openSUSE has issued an advisory on February 20: https://lists.opensuse.org/opensuse-updates/2018-02/msg00074.html We initially fixed this in SDL2_image in Bug 21881, but SDL_image is also affected. Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Patch available from openSUSE
Thanks David, fixed in Cauldron with the patch from openSUSE, and here's the advisory for Mageia 6:

Advisory:
=========

Updated SDL_image packages fix security vulnerability

A specially crafted file could have been used to cause a stack overflow resulting in potential code execution (CVE-2017-2887).

References:
- https://lists.opensuse.org/opensuse-updates/2018-02/msg00074.html

RPMs in core/updates_testing:
=============================
lib(64)SDL_image1.2_0-1.2.12-9.1.mga6
lib(64)SDL_image-devel-1.2.12-9.1.mga6
lib(64)SDL_image1.2_0-test-1.2.12-9.1.mga6

SRPM in core/updates_testing:
=============================
SDL_image-1.2.12-9.1.mga6
CVE: (none) => CVE-2017-2887
Version: Cauldron => 6
Assignee: rverschelde => qa-bugs
QA Contact: security => rverschelde
Whiteboard: MGA6TOO => (none)
Testing procedure:
==================

The easiest is to run applications using lib(64)SDL_image1.2_0 to load images; we have many (mainly games) you can choose from:

$ urpmq --whatrequires lib64SDL_image1.2_0
airstrike
angband
aranym
armagetron
asc
assaultcube
beret
berusky
berusky2
bloboats
brainparty
brutalchess
btanks
bugsquish
bumprace
burgerspace
chroma
circuslinux
clanbomber
csmash
cube-escape
dreamchess
edgar
egoboo
enigma
erlang-esdl
fillets-ng
flare
flaw
freedink
freedroid
freedroidrpg
gearhead-sdl
globulation2
grafx2
harris
hedgewars
hex-a-hop
holotz-castle
kobodeluxe
lib64SDL_image-devel
lib64SDL_image1.2_0
lib64SDL_image1.2_0-test
lib64flatzebra2
lib64guichan0.8.1_1
lib64t4k_common0
libbpg
lincity-ng
manaplus
meandmyshadow
megamario
mirrormagic
moleinvasion
mures
navit-graphics-sdl
ocaml-sdl
openmortal
openxcom
penguin-command
perl-SDL
phun
pinball
pingus
prboom-plus
python-pygame
ruby-SDL
sauerbraten
sdl-ball
sdlbrt
sdljava
tecnoballz
tong
trackballs
tsc
tuxmath
tuxpaint
tuxtype
ultimatestunts
valyriatear
vlc-plugin-sdl
vlc-plugin-sdl
warmux
wesnoth
wizznic
xlogical
xsoldier
zaz
Keywords: (none) => has_procedure
mingw-SDL_image also needed to be patched similarly, so adding it to the advisory. If the native Linux version (lib(64)SDL_image1.2_0) works as expected, there's no reason the Windows DLL (mingw32- and mingw64- flavours) would not work, so I don't think those two require much testing.

Advisory:
=========

Updated SDL_image packages fix security vulnerability

A specially crafted file could have been used to cause a stack overflow resulting in potential code execution (CVE-2017-2887).

References:
- https://lists.opensuse.org/opensuse-updates/2018-02/msg00074.html

RPMs in core/updates_testing:
=============================
lib(64)SDL_image1.2_0-1.2.12-9.1.mga6
lib(64)SDL_image-devel-1.2.12-9.1.mga6
lib(64)SDL_image1.2_0-test-1.2.12-9.1.mga6
mingw32-SDL_image-1.2.12-13.1.mga6
mingw64-SDL_image-1.2.12-13.1.mga6

SRPM in core/updates_testing:
=============================
mingw-SDL_image-1.2.12-13.1.mga6
SDL_image-1.2.12-9.1.mga6
Source RPM: SDL_image-1.2.12-9.mga6.src.rpm => SDL_image-1.2.12-9.mga6, mingw-SDL_image-1.2.12-13.mga6
Last update to the advisory as I found https://www.suse.com/security/cve/CVE-2017-2887/ to be a better reference. It also makes it clear that the vulnerability affects XCF files (like bug 21881), so it could be tested by displaying XCF files using `sdlshow` from the `lib(64)SDL_image1.2_0-test` package.

Advisory:
=========

Updated SDL_image packages fix security vulnerability

An exploitable buffer overflow vulnerability exists in the XCF property handling functionality of SDL_image 2.0.1. A specially crafted xcf file can cause a stack-based buffer overflow resulting in potential code execution. An attacker can provide a specially crafted XCF file to trigger this vulnerability (CVE-2017-2887).

References:
- https://www.suse.com/security/cve/CVE-2017-2887/

RPMs in core/updates_testing:
=============================
lib(64)SDL_image1.2_0-1.2.12-9.1.mga6
lib(64)SDL_image-devel-1.2.12-9.1.mga6
lib(64)SDL_image1.2_0-test-1.2.12-9.1.mga6
mingw32-SDL_image-1.2.12-13.1.mga6
mingw64-SDL_image-1.2.12-13.1.mga6

SRPM in core/updates_testing:
=============================
mingw-SDL_image-1.2.12-13.1.mga6
SDL_image-1.2.12-9.1.mga6
Mageia 6 :: x86_64

Installed any missing packages then tried sdlshow on a couple of files which were imported as JPEGs into the GIMP and exported as XCF. The XCF files displayed OK with ImageMagick but sdlshow showed a blank rectangle each time. Updated the packages and tried again. The xcf files still displayed as blank panels.

sdlshow displays images downloaded from the web which are described as specimen XCF files but which in fact come down as JPEGs. The headers contain the string 'JFIF'. The XCF files from GIMP are identified by 'gimp xcf'. Don't know what to make of this.
CC: (none) => tarazed25
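The confusion above between "specimen XCF" downloads that are really JPEGs and genuine GIMP files can be settled by looking at the leading bytes. As an added example (not from this bug report or the SDL_image project), the Python below classifies a file by its magic, parses the XCF header and image-level property list, and applies a generic length sanity check to each property (a defensive bound in the spirit of the advisory, not the upstream patch). The `PROP_COMPRESSION` id follows the XCF format description and the sample byte strings are constructed for the demonstration.

```python
import struct

XCF_MAGIC = b"gimp xcf "   # 9-byte magic, then a 4-byte version string and a NUL
JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker ("JFIF" follows in the APP0 segment)
PROP_END, PROP_COMPRESSION = 0, 17  # XCF property ids; PROP_COMPRESSION carries 1 byte

def sniff(data):
    # Classify a file by its leading bytes: 'xcf', 'jpeg' or 'unknown'.
    if data.startswith(XCF_MAGIC):
        return "xcf"
    return "jpeg" if data.startswith(JPEG_SOI) else "unknown"

def parse_xcf_header(data):
    """Parse version, canvas size and image-level properties; ValueError on bad lengths."""
    if sniff(data) != "xcf" or len(data) < 26 or data[13:14] != b"\0":
        raise ValueError("not a well-formed XCF header")
    version = data[9:13].decode("ascii")  # "file" (v0) or "v001", "v002", ...
    width, height, base_type = struct.unpack(">III", data[14:26])
    props, off = [], 26
    while True:
        if off + 8 > len(data):
            raise ValueError("truncated property list")
        ptype, plen = struct.unpack(">II", data[off:off + 8])
        off += 8
        if ptype == PROP_END:
            break
        # Defensive bound: reject a property whose declared length exceeds the data left.
        if plen > len(data) - off:
            raise ValueError("property %d declares %d bytes, only %d remain" % (ptype, plen, len(data) - off))
        props.append((ptype, data[off:off + plen]))
        off += plen
    return {"version": version, "width": width, "height": height, "base_type": base_type, "properties": props}

def is_well_formed_xcf(data):
    try:
        parse_xcf_header(data)
        return True
    except ValueError:
        return False

def build_xcf(width, height, props):
    # Build a minimal constructed XCF header (no layers) for the samples below.
    out = XCF_MAGIC + b"v001\0" + struct.pack(">III", width, height, 0)
    for ptype, payload in props:
        out += struct.pack(">II", ptype, len(payload)) + payload
    return out + struct.pack(">II", PROP_END, 0)

# Constructed samples: a genuine XCF header, a "specimen XCF" that is really a JPEG, and a header whose property claims more bytes than the file holds.
SAMPLE_XCF = build_xcf(640, 480, [(PROP_COMPRESSION, b"\x01")])
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01"
OVERLONG_XCF = XCF_MAGIC + b"v001\0" + struct.pack(">III", 1, 1, 0) + struct.pack(">II", PROP_COMPRESSION, 0xFFFFFFFF)
```

Running `sniff(open(path, "rb").read(16))` on a downloaded "XCF" that reports `jpeg` explains why sdlshow rendered it while a true GIMP export did not.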
There are errors on loading the .xcf file into GIMP ending with this:

"(gimp:3572): LibGimpBase-WARNING **: gimp: gimp_wire_read(): error GIMP-Error: Calling error for procedure 'gimp-procedural-db-proc-info': Procedure 'gimp--gimp-append-data' not found"

The image looks OK. On closing the GIMP, this message:

"HMM.... Something strange is happening, malloc and free function pointer changing between invocations in babl."
Created attachment 10044 [details] strace output from sdlshow
Due to the broad impact of this one, I would like to see it updated for Mageia 5 as well. I'd do it myself, but I still don't have access to SSH/SVN.
Mageia 5 update provided as well.

libSDL_image1.2_0-1.2.12-8.1.mga5
libSDL_image-devel-1.2.12-8.1.mga5
libSDL_image1.2_0-test-1.2.12-8.1.mga5

from SDL_image-1.2.12-8.1.mga5.src.rpm
Whiteboard: (none) => MGA5TOO
There are a lot of applications which use the SDL image library, many of them games. One image editor is grafx2.

$ strace grafx2 /fom/pad/sunset.xcf 2> trace

grafx2 uses a canvas of fixed size which is too small to show the whole image but it displayed OK.

$ cat trace | grep SDL
open("/lib64/libSDL-1.2.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libSDL_image-1.2.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libSDL_ttf-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3

Spent a couple of minutes with games pingus and mirrormagic. They looked like they were working and displaying animated images fine. This may be enough for an OK for mga6 x86_64.
Thanks Len, grafx2 looks to do the job. My test images were small so it showed them with plenty of leftover space.

$ strace -o /tmp/grafx2.out grafx2 walser/img/luigi/luigi.xcf
$ grep SDL /tmp/grafx2.out
open("/lib64/libSDL-1.2.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libSDL_image-1.2.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libSDL_ttf-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK MGA6-64-OK
Advisory from comments 4 & 9.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
QA Contact: rverschelde => security
CC: (none) => rverschelde
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0170.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED