openSUSE has issued an advisory on September 5: https://lists.opensuse.org/opensuse-updates/2019-09/msg00027.html The issues are fixed upstream in 2.0.5.
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=25766
Done!
Advisory:
========================

Updated sdl2_image packages fix security vulnerabilities:

An exploitable heap-based buffer overflow vulnerability exists when loading a PCX file in SDL2_image, version 2.0.4. A missing error handler can lead to a buffer overflow and potential code execution. An attacker can provide a specially crafted image file to trigger this vulnerability. (CVE-2019-5051)

An exploitable integer overflow vulnerability exists when loading a PCX file in SDL2_image 2.0.4. A specially crafted file can cause an integer overflow, resulting in too little memory being allocated, which can lead to a buffer overflow and potential code execution. (CVE-2019-5052)

An exploitable code execution vulnerability exists in the PCX image-rendering functionality of SDL2_image 2.0.4. A specially crafted PCX image can cause a heap overflow, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. (CVE-2019-5057)

An exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image 2.0.4. A specially crafted XCF image can cause a heap overflow, resulting in code execution. (CVE-2019-5058)

An exploitable code execution vulnerability exists in the XPM image rendering functionality of SDL2_image 2.0.4. A specially crafted XPM image can cause an integer overflow, allocating too small of a buffer. This buffer can then be written out of bounds resulting in a heap overflow, ultimately ending in code execution. (CVE-2019-5059)

An exploitable code execution vulnerability exists in the XPM image rendering function of SDL2_image 2.0.4. A specially crafted XPM image can cause an integer overflow in the colorhash function, allocating too small of a buffer. This buffer can then be written out of bounds, resulting in a heap overflow, ultimately ending in code execution. (CVE-2019-5060)

An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a NULL pointer dereference in the SDL stdio_read function in file/SDL_rwops.c. (CVE-2019-12217)

An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a NULL pointer dereference in the SDL2_image function IMG_LoadPCX_RW at IMG_pcx.c. (CVE-2019-12218)

An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is an invalid free error in the SDL function SDL_SetError_REAL at SDL_error.c. (CVE-2019-12219)

An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is an out-of-bounds read in the SDL function SDL_FreePalette_REAL at video/SDL_pixels.c. (CVE-2019-12220)

An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a SEGV in the SDL function SDL_free_REAL at stdlib/SDL_malloc.c. (CVE-2019-12221)

An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9. There is an out-of-bounds read in the function SDL_InvalidateMap at video/SDL_pixels.c. (CVE-2019-12222)

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c. (CVE-2019-13616)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5051
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5052
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5057
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5058
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5059
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5060
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12217
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12218
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12219
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12220
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12221
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12222
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13616
https://lists.opensuse.org/opensuse-updates/2019-09/msg00027.html
========================

Updated packages in core/updates_testing:
========================

libsdl2_image2.0_0-2.0.5-1.mga7
libsdl2_image-devel-2.0.5-1.mga7
libsdl2_image-static-devel-2.0.5-1.mga7
libsdl2_image2.0_0-test-2.0.5-1.mga7

from sdl2_image-2.0.5-1.mga7.src.rpm
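Several of the entries in the advisory above (CVE-2019-5052, CVE-2019-5059, CVE-2019-5060) share one shape: a size derived from header fields is multiplied in fixed-width arithmetic, wraps, and the decoder then writes more pixel data than the undersized allocation holds. The following C snippet is an added illustration of that pattern and of the usual fix; it is not SDL2_image code and not part of this bug report. The function names, the 1 GiB policy cap and the 2x2 "image" it decodes are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed policy limit for this example: the largest pixel buffer the
 * loader is willing to allocate, whatever the header claims. */
#define MAX_PIXEL_BUFFER_BYTES ((size_t)1 << 30)

/* Vulnerable pattern (illustrative, not SDL2_image's code): the header fields
 * are multiplied as 32-bit values, so 65536 x 65536 x 1 wraps to 0 and the
 * allocation made from this number is far smaller than the pixel data the
 * decoder later writes into it. */
size_t naive_pixel_buffer_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return (size_t)(width * height * bpp); /* 32-bit multiply, silently wraps */
}

/* Hardened version: reject zero dimensions, test each multiplication against
 * SIZE_MAX before doing it, and refuse sizes over the policy cap so that a
 * non-wrapping but absurd header is also rejected. Returns 0 on rejection. */
size_t checked_pixel_buffer_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    if ((size_t)width > SIZE_MAX / height)
        return 0;
    size_t pixels = (size_t)width * height;
    if (pixels > SIZE_MAX / bpp)
        return 0;
    size_t bytes = pixels * bpp;
    if (bytes > MAX_PIXEL_BUFFER_BYTES)
        return 0;
    return bytes;
}

struct pixel_buffer {
    uint8_t *data;
    size_t len;
    uint32_t width, height, bpp;
};

/* Allocate a buffer sized by the checked computation; -1 if the header is
 * rejected or memory is unavailable. */
int pixel_buffer_alloc(struct pixel_buffer *pb, uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t bytes = checked_pixel_buffer_size(width, height, bpp);
    if (bytes == 0)
        return -1;
    pb->data = calloc(bytes, 1);
    if (pb->data == NULL)
        return -1;
    pb->len = bytes;
    pb->width = width;
    pb->height = height;
    pb->bpp = bpp;
    return 0;
}

/* Bounds-checked write for the decode loop: coordinates derived from file
 * contents are validated against the buffer's own dimensions, so a run or
 * row count larger than the header promised cannot write past the end. */
int pixel_buffer_put(struct pixel_buffer *pb, uint32_t x, uint32_t y, const uint8_t *px)
{
    if (x >= pb->width || y >= pb->height)
        return -1;
    size_t off = ((size_t)y * pb->width + x) * pb->bpp;
    memcpy(pb->data + off, px, pb->bpp);
    return 0;
}

/* Decode a constructed 2x2 RGBA image whose pixel stream carries one extra
 * out-of-range coordinate; returns how many writes were rejected. */
int decode_constructed_image(void)
{
    struct pixel_buffer pb;
    if (pixel_buffer_alloc(&pb, 2, 2, 4) != 0)
        return -1;
    static const uint8_t px[4] = {0x12, 0x34, 0x56, 0xff};
    /* constructed "file" coordinates: four valid, one past the last row */
    const uint32_t coords[5][2] = {{0, 0}, {1, 0}, {0, 1}, {1, 1}, {0, 2}};
    int rejected = 0;
    for (size_t i = 0; i < 5; i++)
        if (pixel_buffer_put(&pb, coords[i][0], coords[i][1], px) != 0)
            rejected++;
    free(pb.data);
    return rejected;
}

int main(void)
{
    printf("naive   65536x65536x1 -> %zu bytes (wrapped)\n",
           naive_pixel_buffer_size(65536u, 65536u, 1u));
    printf("checked 65536x65536x1 -> %zu (0 = rejected)\n",
           checked_pixel_buffer_size(65536u, 65536u, 1u));
    printf("checked 640x480x4     -> %zu bytes\n",
           checked_pixel_buffer_size(640u, 480u, 4u));
    printf("constructed decode rejected %d out-of-range write(s)\n",
           decode_constructed_image());
    return 0;
}
```

The two defences are independent: the checked size computation protects the allocation, and the per-write bounds check protects the decode loop against file contents (run lengths, row counts) that disagree with the header, which is the second half of how a wrapped size turns into a heap overflow.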
Summary: sdl2_image new security issues CVE-2019-505[12789], CVE-2019-5060, CVE-2019-1221[78], CVE-2019-1222[0-2], CVE-2019-13616 => sdl2_image new security issues CVE-2019-505[12789], CVE-2019-5060, CVE-2019-1221[7-9], CVE-2019-1222[0-2], CVE-2019-13616
Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210
Mageia7, x86_64 Just a note to prevent duplication of effort. Starting to test this. Downloading POC where there are any. Testing those before and after in the usual fashion. The results will be attached. For CVE-2019-12217 have already caused a segfault which we hope shall vanish after updating. Shall test the package by playing neverball and some of the other games listed by Rémi in bug 22769.
CC: (none) => tarazed25
Created attachment 11382
Condensed summary of POC tests

These tests do not cover all of the CVEs listed against this bug. The outcome is good.
Continuation from comment 3. Installed and updated sdl2 packages after running the POC tests which worked fine. Installed these:

blobwars *
cavepacker *
flare-engine *
neverball *
mirrormagic
redeclipse *
rocksndiamonds
starfighter *
trackballs *
wesnoth *
widelands

and had a go with all those with an asterisk. No problems launching except trackballs.

$ trackballs
Welcome to Trackballs.
Using /usr/share/games/trackballs as gamedata directory.
X Error of failed request:  GLXBadDrawable
  Major opcode of failed request:  150 (GLX)
  Minor opcode of failed request:  5 (X_GLXMakeCurrent)
  Serial number of failed request:  272
  Current serial number in output stream:  272

That might have something to do with the graphics card - Nvidia GeForce GTX970. GL problems sometimes occur with glmark2 for instance then go away. Generally speaking, the games launch and play fine so I think this update deserves an OK.
Whiteboard: (none) => MGA7-64-OK
Just checked glmark2 on this partition and it also failed:

X Error of failed request:  GLXBadContext
  Major opcode of failed request:  150 (GLX)

Noting that with a change of kernel or on another partition this might not happen so that should help exonerate SDL2.
Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0364.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
CVE-2019-12216 was also fixed by this update: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WJ2VRD57UOBT72JUC2DIFHEFCH4N64SW/
Summary: sdl2_image new security issues CVE-2019-505[12789], CVE-2019-5060, CVE-2019-1221[7-9], CVE-2019-1222[0-2], CVE-2019-13616 => sdl2_image new security issues CVE-2019-505[12789], CVE-2019-5060, CVE-2019-1221[6-9], CVE-2019-1222[0-2], CVE-2019-13616