Bug 1500623 (CVE-2017-2888)
Field | Value
---|---
Summary | CVE-2017-2888 SDL: Integer overflow while creating a new RGB surface
Product | [Other] Security Response
Component | vulnerability
Status | CLOSED NOTABUG
Severity | high
Priority | high
Version | unspecified
Hardware | All
OS | Linux
Reporter | Andrej Nemec <anemec>
Assignee | Red Hat Product Security <security-response-team>
CC | carnil, dchen, erik-fedora, ignatenko, klember, ppisar, rjones, tcallawa, twoerner, wtaymans
Keywords | Reopened, Security
Last Closed | 2017-10-20 09:57:08 UTC
Bug Depends On | 1500624, 1500625, 1500734, 1500735
Bug Blocks | 1500626
Description
Andrej Nemec
2017-10-11 08:31:24 UTC
Created SDL tracking bugs for this issue:

Affects: fedora-all [bug 1500624]

Created mingw-SDL tracking bugs for this issue:

Affects: fedora-all [bug 1500625]

This appears to be the patch: http://hg.libsdl.org/SDL/rev/7e0f1498ddb5

PLEASE NOTE: Simply applying the patch will not work with F26, as the compiler appears to optimize the check away. Set the "-fno-strict-overflow" compiler flag to prevent this.

Created SDL2 tracking bugs for this issue:

Affects: epel-7 [bug 1500735]
Affects: fedora-all [bug 1500734]

SDL1 has the following check and should not be vulnerable:
> /* Make sure the size requested doesn't overflow our datatypes */
> /* Next time I write a library like SDL, I'll use int for size. :) */
> if ( width >= 16384 || height >= 65536 ) {
> SDL_SetError("Width or height is too large");
> return(NULL);
> }
(In reply to Stefan Cornelius from comment #2)
> This appears to be the patch:
> http://hg.libsdl.org/SDL/rev/7e0f1498ddb5
>
> PLEASE NOTE: Simply applying the patch will not work with F26, as the
> compiler appears to optimize the check away. Set the "-fno-strict-overflow"
> compiler flag to prevent this.

Ugh, is there some better way of doing this?

Created attachment 1337656 [details]
Ugly patch based on secure coding guide
This is an ugly patch (the new functions and includes should probably have their own header etc) roughly based on what the CERT Secure Coding Guide recommends. Should work with most compilers, though.
Not extensively tested, so no guarantees that this is indeed correct.
Created attachment 1337658 [details]
Patch using a builtin compiler function
This one uses a builtin compiler function - gcc and llvm should support this, not sure about other compilers, though.
Not extensively tested, so no guarantees that this is indeed correct.
Statement:

This issue did not affect the versions of SDL as shipped with Red Hat Enterprise Linux 5, 6, and 7.

(In reply to Stefan Cornelius from comment #9)
> Statement:
>
> This issue did not affect the versions of SDL as shipped with Red Hat
> Enterprise Linux 5, 6, and 7.

Why would I care about those distributions when I'm working on Fedora?

(In reply to Salvatore Bonaccorso from comment #10)
> See: https://hg.libsdl.org/SDL/rev/81a4950907a0

Thanks a lot! Applied and building.
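The two alternatives discussed in this bug, a CERT-style check before each multiplication and the GCC/Clang `__builtin_*_overflow` functions, side by side with the fragile multiply-then-test pattern that the compiler can optimise away. This is an added example, not SDL's code or either attachment; it assumes the surface size is `height * pitch` with pitch being width times bytes-per-pixel rounded up to 4 bytes, computed in `int`, and the function names are hypothetical.

```c
#include <limits.h>
#include <stdio.h>

/* Assumption: the surface needs height * pitch bytes, where pitch is
 * width * bytes-per-pixel rounded up to a 4-byte boundary, and all
 * arithmetic is done in int as in the affected SDL code. */

/* The fragile pattern: multiply first, test for a negative result after.
 * Signed overflow is undefined behaviour, so an optimising compiler may
 * assume it cannot happen and drop the test; -fno-strict-overflow only
 * suppresses that optimisation. Shown for contrast, not for use. */
int surface_size_posthoc(int width, int height, int bpp)
{
    int pitch = (width * bpp + 3) & ~3;
    int size = pitch * height;          /* overflow already happened here */
    if (size < 0) return -1;            /* this check may be optimised away */
    return size;
}

/* CERT INT32-C style: test the operands before each multiplication so the
 * overflow never occurs. Returns the byte size, or -1 on overflow.
 * 16384 x 65536 x 4 bytes is exactly 2^32, so it is rejected. */
int surface_size_precheck(int width, int height, int bpp)
{
    if (width < 0 || height < 0 || bpp <= 0) return -1;
    if (width > INT_MAX / bpp) return -1;
    int pitch = width * bpp;
    if (pitch > INT_MAX - 3) return -1;
    pitch = (pitch + 3) & ~3;
    if (pitch != 0 && height > INT_MAX / pitch) return -1;
    return pitch * height;
}

/* Same result with the GCC/Clang builtins mentioned in the bug: each
 * builtin reports overflow instead of performing the undefined operation,
 * but other compilers may not provide them. */
int surface_size_builtin(int width, int height, int bpp)
{
    int pitch, size;
    if (width < 0 || height < 0 || bpp <= 0) return -1;
    if (__builtin_mul_overflow(width, bpp, &pitch)) return -1;
    if (__builtin_add_overflow(pitch, 3, &pitch)) return -1;
    pitch &= ~3;
    if (__builtin_mul_overflow(pitch, height, &size)) return -1;
    return size;
}
```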