Your message dated Thu, 08 Aug 2019 13:53:18 +0000
with message-id <[email protected]>
and subject line Bug#932755: fixed in sdl-image1.2 1.2.12-11
has caused the Debian Bug report #932755,
regarding sdl-image1.2: multiple security issues
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
932755: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932755
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: sdl-image1.2
Version: 1.2.12-10
Severity: important
Tags: security upstream
Hi,
the following security issues[0] were published for sdl-image1.2:
* CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c.
* CVE-2019-5051: heap-based buffer overflow in IMG_pcx.c.
* CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
* CVE-2019-12216, CVE-2019-12217, CVE-2019-12218, CVE-2019-12219,
  CVE-2019-12220, CVE-2019-12221, CVE-2019-12222: OOB R/W in
  IMG_LoadPCX_RW (IMG_pcx.c).
Fixing these issues:
Patches are quite straightforward and I believe that some of these
issues are worth fixing (reporter claims that they are "exploitable").
I have prepared and uploaded a jessie LTS update addressing most of these
issues (all of them apart from CVE-2019-5051) via targeted fixes.
If the security team agrees, I will provide targeted fixes for buster and
stretch.
For testing, I suggest packaging the latest upstream release. If needed, I
can provide an update with targeted fixes.
regards,
Hugo
[0] https://security-tracker.debian.org/tracker/source-package/sdl-image1.2
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
--- End Message ---
--- Begin Message ---
Source: sdl-image1.2
Source-Version: 1.2.12-11
We believe that the bug you reported is fixed in the latest version of
sdl-image1.2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Hugo Lefeuvre <[email protected]> (supplier of updated sdl-image1.2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 24 Jul 2019 20:30:03 -0300
Source: sdl-image1.2
Architecture: source
Version: 1.2.12-11
Distribution: unstable
Urgency: medium
Maintainer: Debian SDL packages maintainers <[email protected]>
Changed-By: Hugo Lefeuvre <[email protected]>
Closes: 932755
Changes:
sdl-image1.2 (1.2.12-11) unstable; urgency=medium
.
* Non-maintainer upload with permission of maintainers.
* Multiple security fixes (Closes: #932755):
- CVE-2019-5058: buffer overflow in do_layer_surface (IMG_xcf.c).
- CVE-2019-5052: integer overflow and subsequent buffer overflow in
  IMG_pcx.c.
- CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
- CVE-2019-12216, CVE-2019-12217, CVE-2019-12218, CVE-2019-12219,
  CVE-2019-12220, CVE-2019-12221, CVE-2019-12222, CVE-2019-5051:
  OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
Checksums-Sha1:
4e4be93248b44fb9f8fd8ff4b2cac59e93d3d141 2056 sdl-image1.2_1.2.12-11.dsc
e10fbc678c098f8606fbdcd1099203cb97fa020c 12576 sdl-image1.2_1.2.12-11.debian.tar.xz
61c6557b202651784041eba012ff5b8e2404fd9e 10619 sdl-image1.2_1.2.12-11_amd64.buildinfo
Checksums-Sha256:
50e31b27c70018b68ca2f96e0eac715dc4219f54abd57d2223b633f08bb6b2bb 2056 sdl-image1.2_1.2.12-11.dsc
5dc284425daac9142e5925c15544c3be52b5e299572d1c2fdacfd83d139a056e 12576 sdl-image1.2_1.2.12-11.debian.tar.xz
c160056e682ff3d12059ac4916c6e05234f265f99d2b9a9a211ee04289a38683 10619 sdl-image1.2_1.2.12-11_amd64.buildinfo
Files:
61d23b3e26f9fa036144d57efc82558f 2056 libs optional sdl-image1.2_1.2.12-11.dsc
32f98cdc26b16915ad1c3eaf476a046d 12576 libs optional sdl-image1.2_1.2.12-11.debian.tar.xz
39b93b9cdcd52facc68e7a50186c49dd 10619 libs optional sdl-image1.2_1.2.12-11_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=QlHU
-----END PGP SIGNATURE-----
--- End Message ---