| Summary: | sdl2 new security issues CVE-2019-757[2-8], CVE-2019-763[5-8], and CVE-2019-13616 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, marja11, sysadmin-bugs, tarazed25, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6TOO MGA6-64-OK MGA7-64-OK | | |
| Source RPM: | sdl2-2.0.9-1.mga7, mingw-SDL2-2.0.9-1.mga7 | CVE: | |
| Status comment: | | | |
| Attachments: | Failed attempt at compiling testsprite.c. | | |
Description
David Walser
2019-03-12 15:37:28 CET
David Walser
2019-03-12 15:37:42 CET
Source RPM: sdl2-2.0.9-1.mga7.src => sdl2-2.0.9-1.mga7.src.rpm

Assigning to our registered sdl2 maintainer.

CC: (none) => marja11
Rémi Verschelde
2019-03-16 20:48:47 CET
Source RPM: sdl2-2.0.9-1.mga7.src.rpm => sdl2-2.0.9-1.mga7.src.rpm, mingw-sdl2

I backported the fixes for SDL 1.2 in bug 24496. I'll wait for now with SDL2 as most of the patches haven't been accepted/merged upstream yet, and Fedora hasn't tried to cherry-pick them either. Upstream is usually relatively quick to respond to security vulnerabilities, so it might be worth waiting for 2.0.10 fixing those.

SUSE has issued an advisory for this on April 15: http://lists.suse.com/pipermail/sle-security-updates/2019-April/005337.html
David Walser
2019-06-23 19:20:31 CEST
Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO

For the reference, still waiting for 2.0.10 which should be right around the corner: https://discourse.libsdl.org/t/sdl-2-0-10-prerelease/26300

Cauldron seems fixed with latest 2.0.10 release! So Rémi can you look for mga7 and mga6, please?

CC: (none) => geiger.david68210

David pointed out to me that 2.0.10 also fixes CVE-2019-13616: https://security-tracker.debian.org/tracker/CVE-2019-13616

Version: Cauldron => 7
Rémi Verschelde
2019-08-31 12:11:46 CEST
Source RPM: sdl2-2.0.9-1.mga7.src.rpm, mingw-sdl2 => sdl2-2.0.9-1.mga7, mingw-SDL2-2.0.9-1.mga7

Advisory:
=========
Updated sdl2 packages fix security vulnerabilities
This release fixes various buffer overflows when parsing or processing damaged
Waveform audio and BMP image files.
- Fix CVE-2019-7572 (a buffer overread in IMA_ADPCM_nibble) (rhbz#1676754)
- Fix CVE-2019-7572 (a buffer overwrite in IMA_ADPCM_nibble) (rhbz#1676754)
- Fix CVE-2019-7573, CVE-2019-7576 (buffer overreads in InitMS_ADPCM)
(rhbz#1676752, rhbz#1676756)
- Fix CVE-2019-7574 (a buffer overread in IMA_ADPCM_decode) (rhbz#1676750)
- Fix CVE-2019-7575 (a buffer overwrite in MS_ADPCM_decode) (rhbz#1676744)
- Fix CVE-2019-7577 (a buffer overread in MS_ADPCM_decode) (rhbz#1676510)
- Fix CVE-2019-7578 (a buffer overread in InitIMA_ADPCM) (rhbz#1676782)
- Fix CVE-2019-7635 (a buffer overread when blitting a BMP image with pixel
colors out the palette) (rhbz#1677159)
- Fix CVE-2019-7636, CVE-2019-7638 (buffer overflows when processing BMP
images with too high number of colors) (rhbz#1677144, rhbz#1677157)
- Fix CVE-2019-7637 (an integer overflow in SDL_CalculatePitch) (rhbz#1677152)
- Reject 2, 3, 5, 6, 7-bpp BMP images (rhbz#1677159)
- Fix CVE-2010-13616 (heap-based buffer over-read in BlitNtoN in
video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c)
The 2.0.10 release also provides various features and bug fixes.
References:
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OHEXXGCOKNICFBDMNVYYDTSDLQ42K5G5/
- https://security-tracker.debian.org/tracker/CVE-2019-13616
- https://hg.libsdl.org/SDL/file/bc90ce38f1e2/WhatsNew.txt
RPMs in 6 & 7 core/updates_testing:
===================================
lib64sdl2.0_0-2.0.10-1.mga[67]
lib64sdl2.0-devel-2.0.10-1.mga[67]
lib64sdl2.0-static-devel-2.0.10-1.mga[67]
sdl2-docs-2.0.10-1.mga[67]
mingw32-SDL2-2.0.10-1.mga[67]
mingw32-SDL2-static-2.0.10-1.mga[67]
mingw64-SDL2-2.0.10-1.mga[67]
mingw64-SDL2-static-2.0.10-1.mga[67]
SRPMs in 6 & 7 core/updates_testing:
====================================
sdl2-2.0.10-1.mga6
mingw-SDL2-2.0.10-1.mga6
sdl2-2.0.10-1.mga7
mingw-SDL2-2.0.10-1.mga7

Assignee: rverschelde => qa-bugs

This is another one where the ASAN POC files need certain test utilities, like testsprite.

CC: (none) => tarazed25

Created attachment 11268 [details]
Failed attempt at compiling testsprite.c.

I'm guessing that version of testsprite is for SDL 1.2.

Quite right David. I had just seen that. The RedHat link leads to discussions covering versions 1.2 onwards, centring on audio/SDL_wave.c. Found the source for loopwave.c at https://android.googlesource.com/platform/external/qemu/+/android-4.2.2_r1.2/distrib/sdl-1.2.15/test/loopwave.c

It needed a little editing before compiling.

    $ gcc -o loopwave -I/usr/include/SDL2 -lSDL2 loopwave.c
    loopwave.c: In function ‘main’:
    loopwave.c:88:60: warning: passing argument 1 of ‘SDL_GetAudioDeviceName’ makes integer from pointer without a cast [-Wint-conversion]
         printf("Using audio driver: %s\n", SDL_GetAudioDeviceName(name, 32));
                                                                   ^~~~
    In file included from /usr/include/SDL2/SDL.h:36,
                     from loopwave.c:12:
    /usr/include/SDL2/SDL_audio.h:359:37: note: expected ‘int’ but argument is of type ‘char *’
     extern DECLSPEC const char *SDLCALL SDL_GetAudioDeviceName(int index,
                                         ^~~~~~~~~~~~~~~~~~~~~~

Despite these errors it produced a viable binary file. Not entirely confident about the API here after seeing the troubles with testsprite.c.

Duh! Just noticed that the link specifically indicates sdl-1.2.15, so cancelling all the POC tests, which involved loopwave, testsprite and graywin. Four hours work down the drain.

mga7, x86_64

Ignoring the POC because the test programs are not readily available for SDL2. Updated all the packages. The libraries are required by a considerable number of games and utilities such as mpv. Running strace while playing audio and video tracks with mpv shows that libSDL2-2.0 is opened successfully. Installing neverball pulled in lib64sdl2_ttf2.0_0 which was heavily used during play. Game working fine.

    $ strace -o trace fallingtime
    SDL initialisation succeeded
    SDL_CreateWindow succeeded
    SDL_CreateRenderer succeeded
    Mix_OpenAudio succeeded
    TTF_Init succeeded

The trace showed several SDL2 libraries being used. Started blender and carried out a few primitive operations. SDL2 library was opened.
It looks like everything is OK for 64bits.

Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK

mga6, x86_64

Updated the packages.

    $ urpmq --whatrequires mingw64-SDL2 | sort -u
    mingw64-SDL2
    mingw64-SDL2_image
    mingw64-SDL2_mixer
    mingw64-SDL2_net
    mingw64-SDL2-static

Most of the mingw programs under /bin look like programming tools so we shall skip those. pinball and neverball work fine. Played music and video tracks with mpv. blender opens and responds to 'links'. Recover Last Session indicates that there was none - correct. Blender Render shows a 3D cube, which can be manipulated. Tried duplication, moving and rotation. Working fine. OK for 64bits.

Whiteboard: MGA6TOO MGA7-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK

Validating this. Advisory in comment 8 - needs to be pushed to SVN. My SSH setup does not allow me to do it.
Thomas Andrews
2019-09-05 04:52:04 CEST
Keywords: (none) => validated_update

(In reply to Len Lawrence from comment #15)
> Validating this. Advisory in comment 8 - needs to be pushed to SVN. My SSH
> setup does not allow me to do it.

Len, the update validation is not complete until you put "validated_update" in the Keywords box. For backports, "validated_backport" is used.
Thomas Backlund
2019-09-06 17:59:26 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0239.html

Resolution: (none) => FIXED

This also fixed CVE-2019-13626: https://lists.opensuse.org/opensuse-updates/2019-09/msg00182.html
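The advisory quoted in this bug lists an integer overflow in SDL_CalculatePitch (CVE-2019-7637) alongside the BMP colour-count and ADPCM overreads. The defect class is a row pitch computed as width times bytes-per-pixel in fixed-width arithmetic, so a hostile image header can make the product wrap to a small value and every later "rows times pitch" buffer calculation undersize the allocation. The following C program is an added illustration of that failure mode and of the overflow-checked calculation a hardened decoder uses; it is not SDL's code, and the function names, the 4-byte row alignment, the 16-byte-per-pixel sanity cap and the header values it feeds in are all constructed for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Row pitch the way an unchecked decoder computes it: width * bytes per
 * pixel in 32-bit arithmetic, rounded up to a 4-byte boundary (constructed
 * example, not SDL's implementation). Unsigned wrap-around is well defined,
 * so an absurd width silently yields a tiny pitch, and any later
 * "rows * pitch" buffer sizing is far too small for the pixel data. */
static uint32_t pitch_unchecked(uint32_t width, uint32_t bytes_per_pixel)
{
    uint32_t pitch = width * bytes_per_pixel;  /* may wrap past 2^32 */
    return (pitch + 3u) & ~3u;                 /* 4-byte row alignment */
}

/* Overflow-aware version. Returns false on any input that cannot be sized
 * safely; on success writes the aligned pitch to *out. */
static bool pitch_checked(int width, int bytes_per_pixel, size_t *out)
{
    if (width < 0 || bytes_per_pixel <= 0 || bytes_per_pixel > 16)
        return false;                          /* nonsense header values */
    size_t w = (size_t)width, bpp = (size_t)bytes_per_pixel;
    if (w != 0 && bpp > SIZE_MAX / w)
        return false;                          /* w * bpp would wrap */
    size_t pitch = w * bpp;
    if (pitch > SIZE_MAX - 3)
        return false;                          /* alignment would wrap */
    pitch = (pitch + 3) & ~(size_t)3;
    if (pitch > (size_t)INT_MAX)
        return false;                          /* callers keep pitch in an int */
    *out = pitch;
    return true;
}

/* Total pixel-buffer size = pitch * height, with the same discipline. */
static bool surface_size_checked(int width, int height, int bytes_per_pixel,
                                 size_t *out)
{
    size_t pitch;
    if (height < 0 || !pitch_checked(width, bytes_per_pixel, &pitch))
        return false;
    size_t h = (size_t)height;
    if (pitch != 0 && h > SIZE_MAX / pitch)
        return false;                          /* pitch * height would wrap */
    *out = pitch * h;
    return true;
}

/* Plain-value wrappers (-1 = header rejected) so results are easy to check. */
static long long pitch_checked_value(int width, int bytes_per_pixel)
{
    size_t p;
    return pitch_checked(width, bytes_per_pixel, &p) ? (long long)p : -1;
}

static long long surface_size_value(int width, int height, int bytes_per_pixel)
{
    size_t s;
    return surface_size_checked(width, height, bytes_per_pixel, &s)
               ? (long long)s : -1;
}

int main(void)
{
    /* Constructed header values: a sane 640x480x32 image, and a hostile
     * width picked so that width * 4 wraps to exactly 4 in 32-bit math. */
    uint32_t hostile_width = 0x40000001u;
    printf("unchecked pitch, hostile width: %u bytes\n",
           pitch_unchecked(hostile_width, 4));
    printf("checked pitch, hostile width:   %lld\n",
           pitch_checked_value((int)hostile_width, 4));
    printf("checked pitch, 640x32bpp:       %lld bytes\n",
           pitch_checked_value(640, 4));
    printf("checked buffer, 640x480x32bpp:  %lld bytes\n",
           surface_size_value(640, 480, 4));
    printf("checked buffer, hostile width:  %lld\n",
           surface_size_value((int)hostile_width, 2, 4));
    return 0;
}
```

The unchecked path reports a 4-byte pitch for the hostile width, which is exactly the kind of value that lets a later blit or decode loop run past the end of the buffer it was given; the checked path refuses the header before any allocation happens, which is the behaviour a hardened image loader should exhibit.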