Bug 45620 - sdl-image1.2: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2-3-errata
Assigned To: Philipp Hahn
QA Contact: Arvid Requate
URL: https://security-tracker.debian.org/t...
Depends on:
Blocks:
Reported: 2017-10-30 19:17 CET by Arvid Requate
Modified: 2018-05-08 14:56 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
requate: Patch_Available+


Description Arvid Requate univentionstaff 2017-10-30 19:17:10 CET
Upstream Debian package version 1.2.12-2+deb7u1 fixes:

* An exploitable buffer overflow vulnerability exists in the XCF property handling functionality of SDL_image 2.0.1. A specially crafted xcf file can cause a stack-based buffer overflow resulting in potential code execution. An attacker can provide a specially crafted XCF file to trigger this vulnerability. (CVE-2017-2887)
Comment 1 Philipp Hahn univentionstaff 2018-01-25 11:16:30 CET
No patch for Debian-Jessie:
[jessie] - libsdl2-image <no-dsa> (Minor issue)
Comment 2 Philipp Hahn univentionstaff 2018-01-25 17:05:52 CET
r17991 | Bug #45620: sdl-image1.2

Package: sdl-image1.2
Version: 1.2.12-5A~4.2.0.201801251702
Branch: ucs_4.2-0
Scope: errata4.2-3

4c9b6dedfa Bug #45620: sdl-image1.2
Comment 3 Quality Assurance univentionstaff 2018-05-04 16:57:42 CEST
--- mirror/ftp/4.2/unmaintained/4.2-0/source/sdl-image1.2_1.2.12-5.dsc
+++ apt/ucs_4.2-0-errata4.2-3/source/sdl-image1.2_1.2.12-5A~4.2.0.201801251702.dsc
@@ -1,3 +1,8 @@
+1.2.12-5A~4.2.0.201801251702 [Thu, 25 Jan 2018 17:02:51 +0100] Univention builddaemon <buildd@univention.de>:
+
+  * UCS auto build. The following patches have been applied to the original source package
+    10_CVE-2017-2887
+
 1.2.12-5 [Sun, 01 Sep 2013 13:03:02 +0200] Felix Geyer <fgeyer@debian.org>:
 
   * Really regenerate autoconf files. The upstream autogen.sh doesn't
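Review bot: the new changelog entry names the applied patch only by its file name (`10_CVE-2017-2887`) and the sentence in the `+` lines runs on without a full stop ("...applied to the original source package 10_CVE-2017-2887"); state what the patch addresses (the stack-based buffer overflow in XCF property handling from the description) so the advisory can be derived from the changelog alone. Note also that this interim 1.2.12-5A~ build carries a single patch, so any further open CVEs for the package in the linked Debian tracker would need either additional patches or an import of the Debian update.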
Comment 4 Philipp Hahn univentionstaff 2018-05-04 17:26:34 CEST
[4.2-3] 4bb8f0e8a9 Bug #45620: sdl-image1.2 1.2.12-5+deb8u1
 doc/errata/staging/sdl-image1.2.yaml | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
Comment 5 Quality Assurance univentionstaff 2018-05-04 17:27:20 CEST
--- mirror/ftp/4.2/unmaintained/4.2-0/source/sdl-image1.2_1.2.12-5.dsc
+++ apt/ucs_4.2-0-errata4.2-3/source/sdl-image1.2_1.2.12-5+deb8u1.dsc
@@ -1,3 +1,17 @@
+1.2.12-5+deb8u1 [Sun, 15 Apr 2018 17:54:58 +0200] Felix Geyer <fgeyer@debian.org>:
+
+  * Backport various security fixes:
+    - CVE-2017-2887
+    - CVE-2017-12122
+    - CVE-2017-14440
+    - CVE-2017-14441
+    - CVE-2017-14442
+    - CVE-2017-14448
+    - CVE-2017-14450
+    - CVE-2018-3837
+    - CVE-2018-3838
+    - CVE-2018-3839
+
 1.2.12-5 [Sun, 01 Sep 2013 13:03:02 +0200] Felix Geyer <fgeyer@debian.org>:
 
   * Really regenerate autoconf files. The upstream autogen.sh doesn't
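Review bot: the changelog lists ten CVEs, whereas the bug description and the earlier interim patch cover only CVE-2017-2887; the advisory (doc/errata/staging/sdl-image1.2.yaml from comment 4) must enumerate all ten, and the UCS-specific 10_CVE-2017-2887 patch from the r17991 build should be dropped rather than re-applied on top of this import, since the deb8u1 entry already includes it. Version ordering is fine: under dpkg rules a letter sorts before a non-letter, so the revision 5A~4.2.0.201801251702 sorts below 5+deb8u1 and systems that installed the interim build will upgrade to this one.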
Comment 6 Arvid Requate univentionstaff 2018-05-07 21:51:19 CEST
* No UCS specific patches
* r17991 - 4.2-0-0-ucs/1.2.12-5-errata4.2-3/10_CVE-2017-2887.quilt
  obsoleted by import of upstream version 1.2.12-5+deb8u1
* Comparison to previously shipped version ok
* Binary package update Ok
* Advisory adjusted:
  09946d18cd | Sort CVEs
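The "obsoleted by import" conclusion above rests on dpkg's version ordering: the interim UCS build 1.2.12-5A~4.2.0.201801251702 has to sort above the previously shipped 1.2.12-5 (so it was an upgrade) and below the Debian import 1.2.12-5+deb8u1 (so the import replaces it). The following is an added example, not code from this bug, from UCS or from dpkg itself: a Python reimplementation of dpkg's comparison algorithm (epoch, then upstream part, then revision; within a part, alternating non-digit runs where letters sort before non-letters and `~` before everything, and numeric runs compared as integers). It goes beyond the three version strings on the page by handling epochs, leading zeros and tilde suffixes in general. The function names `compare_versions`, `is_fixed` and `ordering` and the constant names are chosen here; the three version strings are the ones from comments 3, 5 and 6.

```python
"""dpkg-style Debian version comparison, reimplemented in Python so the
ordering of the sdl-image1.2 versions from this bug can be checked on a
host without dpkg.  Follows the semantics of dpkg's order()/verrevcmp():
a version is [epoch:]upstream[-revision]; each part is walked as alternating
non-digit runs (letters < non-letters, '~' < everything, even end of string)
and numeric runs (leading zeros stripped, then compared as numbers)."""

import functools
from typing import List, Tuple


def _order(c: str) -> int:
    """Sort weight of one character, as dpkg's order() defines it.
    The empty string stands for end-of-string."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _char(s: str, k: int) -> str:
    """Character at index k, or '' once past the end (mimics C's NUL)."""
    return s[k] if k < len(s) else ""


def _verrevcmp(a: str, b: str) -> int:
    """Compare one upstream-or-revision part; <0, 0, >0 like strcmp."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare per-character weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(_char(a, i)), _order(_char(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros, then compare digit by digit.
        while _char(a, i) == "0":
            i += 1
        while _char(b, j) == "0":
            j += 1
        while _char(a, i).isdigit() and _char(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _char(a, i).isdigit():
            return 1    # a has more digits, so its number is larger
        if _char(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' as dpkg does: the epoch precedes
    the first ':', the revision follows the last '-'."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 with the same ordering `dpkg --compare-versions` applies."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_fixed(installed: str, fixed: str) -> bool:
    """True when the installed version is the fixed version or newer."""
    return compare_versions(installed, fixed) >= 0


# Version strings taken from this bug (comments 3, 5 and 6).
ORIGINAL = "1.2.12-5"                       # previously shipped package
INTERIM = "1.2.12-5A~4.2.0.201801251702"    # r17991 UCS build with 10_CVE-2017-2887
FIXED = "1.2.12-5+deb8u1"                   # Debian update with all ten CVE backports


def ordering() -> List[str]:
    """Ascending order of the three versions.  The interim build lands
    between the other two because in the revision part the letter 'A'
    orders before the non-letter '+'."""
    return sorted([FIXED, ORIGINAL, INTERIM], key=functools.cmp_to_key(compare_versions))


if __name__ == "__main__":
    for v in ordering():
        print(v, "at or above fixed version" if is_fixed(v, FIXED) else "below fixed version")
```

The `~` handling is what makes the UCS naming scheme work: `1.2.12-5A~4.2.0.201801251702` sorts below a plain `1.2.12-5A`, so Univention can ship dated interim builds that any later `5A` or `5+deb8u1` package supersedes.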
Comment 7 Arvid Requate univentionstaff 2018-05-08 14:56:37 CEST
<http://errata.software-univention.de/ucs/4.2/399.html>