Bug 22967

Summary: SDL_image new security issues CVE-2017-12122, CVE-2017-1444[0128], CVE-2017-14450, CVE-2018-383[7-9]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, marja11, shlomif, sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK
Source RPM: SDL_image-1.2.12-9.1.mga6.src.rpm CVE:
Status comment: Patches available from Debian

Description David Walser 2018-04-29 17:53:52 CEST 
Debian has issued an advisory on April 28:
https://www.debian.org/security/2018/dsa-4184

We previously fixed CVE-2017-2887, but the other issues are new.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-04-29 17:53:59 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-05-01 08:48:02 CEST 
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

David Walser 2018-05-04 08:26:32 CEST

Status comment: (none) => Patches available from Debian

Comment 2 Shlomi Fish 2018-05-22 11:58:27 CEST 
Patched package submitted to the BS as 1.2.12-9.2mga6.

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 3 David Walser 2018-05-24 15:08:17 CEST 
libSDL_image1.2_0-1.2.12-9.2.mga6
libSDL_image-devel-1.2.12-9.2.mga6
libSDL_image1.2_0-test-1.2.12-9.2.mga6

from SDL_image-1.2.12-9.2.mga6.src.rpm

from commit http://svnweb.mageia.org/packages?view=revision&revision=1231486

Thanks!  I'll get to the advisory later.
Comment 4 David Walser 2018-06-02 21:30:56 CEST 
Thanks again!  I also pushed the fixes to Mageia 5.  Sorry this took so long.

Advisory:
========================

Updated SDL_image packages fix security vulnerabilities:

Multiple vulnerabilities have been discovered in the image loading library for
Simple DirectMedia Layer 1.2, which could result in denial of service or the
execution of arbitrary code if malformed image files are opened
(CVE-2017-12122, CVE-2017-14440, CVE-2017-14441, CVE-2017-14442,
CVE-2017-14448, CVE-2017-14450, CVE-2018-3837, CVE-2018-3838, CVE-2018-3839).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12122
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14441
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3837
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3838
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3839
https://www.debian.org/security/2018/dsa-4184
========================

Updated packages in core/updates_testing:
========================
libSDL_image1.2_0-1.2.12-8.2.mga5
libSDL_image-devel-1.2.12-8.2.mga5
libSDL_image1.2_0-test-1.2.12-8.2.mga5
libSDL_image1.2_0-1.2.12-9.2.mga6
libSDL_image-devel-1.2.12-9.2.mga6
libSDL_image1.2_0-test-1.2.12-9.2.mga6

from SRPMS:
SDL_image-1.2.12-8.2.mga5.src.rpm
SDL_image-1.2.12-9.2.mga6.src.rpm

CC: (none) => shlomif
Whiteboard: (none) => MGA5TOO
Assignee: shlomif => qa-bugs

Comment 5 Herman Viaene 2018-06-04 10:51:14 CEST 
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
Ref bug 22650 Comments 10 and 11 for tests
Used grafx2 to display a jpeg file and save it as a png.
Viewing results with ristretto clearly shows the reduction of number of colors in the png file. The jpg file was 4.5Mb, the resulting png 2.5Mb.
OK for me.

CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

Comment 6 Len Lawrence 2018-06-06 00:52:01 CEST 
If nobody else does, I shall run this by Mageia 6 tomorrow.

CC: (none) => tarazed25

Dave Hodgins 2018-06-06 06:12:17 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Herman Viaene 2018-06-06 09:56:10 CEST 
MGA6-32
I don't see the updated packages. Usually the Belgian mirror is at most 24h behind, but not that much. And I've been able to do the MGA5 test????
Comment 8 Dave Hodgins 2018-06-06 10:10:14 CEST 
$ urpmq -i lib64SDL_image1.2_0|grep ^Source |sort -V|tail -n 1
Source RPM  : SDL_image-1.2.12-9.2.mga6.src.rpm
(This is with the princeton mirror)
$ rpm -q -i lib64SDL_image1.2_0|grep 'Build Date'
Build Date  : 2018-05-22T05:49:47 EDT

Note that on 32 bit, libSDL_image1.2_0 is available from
SDL_image-1.2.12-9.2.mga6.src.rpm

Tested with tuxpaint. Validating the update

Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2018-06-06 20:16:43 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0276.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED