SDL2-static-2.0.9-1.mga6.noarch
mingw64-SDL2-2.0.9-1.mga6.noarch
mingw64-SDL2-static-2.0.9-1.mga6.noarch
mingw32-SDL2_mixer-2.0.4-1.mga6.noarch
mingw64-SDL2_mixer-2.0.4-1.mga6.noarch
mingw32-SDL2_image-2.0.4-1.mga6.noarch
mingw64-SDL2_image-2.0.4-1.mga6.noarch

Testing procedure:
==================

IMPORTANT: Those SDL2 libraries are used by various packages (mostly games), so we need to test them to ensure that they still work as expected with those new versions. If they don't, we'll need to rebuild them all.

The best way to test this update is thus to test some of the games that depend on it (list below). You can and should of course not test all of those packages, but launching a handful of them would be good. You can leave out the mingw* packages which are leaf packages only used to cross-compile Windows binaries from Linux.

---
# List of packages using SDL2, SDL2_image and SDL2_mixer:
blobwars caveexpress cavepacker cdogs-sdl flare-engine freeciv-client hedgewars meandmyshadow mirrormagic noteye redeclipse rocksndiamonds starfighter tbftss trackballs vcmi wesnoth widelands

---
# List of packages using SDL2 and SDL2_image, but not SDL2_mixer:
chromium-bsu colobot commandergenius crawl-tiles fife gambas3-gb-sdl2 gource keeperrl lib64cegui0_2 lib64fife0.4.1 lib64fifechan0.1.4 lib64sdl2_image2.0_0 lib64sdl2_image2.0_0-test lib64solarus1 numptyphysics pioneerspacesim supertux t-engine4 trigger-rally vdrift

---
# List of packages using SDL2 and SDL2_mixer, but not SDL2_image:
atomiks bear-engine chocolate-doom corsixth easyrpg-player gambas3-gb-sdl2-audio goatattack ivan jumpnbump lib64lightspark0 lib64sdl2_mixer2.0_0 naev python2-pysol-sound-server python3-pysol-sound-server sdl2_mixer-player taisei ufoai yourik

---
# List of packages using only SDL2, not SDL2_image nor SDL2_mixer:
0ad 7kaa audacious-plugins baresip bitfighter blender blobby digger dumb endless-sky ffmpeg fizmo freeorion fs-uae gemrb gpac gzdoom hatari ioquake3 lib64audaspace1 lib64avformat58 lib64gviewrender2.0_2 lib64mpv1 lib64mupen64plus2 lib64myth29 lib64sdl2.0_0 lib64sdl2.0-devel lib64sdl2_gfx1.0_0 lib64sdl2_net2.0_0 lib64sdl2_ttf2.0_0 lib64sdl2_ttf2.0_0-test lib64tcod1 lightspark love lugaru m64py mame mame-tools mednafen megaglest mgba mgba-qt mlt mpv mupen64plus mythtv-frontend mythtv-plugin-archive mythtv-plugin-browser mythtv-plugin-gallery mythtv-plugin-game mythtv-plugin-music mythtv-plugin-netvision mythtv-plugin-news mythtv-plugin-weather mythtv-plugin-zoneminder neverball openal openclonk openmw pcsxr performous ppsspp qemu-audio-sdl qemu-ui-gtk qemu-ui-sdl qtgamepad5 scummvm snes9x-gtk speed-dreams spring stella stuntrally warsow warzone2100 xonotic yamagi-quake2

---
Note: My lists above are from Cauldron, some of those packages may not exist in Mageia 6 or have different dependencies (e.g. depend on SDL 1.2). You can list packages for yourself with:

urpmq --whatrequires lib64sdl2.0_0 > sdl2
urpmq --whatrequires lib64sdl2_image2.0_0 > sdl2_image
urpmq --whatrequires lib64sdl2_mixer2.0_0 > sdl2_mixer

And you can check intersections between those lists with:

grep -Fx -f sdl2 sdl2_image > sdl2+image
grep -Fx -f sdl2+image sdl2_mixer > sdl2+image+mixer

Other intersections found with `grep -Fxv -f file1 file2` as documented on https://www.commandlinefu.com/commands/view/5710/intersection-between-two-files

Keywords: (none) => has_procedure

*** Bug 23845 has been marked as a duplicate of this bug. ***

Mageia 6, x86_64

Thanks Rémi for the informative note - bookmarking that.

Installed all 16 64-bit packages including the mingw files to ensure that they could be upgraded cleanly. Checked a few of the CVEs to see what the Talos analyses came up with. Nothing there for us to test. Updated all the packages.

ffmpeg, supertux and mpv already installed.
Installed: blobwars, cavepacker, hedgewars, rocksndiamonds, starfighter, wesnoth, fife, pioneerspacesim, atomiks, goatattack, naev, ufoai, endless-sky, gemrb, lightspark, neverball

Successfully launched all of the games from the Games menu. Played a few of them or ran tutorials. Used ffmpeg to convert an MP3 file to OGG and played the result using mpv.

GemRB failed with a message about a missing config file.

$ lightspark surfacefly_spirit.swf
This failed on the file version:
INFO: SWF version 6 is not handled by lightspark, falling back to gnash (if available)

Tried another SWF file and raised the same complaint about version 6.

Are these tests enough for the updated packages?

CC:
(none) => tarazed25

All those tests seem very good yes, thanks.

For ffmpeg, I think SDL2 is only used by the `ffplay` utility included in the package, to spawn a window (and maybe some rendering effects). `ffplay <path/to/file>` should open a window to play it (whether music or video).

gemrb is a libre engine for a proprietary game, so it requires the game's data installed/extracted from the CD, etc., so indeed it needs some manual configuration to be usable and goes beyond the scope of this update's testing.

According to its website, lightspark is still in an alpha state and only supports 60% of Flash's features, so it's probably normal that you can't make it work on your test SWF files.

Right, I'll send this one on its way. I tried blender as well, not that I know how to drive it. Looked OK.

Whiteboard: (none) => MGA6-64-OK

Sorry. Forgot about ffplay. That worked fine, spawning a window with special effects as the track played. All pure audio files worked like that. With an mp4 file the inbuilt video preempted the special effects window.

Validating this in anticipation of the final advisory. Thanks for your suggested advisory Rémi and for providing so much input on the testing side.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0454.html

Resolution: (none) => FIXED
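Added example, not code from the bug report, from Mageia QA or from the SDL project: the testing procedure above only spells out two of the intersections, so this script computes all four reverse-dependency groups it enumerates (SDL2+image+mixer, image only, mixer only, SDL2 only) with the same whole-line fixed-string `grep -Fx -f` / `grep -Fxv -f` trick. Because `urpmq --whatrequires` needs a Mageia box, the three input lists are constructed stand-ins for its output; the package names are taken from the lists in the comment but the membership is made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report): partition the reverse-dependency
# lists the testing procedure builds with
#   urpmq --whatrequires lib64sdl2.0_0        > sdl2
#   urpmq --whatrequires lib64sdl2_image2.0_0 > sdl2_image
#   urpmq --whatrequires lib64sdl2_mixer2.0_0 > sdl2_mixer
# into the four groups it enumerates, using whole-line fixed-string grep
# (-Fx) with pattern files (-f), exactly as the procedure does.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for the three urpmq output files (one package per line).
# Membership is invented for the demo; it is not real Mageia dependency data.
printf '%s\n' 0ad atomiks blobwars gource mpv naev supertux wesnoth > "$WORK/sdl2"
printf '%s\n' blobwars gource supertux wesnoth > "$WORK/sdl2_image"
printf '%s\n' atomiks blobwars naev wesnoth > "$WORK/sdl2_mixer"

# both  A [B]: lines of B (stdin if B is omitted) that also occur in A
# minus A [B]: lines of B (stdin if B is omitted) that do not occur in A
# grep exits 1 when nothing matches; "|| true" keeps set -e from aborting then.
both()  { grep -Fx  -f "$1" "${2:--}" || true; }
minus() { grep -Fxv -f "$1" "${2:--}" || true; }

# group NAME: print the members of one group, one per line, sorted.
# As in the procedure, a list is first restricted to packages that really
# require lib64sdl2.0_0 ("sdl2+image", "sdl2+mixer"), then split further.
group() {
    case $1 in
        sdl2+image+mixer) both "$WORK/sdl2" "$WORK/sdl2_image" | both  "$WORK/sdl2_mixer" ;;
        image_only)       both "$WORK/sdl2" "$WORK/sdl2_image" | minus "$WORK/sdl2_mixer" ;;
        mixer_only)       both "$WORK/sdl2" "$WORK/sdl2_mixer" | minus "$WORK/sdl2_image" ;;
        sdl2_only)        minus "$WORK/sdl2_image" "$WORK/sdl2" | minus "$WORK/sdl2_mixer" ;;
        *) echo "group: unknown group '$1'" >&2; return 1 ;;
    esac | LC_ALL=C sort
}

# Stand-alone run: print the four lists in the order the procedure lists them.
for g in sdl2+image+mixer image_only mixer_only sdl2_only; do
    printf '# %s:\n' "$g"
    group "$g"
done
```

The four groups are disjoint and together cover every package in `sdl2`, which is the property you want before picking "a handful" of packages from each to launch: a package that links only SDL2_mixer will never exercise the patched image loaders, so the sample should contain at least one entry from each of the first two groups.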