| Summary: | SDL12 new security issues CVE-2019-757[2-8] and CVE-2019-763[5-8] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, marja11, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-32-OK MGA6-64-OK | ||
| Source RPM: | SDL12-1.2.15-22.mga7.src.rpm, mingw-SDL | CVE: | |
| Status comment: | Patches available from Fedora | ||
|
Description
David Walser
2019-03-12 15:36:17 CET
David Walser
2019-03-12 15:36:30 CET
Status comment:
(none) =>
Patches available from Fedora Assigning to our registered SDL12 maintainer. Assignee:
bugsquad =>
shlomif
Rémi Verschelde
2019-03-16 20:49:24 CET
Source RPM:
SDL12-1.2.15-22.mga7.src.rpm =>
SDL12-1.2.15-22.mga7.src.rpm, mingw-SDL Updated Fedora advisory (update fix for one CVE): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UFYUCO6D5APPM7IOZ5WOCYVY4DKSXFKD/
Rémi Verschelde
2019-03-29 11:10:52 CET
Assignee:
shlomif =>
rverschelde Fixed in Cauldron with SDL12-1.2.15-23.mga7 and mingw-SDL-1.2.15-10.mga7.
Update candidate for Mageia 6 below:
Advisory:
=========
This release fixes various buffer overflows when parsing or processing damaged
Waveform audio and BMP image files.
- Fix CVE-2019-7577 (a buffer overread in MS_ADPCM_decode) (rhbz#1676510)
- Fix CVE-2019-7575 (a buffer overwrite in MS_ADPCM_decode) (rhbz#1676744)
- Fix CVE-2019-7574 (a buffer overread in IMA_ADPCM_decode) (rhbz#1676750)
- Fix CVE-2019-7572 (a buffer overread in IMA_ADPCM_nibble) (rhbz#1676754)
- Fix CVE-2019-7572 (a buffer overwrite in IMA_ADPCM_nibble) (rhbz#1676754)
- Fix CVE-2019-7573, CVE-2019-7576 (buffer overreads in InitMS_ADPCM)
(rhbz#1676752, rhbz#1676756)
- Fix CVE-2019-7578 (a buffer overread in InitIMA_ADPCM) (rhbz#1676782)
- Fix CVE-2019-7638, CVE-2019-7636 (buffer overflows when processing BMP images
with too high number of colors) (rhbz#1677144, rhbz#1677157)
- Fix CVE-2019-7637 (an integer overflow in SDL_CalculatePitch) (rhbz#1677152)
- Fix CVE-2019-7635 (a buffer overread when blitting a BMP image with pixel
colors out the palette) (rhbz#1677159)
- Reject 2, 3, 5, 6, 7-bpp BMP images (rhbz#1677159)
References:
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OHEXXGCOKNICFBDMNVYYDTSDLQ42K5G5/
RPMs in core/updates_testing:
=============================
lib64SDL1.2_0-1.2.15-19.1.mga6
lib64SDL-devel-1.2.15-19.1.mga6
lib64SDL-static-devel-1.2.15-19.1.mga6
mingw32-SDL-1.2.15-8.1.mga6
mingw64-SDL-1.2.15-8.1.mga6
SRPMs in core/updates_testing:
==============================
SDL12-1.2.15-19.1.mga6
mingw-SDL-1.2.15-8.1.mga6Assignee:
rverschelde =>
qa-bugs MGA6-32 MATE on IBM Thinpad R50e No installation issues I do not have specfic HW as per bug 11800, however there are a lot of dependencies on libSDL1.2_0 listed as result of # urpmq --whatrequires libSDL1.2_0 I picked pinball and run $ strace -o libSDL.txt pinball and loaded a the tux table and launched a ball. checked the trace file and found ref to libSDL-1.2.so.0 Good for me. Whiteboard:
(none) =>
MGA6-32-OK Following Herman's lead, I installed pinball and played a game, then installed the lib64SDL update and played some more. I tried the Gnu and Professor tables, got a higher score with each game. Good fun - reminded me of the pinball games I played back in my Atari 8-bit/ST days. No installation issues, no regressions noted. OKing for 64-bit and validating. Suggested advisory in Comment 3. Whiteboard:
MGA6-32-OK =>
MGA6-32-OK MGA6-64-OK
Dave Hodgins
2019-04-04 15:17:19 CEST
Keywords:
(none) =>
advisory An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0127.html Resolution:
(none) =>
FIXED |