| Summary: | sdl2, SDL12 new security issue CVE-2021-33657 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | sdl2-2.0.14-1.mga8.src.rpm, SDL12-1.2.15-26.mga8.src.rpm | CVE: | CVE-2021-33657 |
| Status comment: | |||
| Bug Depends on: | 30786 | ||
| Bug Blocks: | |||
|
Description
David Walser
2022-04-15 20:33:53 CEST
David Walser
2022-04-15 20:34:21 CEST
Status comment:
(none) =>
Fixed upstream in 2.0.20 openSUSE has issued an advisory for this on April 14: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RT4PK6MXMUBIFIGD2YA7HAH4DD43QU3Z/ So we should be able to find their SDL12 fix on build.opensuse.org as well. sdl2 is with akien; SDL12 is parentless, and I cannot see who has maintined it for M8 - it is not visible in Cauldron. So assigning this to RĂ©mi. Assignee:
bugsquad =>
rverschelde Ubuntu has issued an advisory for this on April 28: https://ubuntu.com/security/notices/USN-5398-1
David Walser
2022-08-29 23:59:48 CEST
Depends on:
(none) =>
30786 Suggested advisory: ======================== The updated packages fix a security vulnerability: There is a heap overflow problem in video/SDL_pixels.c in SDL (Simple DirectMedia Layer) 2.x to 2.0.18 versions. By crafting a malicious .BMP file, an attacker can cause the application using this library to crash, denial of service or Code execution. (CVE-2021-33657) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33657 https://lists.suse.com/pipermail/sle-security-updates/2022-April/010735.html https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RT4PK6MXMUBIFIGD2YA7HAH4DD43QU3Z/ https://ubuntu.com/security/notices/USN-5398-1 ======================== Updated packages in core/updates_testing: ======================== lib(64)sdl2.0_0-2.0.14-1.1.mga8 lib(64)sdl2.0-devel-2.0.14-1.1.mga8 lib(64)sdl2.0-static-devel-2.0.14-1.1.mga8 sdl2-docs-2.0.14-1.1.mga8 from SRPM: sdl2-2.0.14-1.1.mga8.src.rpm CVE:
(none) =>
CVE-2021-33657 mga8, x64 Installed the Core packages. Ran a quick test by compiling loopwave.c against the libraries and played a WAV file in a loop using the executable. Updated OK. Recompiled loopwave. That works. Installed sdl2_mixer-player. $ sudo updatedb $ locate sdl2_mixer ..... /usr/share/doc/sdl2_mixer-player/README.txt $ which playwave /usr/bin/playwave $ strace -o sdl.trace playwave BadMoonRising.wav $ grep SDL sdl.trace openat(AT_FDCWD, "/lib64/libSDL2_mixer-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/lib64/libSDL2-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3 `urpmq --whatrequires lib64sdl2` returns a long list of applications including blender and several games. Chose neverball and tried the Easy option. $ grep SDL neverball.trace openat(AT_FDCWD, "/lib64/libSDL2_ttf-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/lib64/libSDL2-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3 Sending this on. CC:
(none) =>
tarazed25 Validating. Advisory in Comment 4. CC:
(none) =>
andrewsfarm, sysadmin-bugs
Dave Hodgins
2022-09-08 18:46:31 CEST
CC:
(none) =>
davidwhodgins An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0326.html Resolution:
(none) =>
FIXED |