Buffer overflow in GIF and IFF ILBM handling

Bug #185782 reported by Mark Taylor on 2008-01-24
Affects                  Status   Importance   Assigned to     Milestone
sdl-image1.2 (Ubuntu)             Medium       StefanPotyra
  Dapper                          Medium       Kees Cook
  Edgy                            Medium       Kees Cook
  Feisty                          Medium       Kees Cook
  Gutsy                           Medium       Kees Cook
  Hardy                           Medium       StefanPotyra

Bug Description

There's a buffer overflow in IMG_gif.c in SDL_Image 1.2.6 and earlier, as described in this Bugtraq posting: <http://www.securityfocus.com/archive/1/486853/30/30/threaded>

The flaw could possibly cause remote execution of arbitrary code and was solved in upstream version 1.2.7.

Mark Taylor (skymt0) wrote :

I backported the fix to the current Gutsy version of sdl-image. A (tiny) patch is attached.

StefanPotyra (sistpoty) wrote :

Hi,

This is fixed in Hardy already; however, not yet in Gutsy (hence leaving the bug report open).

Cheers,
    Stefan.

StefanPotyra (sistpoty) wrote :

marking as confirmed (should I set s.th. to gutsy here?)

Changed in sdl-image1.2:
importance: Undecided → Medium
status: New → Confirmed

References:
  DSA-1493-1 (http://www.debian.org/security/2008/dsa-1493)
Quoting:
  "Several local/remote vulnerabilities have been discovered in the image
  loading library for the Simple DirectMedia Layer 1.2. The Common
  Vulnerabilities and Exposures project identifies the following problems:

  CVE-2007-6697
      Gynvael Coldwind discovered a buffer overflow in GIF image parsing,
      which could result in denial of service and potentially the
      execution of arbitrary code.

  CVE-2008-0544
      It was discovered that a buffer overflow in IFF ILBM image parsing
      could result in denial of service and potentially the execution of
      arbitrary code."

Changed in sdl-image1.2:
assignee: nobody → andreas-wenning
status: Confirmed → In Progress

I've prepared a debdiff from the patches used in debian.

From the changelog:
  * SECURITY UPDATE: Buffer overflow in GIF handling; possible
    denial of service and arbitrary code execution.
  * SECURITY UPDATE: Buffer overflow in IFF ILBM handling; possible
    denial of service and arbitrary code execution.
  * Added patches to prevent buffer overflow in IMG_gif.c and IMG_lbm.c.
    Patches prepared from sdl-image1.2_1.2.5-2etch1 update in debian.
    Applied inline. (Fixes LP: #185782)
  * References:
    http://www.debian.org/security/2008/dsa-1493
    CVE-2007-6697 and CVE-2008-0544

Changed in sdl-image1.2:
assignee: andreas-wenning → nobody
status: In Progress → Confirmed
Kees Cook (kees) on 2008-03-14
Changed in sdl-image1.2:
assignee: nobody → keescook
status: Confirmed → In Progress
Kees Cook (kees) wrote :

Thanks for the debdiff. I've applied the changes to dapper through feisty as well, and created a qa-regression-testing script to check for the GIF CVE (which had a reproducer). These are building and should be published shortly.

Changed in sdl-image1.2:
assignee: keescook → sistpoty
status: In Progress → Fix Released
assignee: nobody → keescook
importance: Undecided → Medium
status: New → Fix Committed
assignee: nobody → keescook
importance: Undecided → Medium
status: New → Fix Committed
assignee: nobody → keescook
importance: Undecided → Medium
status: New → Fix Committed
assignee: nobody → keescook
importance: Undecided → Medium
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sdl-image1.2 - 1.2.5-3ubuntu0.1

---------------
sdl-image1.2 (1.2.5-3ubuntu0.1) gutsy-security; urgency=low

  * SECURITY UPDATE: Buffer overflow in GIF handling; possible
    denial of service and arbitrary code execution.
  * SECURITY UPDATE: Buffer overflow in IFF ILBM handling; possible
    denial of service and arbitrary code execution.
  * Added patches to prevent buffer overflow in IMG_gif.c and IMG_lbm.c.
    Patches prepared from sdl-image1.2_1.2.5-2etch1 update in debian.
    Applied inline. (LP: #185782)
  * References:
    http://www.debian.org/security/2008/dsa-1493
    CVE-2007-6697 and CVE-2008-0544

 -- Andreas Wenning <email address hidden> Mon, 18 Feb 2008 22:21:55 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sdl-image1.2 - 1.2.5-2ubuntu0.7.04.1

---------------
sdl-image1.2 (1.2.5-2ubuntu0.7.04.1) feisty-security; urgency=low

  * SECURITY UPDATE: Buffer overflow in GIF handling; possible
    denial of service and arbitrary code execution.
  * SECURITY UPDATE: Buffer overflow in IFF ILBM handling; possible
    denial of service and arbitrary code execution.
  * Added patches to prevent buffer overflow in IMG_gif.c and IMG_lbm.c.
    Patches prepared from sdl-image1.2_1.2.5-2etch1 update in debian.
    Applied inline. (LP: #185782)
  * References:
    http://www.debian.org/security/2008/dsa-1493
    CVE-2007-6697 and CVE-2008-0544

 -- Andreas Wenning <email address hidden> Mon, 18 Feb 2008 22:21:55 +0100

Changed in sdl-image1.2:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Kees Cook (kees) wrote :
Changed in sdl-image1.2:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released