Buffer overflow in GIF and IFF ILBM handling

Bug #185782 reported by Mark Taylor
Affects                Status        Importance  Assigned to    Milestone
sdl-image1.2 (Ubuntu)  Fix Released  Medium      StefanPotyra
Dapper                 Fix Released  Medium      Kees Cook
Edgy                   Fix Released  Medium      Kees Cook
Feisty                 Fix Released  Medium      Kees Cook
Gutsy                  Fix Released  Medium      Kees Cook
Hardy                  Fix Released  Medium      StefanPotyra

Bug Description

There's a buffer overflow in IMG_gif.c in SDL_Image 1.2.6 and earlier, as described in this Bugtraq posting: <http://www.securityfocus.com/archive/1/486853/30/30/threaded>

The flaw could possibly cause remote execution of arbitrary code and was solved in upstream version 1.2.7.

Mark Taylor (skymt0) wrote :

I backported the fix to the current Gutsy version of sdl-image. A (tiny) patch is attached.

StefanPotyra (sistpoty) wrote :

Hi,

this is fixed in hardy already, however not yet in gutsy (hence leaving the bug report open).

Cheers,
    Stefan.

StefanPotyra (sistpoty) wrote :

marking as confirmed (should I set s.th. to gutsy here?)

Changed in sdl-image1.2:
importance: Undecided → Medium
status: New → Confirmed
Andreas Wenning (andreas-wenning) wrote :

References:
 DSA-1493-1 (http://www.debian.org/security/2008/dsa-1493)
Quoting:
 "Several local/remote vulnerabilities have been discovered in the image
 loading library for the Simple DirectMedia Layer 1.2. The Common
 Vulnerabilities and Exposures project identifies the following problems:
CVE-2007-6697
    Gynvael Coldwind discovered a buffer overflow in GIF image parsing,
     which could result in denial of service and potentially the
     execution of arbitrary code.
CVE-2008-0544
    It was discovered that a buffer overflow in IFF ILBM image parsing
     could result in denial of service and potentially the execution of
     arbitrary code."

Changed in sdl-image1.2:
assignee: nobody → andreas-wenning
status: Confirmed → In Progress
Andreas Wenning (andreas-wenning) wrote :

I've prepared a debdiff from the patches used in debian.

From the changelog:
  * SECURITY UPDATE: Buffer overflow in GIF handling; possible
    denial of service and arbitrary code execution.
  * SECURITY UPDATE: Buffer overflow in IFF ILBM handling; possible
    denial of service and arbitrary code execution.
  * Added patches to prevent buffer overflow in IMG_gif.c and IMG_lbm.c.
    Patches prepared from sdl-image1.2_1.2.5-2etch1 update in debian.
    Applied inline. (Fixes LP: #185782)
  * References:
    http://www.debian.org/security/2008/dsa-1493
    CVE-2007-6697 and CVE-2008-0544

Changed in sdl-image1.2:
assignee: andreas-wenning → nobody
status: In Progress → Confirmed
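
As an added illustration of the two bug classes that the DSA text and the changelog above describe, the C block below reconstructs the shape of each: a GIF LZW decoder whose fixed 12-bit code table is sized by a code-size byte taken straight from the file, and an IFF ILBM ByteRun1 row decoder whose run counts are never compared with the bytes left in the row. This is example code written for this page, not SDL_image's IMG_gif.c or IMG_lbm.c and not the Debian patch; the function names, the constant MAX_LWZ_BITS and the two byte streams are assumptions constructed for the demonstration.

```c
/* Added example, not SDL_image code: reconstruction of the two bug classes
 * in DSA-1493 (GIF LZW code-size table overflow, ILBM ByteRun1 run overflow).
 * All names and sample byte streams below are constructed for this demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_LWZ_BITS      12
#define LZW_TABLE_ENTRIES (1 << MAX_LWZ_BITS)   /* 4096 code slots */

/* GIF: the "LZW minimum code size" byte that opens the image data is read
 * from the file. A decoder with a fixed 12-bit table computes
 * clear_code = 1 << code_size and clears entries 0..clear_code-1, so a
 * code size above MAX_LWZ_BITS walks off the end of the table. GIF only
 * uses 2..8 legitimately; 12 is the largest value the table can hold. */
static int lzw_init_table(unsigned input_code_size,
                          uint16_t table[2][LZW_TABLE_ENTRIES])
{
    unsigned i, clear_code;

    if (input_code_size > MAX_LWZ_BITS)   /* the bounds check the fix adds */
        return -1;
    clear_code = 1u << input_code_size;   /* <= 4096 once the check passed */
    for (i = 0; i < clear_code; i++) {
        table[0][i] = 0;
        table[1][i] = (uint16_t)i;
    }
    return 0;
}

/* Wrapper with its own table: 0 = code size accepted, -1 = rejected. */
int gif_code_size_check(unsigned input_code_size)
{
    static uint16_t table[2][LZW_TABLE_ENTRIES];
    return lzw_init_table(input_code_size, table);
}

/* IFF ILBM BODY, tcomp == 1 (ByteRun1): each bitplane row is bytesperline
 * bytes rebuilt from control bytes n: 0..127 copies the next n+1 literal
 * bytes, 129..255 repeats the next byte 257-n times, 128 is a no-op.
 * Both counts come from the file. */
struct bytes { const uint8_t *p; size_t len, pos; };

static int next_byte(struct bytes *s, uint8_t *out)
{
    if (s->pos >= s->len) return 0;
    *out = s->p[s->pos++];
    return 1;
}

/* Decode one row into line[bytesperline]. With checked != 0 a run that
 * would cross the end of the row is rejected (-1), as the fixed decoder
 * does. With checked == 0 the run is clamped and the number of bytes the
 * unchecked decoder would have written past the row is returned, so the
 * overrun is visible without this demo corrupting its own memory.
 * Returns -1 on rejection or truncated input, else the overrun count. */
static long decode_byterun1_row(struct bytes *s, uint8_t *line,
                                size_t bytesperline, int checked)
{
    uint8_t *ptr = line;
    size_t remaining = bytesperline, overrun = 0, i;

    while (remaining > 0) {
        uint8_t ctl, color;
        size_t count;

        if (!next_byte(s, &ctl)) return -1;
        if (ctl == 128) continue;
        if (ctl & 0x80) {                       /* replicate run, 2..128 */
            count = 257u - ctl;
            if (!next_byte(s, &color)) return -1;
            if (count > remaining) {            /* the check the fix adds */
                if (checked) return -1;
                overrun += count - remaining;
                count = remaining;
            }
            memset(ptr, color, count);
        } else {                                /* literal run, 1..128 */
            count = ctl + 1u;
            if (count > remaining) {            /* the check the fix adds */
                if (checked) return -1;
                overrun += count - remaining;
                count = remaining;
            }
            for (i = 0; i < count; i++)
                if (!next_byte(s, &ptr[i])) return -1;
        }
        ptr += count;
        remaining -= count;
    }
    return (long)overrun;
}

/* Constructed rows, bytesperline = 8. */
static const uint8_t row_ok[]  = { 0xFE, 0xAA,              /* 3 x 0xAA   */
                                   0x04, 1, 2, 3, 4, 5 };   /* 5 literals */
static const uint8_t row_bad[] = { 0x02, 0x10, 0x20, 0x30,  /* 3 literals */
                                   0x81, 0xFF };  /* 128 x 0xFF, 5 left  */

/* -1 if rejected/truncated, else overrun the unchecked decoder produces. */
long ilbm_row_demo(int malicious, int checked)
{
    uint8_t line[8];
    struct bytes s = { row_ok, sizeof row_ok, 0 };
    if (malicious) { s.p = row_bad; s.len = sizeof row_bad; }
    return decode_byterun1_row(&s, line, sizeof line, checked);
}

/* 1 if the well-formed row decodes to the expected eight bytes. */
int ilbm_row_ok_decodes(void)
{
    static const uint8_t want[8] = { 0xAA, 0xAA, 0xAA, 1, 2, 3, 4, 5 };
    uint8_t line[8];
    struct bytes s = { row_ok, sizeof row_ok, 0 };
    if (decode_byterun1_row(&s, line, sizeof line, 1) != 0) return 0;
    return memcmp(line, want, sizeof want) == 0;
}

int main(void)
{
    printf("GIF code size 8 -> %d, 13 -> %d\n",
           gif_code_size_check(8), gif_code_size_check(13));
    printf("ILBM good row decodes: %d\n", ilbm_row_ok_decodes());
    printf("ILBM bad row: unchecked writes %ld bytes past the row, "
           "checked returns %ld\n", ilbm_row_demo(1, 0), ilbm_row_demo(1, 1));
    return 0;
}
```

The unchecked path clamps the run instead of writing past the row so that the demonstration stays memory safe; the returned count is what the unfixed decoder would have written beyond the line buffer for that constructed row. With checking enabled the same row is rejected, and the GIF table initialisation refuses any code size above 12 before the clearing loop can run past the table.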
Kees Cook (kees)
Changed in sdl-image1.2:
assignee: nobody → keescook
status: Confirmed → In Progress
Kees Cook (kees) wrote :

Thanks for the debdiff. I've applied the changes to dapper through feisty as well, and created a qa-regression-testing script to check for the GIF CVE (which had a reproducer). These are building and should be published shortly.

Changed in sdl-image1.2:
assignee: keescook → sistpoty
status: In Progress → Fix Released
assignee: nobody → keescook
importance: Undecided → Medium
status: New → Fix Committed
assignee: nobody → keescook
importance: Undecided → Medium
status: New → Fix Committed
assignee: nobody → keescook
importance: Undecided → Medium
status: New → Fix Committed
assignee: nobody → keescook
importance: Undecided → Medium
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sdl-image1.2 - 1.2.5-3ubuntu0.1

---------------
sdl-image1.2 (1.2.5-3ubuntu0.1) gutsy-security; urgency=low

  * SECURITY UPDATE: Buffer overflow in GIF handling; possible
    denial of service and arbitrary code execution.
  * SECURITY UPDATE: Buffer overflow in IFF ILBM handling; possible
    denial of service and arbitrary code execution.
  * Added patches to prevent buffer overflow in IMG_gif.c and IMG_lbm.c.
    Patches prepared from sdl-image1.2_1.2.5-2etch1 update in debian.
    Applied inline. (LP: #185782)
  * References:
    http://www.debian.org/security/2008/dsa-1493
    CVE-2007-6697 and CVE-2008-0544

 -- Andreas Wenning <email address hidden> Mon, 18 Feb 2008 22:21:55 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sdl-image1.2 - 1.2.5-2ubuntu0.7.04.1

---------------
sdl-image1.2 (1.2.5-2ubuntu0.7.04.1) feisty-security; urgency=low

  * SECURITY UPDATE: Buffer overflow in GIF handling; possible
    denial of service and arbitrary code execution.
  * SECURITY UPDATE: Buffer overflow in IFF ILBM handling; possible
    denial of service and arbitrary code execution.
  * Added patches to prevent buffer overflow in IMG_gif.c and IMG_lbm.c.
    Patches prepared from sdl-image1.2_1.2.5-2etch1 update in debian.
    Applied inline. (LP: #185782)
  * References:
    http://www.debian.org/security/2008/dsa-1493
    CVE-2007-6697 and CVE-2008-0544

 -- Andreas Wenning <email address hidden> Mon, 18 Feb 2008 22:21:55 +0100

Changed in sdl-image1.2:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Kees Cook (kees)
Changed in sdl-image1.2:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
