Bug 22967 - SDL_image new security issues CVE-2017-12122, CVE-2017-1444[0128], CVE-2017-14450, CVE-2018-383[7-9]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-04-29 17:53 CEST by David Walser
Modified: 2018-06-06 20:16 CEST

See Also:
Source RPM: SDL_image-1.2.12-9.1.mga6.src.rpm
CVE:
Status comment: Patches available from Debian


Description David Walser 2018-04-29 17:53:52 CEST
Debian has issued an advisory on April 28:
https://www.debian.org/security/2018/dsa-4184

We previously fixed CVE-2017-2887, but the other issues are new.

Mageia 5 and Mageia 6 are also affected.

David Walser 2018-04-29 17:53:59 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-05-01 08:48:02 CEST
Assigning to the registered maintainer.

Assignee: bugsquad => shlomif
CC: (none) => marja11

David Walser 2018-05-04 08:26:32 CEST

Status comment: (none) => Patches available from Debian

Comment 2 Shlomi Fish 2018-05-22 11:58:27 CEST
Patched package submitted to the BS as 1.2.12-9.2mga6.

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 3 David Walser 2018-05-24 15:08:17 CEST
libSDL_image1.2_0-1.2.12-9.2.mga6
libSDL_image-devel-1.2.12-9.2.mga6
libSDL_image1.2_0-test-1.2.12-9.2.mga6

from SDL_image-1.2.12-9.2.mga6.src.rpm

from commit http://svnweb.mageia.org/packages?view=revision&revision=1231486

Thanks!  I'll get to the advisory later.

Comment 4 David Walser 2018-06-02 21:30:56 CEST
Thanks again!  I also pushed the fixes to Mageia 5.  Sorry this took so long.

Advisory:
========================

Updated SDL_image packages fix security vulnerabilities:

Multiple vulnerabilities have been discovered in the image loading library for
Simple DirectMedia Layer 1.2, which could result in denial of service or the
execution of arbitrary code if malformed image files are opened
(CVE-2017-12122, CVE-2017-14440, CVE-2017-14441, CVE-2017-14442,
CVE-2017-14448, CVE-2017-14450, CVE-2018-3837, CVE-2018-3838, CVE-2018-3839).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12122
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14441
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3837
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3838
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3839
https://www.debian.org/security/2018/dsa-4184
========================

Updated packages in core/updates_testing:
========================
libSDL_image1.2_0-1.2.12-8.2.mga5
libSDL_image-devel-1.2.12-8.2.mga5
libSDL_image1.2_0-test-1.2.12-8.2.mga5
libSDL_image1.2_0-1.2.12-9.2.mga6
libSDL_image-devel-1.2.12-9.2.mga6
libSDL_image1.2_0-test-1.2.12-9.2.mga6

from SRPMS:
SDL_image-1.2.12-8.2.mga5.src.rpm
SDL_image-1.2.12-9.2.mga6.src.rpm

CC: (none) => shlomif
Whiteboard: (none) => MGA5TOO
Assignee: shlomif => qa-bugs

Comment 5 Herman Viaene 2018-06-04 10:51:14 CEST
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
Ref bug 22650 Comments 10 and 11 for tests
Used grafx2 to display a jpeg file and save it as a png.
Viewing results with ristretto clearly shows the reduction of number of colors in the png file. The jpg file was 4.5Mb, the resulting png 2.5Mb.
OK for me.

CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

Comment 6 Len Lawrence 2018-06-06 00:52:01 CEST
If nobody else does, I shall run this by Mageia 6 tomorrow.

CC: (none) => tarazed25

Dave Hodgins 2018-06-06 06:12:17 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Herman Viaene 2018-06-06 09:56:10 CEST
MGA6-32
I don't see the updated packages. Usually the Belgian mirror is at most 24h behind, but not that much. And I've been able to do the MGA5 test????

Comment 8 Dave Hodgins 2018-06-06 10:10:14 CEST
$ urpmq -i lib64SDL_image1.2_0|grep ^Source |sort -V|tail -n 1
Source RPM  : SDL_image-1.2.12-9.2.mga6.src.rpm
(This is with the princeton mirror)
$ rpm -q -i lib64SDL_image1.2_0|grep 'Build Date'
Build Date  : 2018-05-22T05:49:47 EDT

Note that on 32 bit, libSDL_image1.2_0 is available from
SDL_image-1.2.12-9.2.mga6.src.rpm

Tested with tuxpaint. Validating the update

Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2018-06-06 20:16:43 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0276.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
