Bug 25767 - sdl2_image new security issues CVE-2019-505[12789], CVE-2019-5060, CVE-2019-1221[7-9], CVE-2019-1222[0-2], CVE-2019-13616
Summary: sdl2_image new security issues CVE-2019-505[12789], CVE-2019-5060, CVE-2019-1...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2019-11-26 22:15 CET by David Walser
Modified: 2019-12-06 15:17 CET (History)
CC: 5 users

See Also:
Source RPM: sdl2_image-2.0.4-1.mga7.src.rpm
CVE:
Status comment:


Attachments
Condensed summary of POC tests (3.29 KB, text/plain)
2019-11-29 23:29 CET, Len Lawrence

Description David Walser 2019-11-26 22:15:06 CET
openSUSE has issued an advisory on September 5:
https://lists.opensuse.org/opensuse-updates/2019-09/msg00027.html

The issues are fixed upstream in 2.0.5.
David Walser 2019-11-26 22:15:14 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=25766

Comment 1 David GEIGER 2019-11-27 06:56:57 CET
Done!
Comment 2 David Walser 2019-11-27 18:29:22 CET
Advisory:
========================

Updated sdl2_image packages fix security vulnerabilities:

An exploitable heap-based buffer overflow vulnerability exists when loading a
PCX file in SDL2_image, version 2.0.4. A missing error handler can lead to a
buffer overflow and potential code execution. An attacker can provide a
specially crafted image file to trigger this vulnerability. (CVE-2019-5051)

An exploitable integer overflow vulnerability exists when loading a PCX file in SDL2_image 2.0.4. A specially crafted file can cause an integer overflow, resulting in too little memory being allocated, which can lead to a buffer overflow and potential code execution. (CVE-2019-5052)

An exploitable code execution vulnerability exists in the PCX image-rendering
functionality of SDL2_image 2.0.4. A specially crafted PCX image can cause a
heap overflow, resulting in code execution. An attacker can display a specially
crafted image to trigger this vulnerability. (CVE-2019-5057)

An exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image 2.0.4. A specially crafted XCF image can cause a heap overflow, resulting in code execution. (CVE-2019-5058)

An exploitable code execution vulnerability exists in the XPM image rendering functionality of SDL2_image 2.0.4. A specially crafted XPM image can cause an integer overflow, allocating too small of a buffer. This buffer can then be written out of bounds resulting in a heap overflow, ultimately ending in code execution. (CVE-2019-5059)

An exploitable code execution vulnerability exists in the XPM image rendering function of SDL2_image 2.0.4. A specially crafted XPM image can cause an integer overflow in the colorhash function, allocating too small of a buffer. This buffer can then be written out of bounds, resulting in a heap overflow, ultimately ending in code execution. (CVE-2019-5060)

An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a NULL pointer dereference in the SDL stdio_read function in file/SDL_rwops.c. (CVE-2019-12217)

An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a NULL pointer dereference in the SDL2_image function IMG_LoadPCX_RW at IMG_pcx.c. (CVE-2019-12218)

An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is an invalid free error in the SDL function SDL_SetError_REAL at SDL_error.c. (CVE-2019-12219)

An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is an out-of-bounds read in the SDL function SDL_FreePalette_REAL at video/SDL_pixels.c. (CVE-2019-12220)

An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a SEGV in the SDL function SDL_free_REAL at stdlib/SDL_malloc.c. (CVE-2019-12221)

An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9. There is an out-of-bounds read in the function SDL_InvalidateMap at video/SDL_pixels.c. (CVE-2019-12222)

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c. (CVE-2019-13616)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5051
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5052
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5057
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5058
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5059
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5060
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12217
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12218
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12219
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12220
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12221
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12222
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13616
https://lists.opensuse.org/opensuse-updates/2019-09/msg00027.html
========================

Updated packages in core/updates_testing:
========================
libsdl2_image2.0_0-2.0.5-1.mga7
libsdl2_image-devel-2.0.5-1.mga7
libsdl2_image-static-devel-2.0.5-1.mga7
libsdl2_image2.0_0-test-2.0.5-1.mga7

from sdl2_image-2.0.5-1.mga7.src.rpm

Summary: sdl2_image new security issues CVE-2019-505[12789], CVE-2019-5060, CVE-2019-1221[78], CVE-2019-1222[0-2], CVE-2019-13616 => sdl2_image new security issues CVE-2019-505[12789], CVE-2019-5060, CVE-2019-1221[7-9], CVE-2019-1222[0-2], CVE-2019-13616
Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210
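Three of the entries in the advisory above (CVE-2019-5052, CVE-2019-5059 and CVE-2019-5060) describe the same bug class: a size computed from image dimensions wraps, the allocation comes out too small, and the decoder then writes past it. The C snippet below is an added illustration of that class and of the standard mitigation, not code from SDL_image or from this bug report; the function names and the sample dimensions are made up. It contrasts a naive 32-bit size computation with one that refuses to allocate when the multiplication cannot be represented.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Naive pattern (hypothetical, for contrast): width * height * bpp done in
 * 32-bit arithmetic silently wraps for large dimensions, so the caller may
 * allocate far less than the decoder will later write. */
uint32_t naive_image_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Checked version: returns the byte count, or 0 when any dimension is zero
 * or when the product would exceed SIZE_MAX. Each multiplication is guarded
 * by a division test before it is performed, so nothing ever wraps. */
size_t checked_image_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t w = width, h = height, b = bpp;
    if (w == 0 || h == 0 || b == 0)
        return 0;
    if (w > SIZE_MAX / h)            /* w * h would overflow */
        return 0;
    size_t pixels = w * h;
    if (pixels > SIZE_MAX / b)       /* pixels * b would overflow */
        return 0;
    return pixels * b;
}

/* Allocate a zeroed pixel buffer only when the size computation is sound;
 * a NULL return is the signal for the decoder to reject the file. */
unsigned char *alloc_pixels(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n = checked_image_size(width, height, bpp);
    if (n == 0)
        return NULL;
    return calloc(n, 1);
}

int main(void)
{
    /* Constructed header values: 65536 x 65536 at 1 byte per pixel. */
    printf("naive size   : %u\n", naive_image_size(65536u, 65536u, 1u));
    printf("checked size : %zu\n", checked_image_size(4096u, 4096u, 4u));
    printf("huge rejected: %s\n",
           alloc_pixels(UINT32_MAX, UINT32_MAX, 4u) == NULL ? "yes" : "no");
    return 0;
}
```

The first printed line shows the 32-bit product collapsing to 0 for a 65536 x 65536 image, which is exactly the "too little memory being allocated" situation the advisory describes; the checked helper never produces such a value and instead makes the caller fail closed.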

Comment 3 Len Lawrence 2019-11-29 21:05:42 CET
Mageia7, x86_64

Just a note to prevent duplication of effort.

Starting to test this.  Downloading POC where there are any.  Testing those before and after in the usual fashion.  The results will be attached.
For CVE-2019-12217 I have already caused a segfault which we hope shall vanish after updating.

Shall test the package by playing neverball and some of the other games listed by Rémi in bug 22769.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2019-11-29 23:29:01 CET
Created attachment 11382
Condensed summary of POC tests

These tests do not cover all of the CVEs listed against this bug.
The outcome is good.
Comment 5 Len Lawrence 2019-11-30 00:47:31 CET
Continuation from comment 3.

Installed and updated sdl2 packages after running the POC tests which worked fine.

Installed these:
blobwars *
cavepacker *
flare-engine *
neverball *
mirrormagic
redeclipse *
rocksndiamonds
starfighter *
trackballs *
wesnoth *
widelands

and had a go with all those with an asterisk.  No problems launching except trackballs.
$ trackballs
Welcome to Trackballs.
Using /usr/share/games/trackballs as gamedata directory.
X Error of failed request:  GLXBadDrawable
  Major opcode of failed request:  150 (GLX)
  Minor opcode of failed request:  5 (X_GLXMakeCurrent)
  Serial number of failed request:  272
  Current serial number in output stream:  272

That might have something to do with the graphics card - Nvidia GeForce GTX970.
GL problems sometimes occur with glmark2 for instance then go away.

Generally speaking, the games launch and play fine so I think this update deserves an OK.

Whiteboard: (none) => MGA7-64-OK

Comment 6 Len Lawrence 2019-11-30 00:52:08 CET
Just checked glmark2 on this partition and it also failed:
X Error of failed request:  GLXBadContext
  Major opcode of failed request:  150 (GLX)

Noting that with a change of kernel or on another partition this might not happen so that should help exonerate SDL2.
Comment 7 Thomas Andrews 2019-12-04 01:12:35 CET
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-12-06 13:26:19 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 8 Mageia Robot 2019-12-06 15:17:27 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0364.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

