Bug 30786

Summary: SDL12 new security issue CVE-2022-34568
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: SDL12-1.2.15-26.mga8.src.rpm CVE: CVE-2022-34568
Status comment:
Bug Depends on:    
Bug Blocks: 30293    

Description David Walser 2022-08-29 23:59:35 CEST 
Ubuntu has issued an advisory today (August 29):
https://ubuntu.com/security/notices/USN-5586-1
David Walser 2022-08-29 23:59:48 CEST

Blocks: (none) => 30293
Status comment: (none) => Patches available from upstream and Ubuntu

Comment 1 Lewis Smith 2022-08-31 08:36:59 CEST 
I cannot find this to see who has dealt with it before, so assigning this update globally (which would probably be the case anyway).

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-08-31 09:43:55 CEST 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

There is a heap overflow problem in video/SDL_pixels.c in SDL (Simple DirectMedia Layer) 2.x to 2.0.18 versions. By crafting a malicious .BMP file, an attacker can cause the application using this library to crash, denial of service or Code execution. (CVE-2021-33657)

SDL v1.2 was discovered to contain a use-after-free via the XFree function at /src/video/x11/SDL_x11yuv.c. (CVE-2022-34568)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33657
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34568
https://lists.suse.com/pipermail/sle-security-updates/2022-April/010735.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RT4PK6MXMUBIFIGD2YA7HAH4DD43QU3Z/
https://ubuntu.com/security/notices/USN-5398-1
https://ubuntu.com/security/notices/USN-5586-1
========================

Updated packages in core/updates_testing:
========================
lib64SDL1.2_0-1.2.15-26.1.mga8
lib64SDL-devel-1.2.15-26.1.mga8
lib64SDL-static-devel-1.2.15-26.1.mga8

from SRPM:
SDL12-1.2.15-26.1.mga8.src.rpm

CC: (none) => nicolas.salguero
CVE: (none) => CVE-2022-34568
Status comment: Patches available from upstream and Ubuntu => (none)
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED

Comment 3 Thomas Andrews 2022-09-12 04:48:14 CEST 
Used Qarepo to download these packages and those from companion bug 30293. No installation issues.

Followed the lead of Bug 24496, except that this time I chose a game I have spent far too much time playing on my Android tablet, Frozen Bubble.

$ strace -o libSDL.txt frozen-bubble

Played five levels, then quit. The resulting strace file showed numerous references to libSDL-1.2.so.0 so it looks good to me.

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2022-09-16 19:54:08 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2022-09-16 21:41:41 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0332.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED