From turutani@scphys.kyoto-u.ac.jp  Wed Apr  2 04:02:34 2008
Message-Id: <200804020402.m3242REt088090@h120.65.226.10.32118.vlan.kuins.net>
Date: Wed, 2 Apr 2008 13:02:27 +0900 (JST)
From: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
Reply-To: Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
To: FreeBSD-gnats-submit@freebsd.org
Cc: turutani@scphys.kyoto-u.ac.jp
Subject: vulnerability on graphics/sdl_image
X-Send-Pr-Version: 3.113
X-GNATS-Notify: mva@sysfault.org

>Number:         122366
>Category:       ports
>Synopsis:       vulnerability on graphics/sdl_image
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    miwi
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 02 04:10:02 UTC 2008
>Closed-Date:    Fri May 02 20:07:11 UTC 2008
>Last-Modified:  Fri May  2 20:10:03 UTC 2008
>Originator:     Tsurutani Naoki
>Release:        FreeBSD 6.3-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD h120.65.226.10.32118.vlan.kuins.net 6.3-PRERELEASE FreeBSD 6.3-PRERELEASE #11: Wed Jan 16 16:30:07 JST 2008 turutani@polymer3.scphys.kyoto-u.ac.jp:/usr/local/work/usr/obj/usr/src/sys/POLYMER i386


	
>Description:
	http://www.ciac.org/ciac/bulletins/s-163.shtml
	
>How-To-Repeat:
	
>Fix:
	apply patches shown in 
	http://www.libsdl.org/cgi/viewvc.cgi/trunk/SDL_image/CHANGES?view=log
	after release of 1.2.6.
	


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: edwin 
State-Changed-When: Wed Apr 2 04:10:09 UTC 2008 
State-Changed-Why:  
Awaiting maintainer's feedback (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=122366 

From: Marcus von Appen <mva@sysfault.org>
To: bug-followup@FreeBSD.org
Cc: turutani@scphys.kyoto-u.ac.jp
Subject: Re: ports/122366: vulnerability on graphics/sdl_image
Date: Wed, 2 Apr 2008 09:40:55 +0200

 --ADZbWkCsHQ7r3kzd
 Content-Type: multipart/mixed; boundary="Kj7319i9nmIyA2yE"
 Content-Disposition: inline
 
 
 --Kj7319i9nmIyA2yE
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 Thanks for the report.
 
 A fix for both the GIF and LBM buffer overflows is attached.
 
 --Kj7319i9nmIyA2yE
 Content-Type: text/x-diff; charset=us-ascii
 Content-Disposition: attachment; filename="sdl_image.diff"
 Content-Transfer-Encoding: quoted-printable
 
 diff -Nur sdl_image/Makefile sdl_image.new/Makefile
 --- sdl_image/Makefile	2008-03-13 15:05:28.000000000 +0100
 +++ sdl_image.new/Makefile	2008-04-02 09:33:06.000000000 +0200
 @@ -7,6 +7,7 @@
 =20
  PORTNAME=3D	sdl_image
  PORTVERSION=3D	1.2.6
 +PORTREVISION=3D	1
  CATEGORIES=3D	graphics
  MASTER_SITES=3D	http://www.libsdl.org/projects/SDL_image/release/
  DISTNAME=3D	SDL_image-${PORTVERSION}
 diff -Nur sdl_image/files/patch-IMG_gif.c sdl_image.new/files/patch-IMG_gif=
 =2Ec
 --- sdl_image/files/patch-IMG_gif.c	1970-01-01 01:00:00.000000000 +0100
 +++ sdl_image.new/files/patch-IMG_gif.c	2008-04-02 09:33:35.000000000 +0200
 @@ -0,0 +1,13 @@
 +--- IMG_gif.c	2007/02/13 10:09:17	2970
 ++++ IMG_gif.c	2007/12/28 16:43:56	3462
 +@@ -418,6 +418,10 @@
 +     static int stack[(1 << (MAX_LWZ_BITS)) * 2], *sp;
 +     register int i;
 +=20
 ++    /* Fixed buffer overflow found by Michael Skladnikiewicz */
 ++    if (input_code_size > MAX_LWZ_BITS)
 ++        return -1;
 ++
 +     if (flag) {
 + 	set_code_size =3D input_code_size;
 + 	code_size =3D set_code_size + 1;
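
Review bot: The added guard `if (input_code_size > MAX_LWZ_BITS)` still admits input_code_size == MAX_LWZ_BITS, and the context lines directly below it then set `code_size = set_code_size + 1`, which is one more than MAX_LWZ_BITS. The only buffer visible here is `stack`, sized from `(1 << (MAX_LWZ_BITS)) * 2`, so please confirm that every table indexed by a code of that width is large enough, or tighten the comparison. No lower bound is checked either: if input_code_size is a signed type, a negative value passes. The guard also sits ahead of `if (flag)`, so it runs on every call and not only at initialisation; callers need to treat the new -1 return as a decode failure.
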
 diff -Nur sdl_image/files/patch-IMG_lbm.c sdl_image.new/files/patch-IMG_lbm=
 =2Ec
 --- sdl_image/files/patch-IMG_lbm.c	1970-01-01 01:00:00.000000000 +0100
 +++ sdl_image.new/files/patch-IMG_lbm.c	2008-04-02 09:33:25.000000000 +0200
 @@ -0,0 +1,28 @@
 +--- IMG_lbm.c	2007/07/20 04:37:11	3341
 ++++ IMG_lbm.c	2008/01/03 20:05:34	3521
 +@@ -28,6 +28,7 @@
 +    EHB and HAM (specific Amiga graphic chip modes) support added by Marc =
 Le Douarain
 +    (http://www.multimania.com/mavati) in December 2003.
 +    Stencil and colorkey fixes by David Raulo (david.raulo AT free DOT fr)=
  in February 2004.
 ++   Buffer overflow fix in RLE decompression by David Raulo in January 200=
 8.
 + */
 +=20
 + #include <stdio.h>
 +@@ -328,7 +329,7 @@
 + 						count ^=3D 0xFF;
 + 						count +=3D 2; /* now it */
 +=20
 +-						if ( !SDL_RWread( src, &color, 1, 1 ) )
 ++						if ( ( count > remainingbytes ) || !SDL_RWread( src, &color, 1, 1 )=
  )
 + 						{
 + 						   error=3D"error reading BODY chunk";
 + 							goto done;
 +@@ -339,7 +340,7 @@
 + 					{
 + 						++count;
 +=20
 +-						if ( !SDL_RWread( src, ptr, count, 1 ) )
 ++						if ( ( count > remainingbytes ) || !SDL_RWread( src, ptr, count, 1 =
 ) )
 + 						{
 + 						   error=3D"error reading BODY chunk";
 + 							goto done;
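
Review bot: In both changed conditions the new `count > remainingbytes` test shares the `error="error reading BODY chunk"` path with the SDL_RWread failure, so an overlong RLE run in a malformed file is reported as an I/O error; a separate message would make rejected files easier to triage. The hunks do not show the types of `count` and `remainingbytes` or where `remainingbytes` is decremented: if the two differ in signedness the comparison needs an explicit cast, and the decrement has to follow every run for the bound to hold across the whole scanline. In the repeat branch (`count ^= 0xFF; count += 2`) the read itself is a single byte into `color`, so the write that consumes `count` lies outside the hunk and should be checked against the same bound.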
 
 
 --Kj7319i9nmIyA2yE--
 
 --ADZbWkCsHQ7r3kzd
 Content-Type: application/pgp-signature
 Content-Disposition: inline
 
 
 --ADZbWkCsHQ7r3kzd--
Responsible-Changed-From-To: freebsd-ports-bugs->miwi 
Responsible-Changed-By: miwi 
Responsible-Changed-When: Wed Apr 2 08:07:42 UTC 2008 
Responsible-Changed-Why:  
I'll take it. 

State-Changed-From-To: feedback->closed 
State-Changed-By: miwi 
State-Changed-When: Fri May 2 20:07:09 UTC 2008 
State-Changed-Why:  
Committed. Thanks! 


From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/122366: commit references a PR
Date: Fri,  2 May 2008 20:07:05 +0000 (UTC)

 miwi        2008-05-02 20:06:59 UTC
 
   FreeBSD ports repository
 
   Modified files:
     graphics/sdl_image   Makefile 
   Added files:
     graphics/sdl_image/files patch-IMG_gif.c patch-IMG_lbm.c 
   Log:
   - Fix buffer overflows
   
   PR:             122366
   Submitted by:   Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp>
   Approved by:    maintainer
   Security:       http://www.vuxml.org/freebsd/b1bcab7d-1880-11dd-a914-0016179b2dd5.html
   
   Revision  Changes    Path
   1.35      +1 -0      ports/graphics/sdl_image/Makefile
   1.1       +13 -0     ports/graphics/sdl_image/files/patch-IMG_gif.c (new)
   1.1       +28 -0     ports/graphics/sdl_image/files/patch-IMG_lbm.c (new)
 
>Unformatted:
