Bug 25387

Summary: SDL12 new security issue CVE-2019-13616
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, geiger.david68210, sysadmin-bugs, tarazed25, tmb
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA6TOO MGA6-64-OK MGA7-64-OK
Source RPM: SDL12-1.2.15-23.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2019-08-31 03:15:20 CEST
A security issue has been fixed upstream in SDL 1.2:
https://security-tracker.debian.org/tracker/CVE-2019-13616

Mageia 6 and Mageia 7 are also affected.
David Walser 2019-08-31 03:15:27 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 David GEIGER 2019-08-31 06:57:43 CEST
Done for Cauldron, mga7 and mga6!

CC: (none) => geiger.david68210

Comment 2 David Walser 2019-08-31 15:22:52 CEST
Advisory:
========================

Updated SDL12 packages fix security vulnerability:

SDL (Simple DirectMedia Layer) through 1.2.15 has a heap-based buffer over-read
in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in
video/SDL_blit.c (CVE-2019-13616).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13616
https://security-tracker.debian.org/tracker/CVE-2019-13616
========================

Updated packages in core/updates_testing:
========================
libSDL1.2_0-1.2.15-19.2.mga6
libSDL-devel-1.2.15-19.2.mga6
libSDL-static-devel-1.2.15-19.2.mga6
libSDL1.2_0-1.2.15-23.1.mga7
libSDL-devel-1.2.15-23.1.mga7
libSDL-static-devel-1.2.15-23.1.mga7

from SRPMS:
SDL12-1.2.15-19.2.mga6.src.rpm
SDL12-1.2.15-23.1.mga7.src.rpm

Version: Cauldron => 7
Assignee: bugsquad => qa-bugs
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO

Comment 3 Len Lawrence 2019-08-31 20:50:57 CEST
mga7, x86_64

CVE-2019-13616
https://bugzilla.libsdl.org/show_bug.cgi?id=4538

There is a POC file for CVE-2019-13616, icon.bmp.
However, it needs to be run with testsprite, which does not exist in the RPMs, nor in any package upstream.  There are references to the SDL test programs, which must exist because there is chatter about compiling difficulties for testsprite.c.

Going on to try some of the 186 packages which could use libSDL.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2019-08-31 22:02:05 CEST
package smpeg-player:
/usr/share/doc/smpeg-player/README
plaympeg, gtv, glmovie

$ strace -o trace plaympeg Habanera.mp3
Habanera.mp3: MPEG audio stream
	Audio MPEG-1 Layer 3 128kbit/s 44100Hz stereo
	Size: 4959086
	Total time: 309.942875
$ grep -i sdl trace
openat(AT_FDCWD, "/lib64/libSDL-1.2.so.0", O_RDONLY|O_CLOEXEC) = 3
$ gtv LongLankin.mp3
This launched a gui with play|pause|stop|loop buttons.
Plays fine, with a progress bar and an strace shows that libSDL-1.2 is opened.
$ glmovie NEAR_Descent.mpg 
Segmentation fault (core dumped)
There may be something wrong with this simulation video.  vlc can play it but registers a stack of "Invalid frame dimensions..." messages.
$ glmovie FoylesWar.mpg
That one raises a viewing window for a split second then dies.  No core dump.

The man pages note that these tools are a work in progress so glmovie may simply be too sensitive to errors.
$ glmovie /data/images/hamal/Eros/erosflyby.mpg
[xcb] Unknown sequence number while processing reply
[xcb] Most likely this is a multi-threaded client and XInitThreads has not been called
[xcb] Aborting, sorry about that.
glmovie: xcb_io.c:643: _XReply: Assertion `!xcb_xlib_threads_sequence_lost' failed.
Aborted (core dumped)

Installed beret and had a look at the game.  Seems to be working, including theme music.  strace shows various SDL1.2 libraries being accessed.

This is probably enough to pass this package.

Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK

Comment 5 Len Lawrence 2019-09-03 19:07:53 CEST
mga6, x86_64

Clean update for the three packages.

Used plaympeg to play MP3 tracks from the cli.

Selected MP3 tracks to play using gtv - exercised play, pause, stop and loop.

No success at all with glmovie.
Tried many different MPG files and hit this error every time:
libGL error: No matching fbConfigs or visuals found
libGL error: failed to load driver: swrast
glmovie: Couldn't set 640x480 GL video mode: Couldn't find matching GLX visual

This worked - no audio track in the file:
$ plaympeg /data/images/Eros/erosflyby.mpg
erosflyby.mpg: MPEG video stream
	Video 320x240 resolution
	Size: 2325359
	Total time: 48.000000

This did not:
$ plaympeg /data/qa/sdl12/FoylesWar.mpg
FoylesWar.mpg: MPEG audio stream
	Audio MPEG-1 Layer 1 128kbit/s 22050Hz stereo
	Size: 1521593604
	Total time: 95099.600250

Note the absurd timespan.

Played frozen-bubble under strace and found numerous references to libSDL-1.2.
Tried the introduction to chroma.  An strace found libSDL1.2.

So, apart from plaympeg everything appears to work.  Good for 64bits.

Whiteboard: MGA6TOO MGA7-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK

Comment 6 Thomas Andrews 2019-09-05 14:18:24 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-09-06 18:38:10 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 7 Mageia Robot 2019-09-06 23:11:29 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0254.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED