Bug#932754: libsdl2-image: multiple security issues

Hugo Lefeuvre hle at debian.org
Mon Jul 22 19:40:17 BST 2019


Source: libsdl2-image
Version: 2.0.4+dfsg1-1
Severity: important
Tags: security upstream

Hi,

the following security issues[0] were published for libsdl2-image:

* CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c.

* CVE-2019-5051: heap-based buffer overflow in IMG_pcx.c.

* CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).

* CVE-2019-12216, CVE-2019-12217,
  CVE-2019-12218, CVE-2019-12219,
  CVE-2019-12220, CVE-2019-12221,
  CVE-2019-12222: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).

Fixing these issues:

Patches are quite straightforward and I believe that some of these
issues are worth fixing (reporter claims that they are "exploitable").

I have prepared and uploaded a jessie LTS update addressing most of these
issues (all of them apart from CVE-2019-5051) via targeted fixes.

If the security team agrees, I will provide targeted fixes for buster and
stretch.

For testing, I suggest to package the latest upstream release. If needed, I
can provide an update with targeted fixes.

regards,
Hugo

[0] https://security-tracker.debian.org/tracker/source-package/libsdl2-image

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-sdl-maintainers/attachments/20190722/df527153/attachment.sig>


More information about the Pkg-sdl-maintainers mailing list