Bug 22650 - SDL_image new security issue CVE-2017-2887
Summary: SDL_image new security issue CVE-2017-2887
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-02-24 23:04 CET by David Walser
Modified: 2018-03-19 13:14 CET

See Also:
Source RPM: SDL_image-1.2.12-9.mga6, mingw-SDL_image-1.2.12-13.mga6
CVE: CVE-2017-2887
Status comment: Patch available from openSUSE


Attachments
strace output from sdlshow (35.61 KB, application/octet-stream)
2018-03-14 23:15 CET, Len Lawrence

Description David Walser 2018-02-24 23:04:41 CET
openSUSE has issued an advisory on February 20:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00074.html

We initially fixed this in SDL2_image in Bug 21881, but SDL_image is also affected.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-02-24 23:05:54 CET

Whiteboard: (none) => MGA6TOO

David Walser 2018-02-25 00:00:51 CET

Status comment: (none) => Patch available from openSUSE

Comment 1 Rémi Verschelde 2018-03-14 09:45:00 CET
Thanks David, fixed in Cauldron with the patch from openSUSE, and here's the advisory for Mageia 6:

Advisory:
=========

Updated SDL_image packages fix security vulnerability

  A specially crafted file could have been used to cause a stack overflow
  resulting in potential code execution (CVE-2017-2887).

References:
 - https://lists.opensuse.org/opensuse-updates/2018-02/msg00074.html

RPMs in core/updates_testing:
=============================

lib(64)SDL_image1.2_0-1.2.12-9.1.mga6
lib(64)SDL_image-devel-1.2.12-9.1.mga6
lib(64)SDL_image1.2_0-test-1.2.12-9.1.mga6

SRPM in core/updates_testing:
=============================

SDL_image-1.2.12-9.1.mga6

CVE: (none) => CVE-2017-2887
Version: Cauldron => 6
Assignee: rverschelde => qa-bugs
QA Contact: security => rverschelde
Whiteboard: MGA6TOO => (none)

Comment 2 Rémi Verschelde 2018-03-14 09:48:04 CET
Testing procedure:
==================

The easiest is to run applications using lib(64)SDL_image1.2_0 to load images; we have many (mainly games) you can choose from:

$ urpmq --whatrequires lib64SDL_image1.2_0
airstrike
angband
aranym
armagetron
asc
assaultcube
beret
berusky
berusky2
bloboats
brainparty
brutalchess
btanks
bugsquish
bumprace
burgerspace
chroma
circuslinux
clanbomber
csmash
cube-escape
dreamchess
edgar
egoboo
enigma
erlang-esdl
fillets-ng
flare
flaw
freedink
freedroid
freedroidrpg
gearhead-sdl
globulation2
grafx2
harris
hedgewars
hex-a-hop
holotz-castle
kobodeluxe
lib64SDL_image-devel
lib64SDL_image1.2_0
lib64SDL_image1.2_0-test
lib64flatzebra2
lib64guichan0.8.1_1
lib64t4k_common0
libbpg
lincity-ng
manaplus
meandmyshadow
megamario
mirrormagic
moleinvasion
mures
navit-graphics-sdl
ocaml-sdl
openmortal
openxcom
penguin-command
perl-SDL
phun
pinball
pingus
prboom-plus
python-pygame
ruby-SDL
sauerbraten
sdl-ball
sdlbrt
sdljava
tecnoballz
tong
trackballs
tsc
tuxmath
tuxpaint
tuxtype
ultimatestunts
valyriatear
vlc-plugin-sdl
vlc-plugin-sdl
warmux
wesnoth
wizznic
xlogical
xsoldier
zaz

Keywords: (none) => has_procedure

Comment 3 Rémi Verschelde 2018-03-14 09:56:46 CET
mingw-SDL_image also needed to be patched similarly, so adding it to the advisory.

If the native Linux version (lib(64)SDL_image1.2_0) works as expected, there's no reason the Windows DLL (mingw32- and mingw64- flavours) would not work, so I don't think those two require much testing.


Advisory:
=========

Updated SDL_image packages fix security vulnerability

  A specially crafted file could have been used to cause a stack overflow
  resulting in potential code execution (CVE-2017-2887).

References:
 - https://lists.opensuse.org/opensuse-updates/2018-02/msg00074.html

RPMs in core/updates_testing:
=============================

lib(64)SDL_image1.2_0-1.2.12-9.1.mga6
lib(64)SDL_image-devel-1.2.12-9.1.mga6
lib(64)SDL_image1.2_0-test-1.2.12-9.1.mga6
mingw32-SDL_image-1.2.12-13.1.mga6
mingw64-SDL_image-1.2.12-13.1.mga6

SRPM in core/updates_testing:
=============================

mingw-SDL_image-1.2.12-13.1.mga6
SDL_image-1.2.12-9.1.mga6

Source RPM: SDL_image-1.2.12-9.mga6.src.rpm => SDL_image-1.2.12-9.mga6, mingw-SDL_image-1.2.12-13.mga6

Comment 4 Rémi Verschelde 2018-03-14 10:00:38 CET
Last update to the advisory as I found https://www.suse.com/security/cve/CVE-2017-2887/ to be a better reference.

It also makes it clear that the vulnerability affects XCF files (like bug 21881), so it could be tested by displaying XCF files using `sdlshow` from the `lib(64)SDL_image1.2_0-test` package.


Advisory:
=========

Updated SDL_image packages fix security vulnerability

  An exploitable buffer overflow vulnerability exists in the XCF property
  handling functionality of SDL_image 2.0.1. A specially crafted xcf file
  can cause a stack-based buffer overflow resulting in potential code
  execution. An attacker can provide a specially crafted XCF file to trigger
  this vulnerability (CVE-2017-2887).

References:
 - https://www.suse.com/security/cve/CVE-2017-2887/

RPMs in core/updates_testing:
=============================

lib(64)SDL_image1.2_0-1.2.12-9.1.mga6
lib(64)SDL_image-devel-1.2.12-9.1.mga6
lib(64)SDL_image1.2_0-test-1.2.12-9.1.mga6
mingw32-SDL_image-1.2.12-13.1.mga6
mingw64-SDL_image-1.2.12-13.1.mga6

SRPM in core/updates_testing:
=============================

mingw-SDL_image-1.2.12-13.1.mga6
SDL_image-1.2.12-9.1.mga6
Comment 5 Len Lawrence 2018-03-14 22:56:02 CET
Mageia 6 :: x86_64

Installed any missing packages then tried sdlshow on a couple of files which were imported as JPEGs into the GIMP and exported as XCF.  The XCF files displayed OK with ImageMagick but sdlshow showed a blank rectangle each time.

Updated the packages and tried again.
The xcf files still displayed as blank panels.

sdlshow displays images downloaded from the web which are described as specimen XCF files but which in fact come down as JPEGs.  The headers contain the string 'JFIF'.  The XCF files from GIMP are identified by 'gimp xcf'.

Don't know what to make of this.

CC: (none) => tarazed25
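Added example, not from this bug report or from the SDL_image project: a small Python checker that first tells a real 'gimp xcf' file from a JPEG that merely carries an .xcf name (the 'JFIF' case Len describes above), then walks the XCF image-level property list and flags any property whose declared length exceeds the remaining file or a cap, which is the shape of input the CVE-2017-2887 advisory in comment 4 describes. The property cap and the sample files are constructed for this example, and the parser assumes XCF versions below 4 (no precision field after base_type).

```python
import struct

XCF_MAGIC = b"gimp xcf "   # header string that identifies GIMP's own XCF files
PROP_END = 0
# Cap on a single property payload; chosen for this checker, not a limit
# taken from SDL_image or GIMP (assumption).
MAX_PROP_LEN = 1 << 20


def classify(data: bytes) -> str:
    """Tell a real XCF from a JPEG that was only named .xcf (JFIF marker)."""
    if data.startswith(XCF_MAGIC):
        return "xcf"
    if data[:2] == b"\xff\xd8" and b"JFIF" in data[:32]:
        return "jpeg"
    return "unknown"


def check_xcf_properties(data: bytes) -> list:
    """Walk the image-level property list and report declared lengths that a
    fixed-size reader could not honour. Assumes XCF version < 4 layout."""
    findings = []
    if not data.startswith(XCF_MAGIC):
        return ["not an XCF file"]
    off = 14 + 12  # magic(9) + version tag + NUL(5), then width/height/base_type
    while True:
        if off + 8 > len(data):
            findings.append("truncated property header")
            break
        ptype, plen = struct.unpack_from(">II", data, off)
        off += 8
        if ptype == PROP_END:
            break
        if plen > MAX_PROP_LEN:
            findings.append(f"property {ptype}: oversized length {plen}")
        remaining = len(data) - off
        if plen > remaining:
            findings.append(f"property {ptype}: length {plen} exceeds remaining {remaining} bytes")
            break
        off += plen  # skip the payload without trusting its contents
    return findings


def make_xcf(raw_props: bytes) -> bytes:
    """Constructed minimal XCF: header, 4x4 RGB image, then raw property bytes."""
    return XCF_MAGIC + b"v001\0" + struct.pack(">III", 4, 4, 0) + raw_props


if __name__ == "__main__":
    good = make_xcf(struct.pack(">II", 17, 1) + b"\x00" + struct.pack(">II", PROP_END, 0))
    crafted = make_xcf(struct.pack(">II", 1, 0xFFFFFFF0) + b"\x00" * 8 + struct.pack(">II", PROP_END, 0))
    print(classify(good), check_xcf_properties(good))
    print(classify(crafted), check_xcf_properties(crafted))
```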

Comment 6 Len Lawrence 2018-03-14 23:05:04 CET
There are errors on loading the .xcf file into GIMP ending with this:

"(gimp:3572): LibGimpBase-WARNING **: gimp: gimp_wire_read(): error
GIMP-Error: Calling error for procedure 'gimp-procedural-db-proc-info':
Procedure 'gimp--gimp-append-data' not found"

The image looks OK.

On closing the GIMP, this message:

"HMM....
Something strange is happening,
malloc and free function pointer changing between invocations in babl."
Comment 7 Len Lawrence 2018-03-14 23:15:33 CET
Created attachment 10044 [details]
strace output from sdlshow
Comment 8 David Walser 2018-03-15 14:57:33 CET
Due to the broad impact of this one, I would like to see it updated for Mageia 5 as well.  I'd do it myself, but I still don't have access to SSH/SVN.
Comment 9 David Walser 2018-03-15 20:01:38 CET
Mageia 5 update provided as well.

libSDL_image1.2_0-1.2.12-8.1.mga5
libSDL_image-devel-1.2.12-8.1.mga5
libSDL_image1.2_0-test-1.2.12-8.1.mga5

from SDL_image-1.2.12-8.1.mga5.src.rpm

Whiteboard: (none) => MGA5TOO

Comment 10 Len Lawrence 2018-03-15 22:46:00 CET
There are a lot of applications which use the SDL image library, many of them games.  One image editor is grafx2.

$ strace grafx2 /fom/pad/sunset.xcf 2> trace

grafx2 uses a canvas of fixed size which is too small to show the whole image but it displayed OK.

$ cat trace | grep SDL
open("/lib64/libSDL-1.2.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libSDL_image-1.2.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libSDL_ttf-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3

Spent a couple of minutes with games pingus and mirrormagic.  They looked like they were working and displaying animated images fine.

This may be enough for an OK for mga6 x86_64.
Comment 11 David Walser 2018-03-15 23:03:27 CET
Thanks Len, grafx2 looks to do the job.  My test images were small so it showed them with plenty of leftover space.

$ strace -o /tmp/grafx2.out grafx2 walser/img/luigi/luigi.xcf
$ grep SDL /tmp/grafx2.out 
open("/lib64/libSDL-1.2.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libSDL_image-1.2.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libSDL_ttf-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3

Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK MGA6-64-OK

Comment 12 Lewis Smith 2018-03-17 20:20:29 CET
Advisory from comments 4 & 9.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

David Walser 2018-03-17 20:27:44 CET

QA Contact: rverschelde => security
CC: (none) => rverschelde

Comment 13 Mageia Robot 2018-03-19 13:14:14 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0170.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

