Fedora has issued an advisory on February 26: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OHEXXGCOKNICFBDMNVYYDTSDLQ42K5G5/ Mageia 6 is also affected.
Status comment: (none) => Patches available from Fedora
Whiteboard: (none) => MGA6TOO
Assigning to our registered SDL12 maintainer.
Assignee: bugsquad => shlomif
CC: (none) => marja11
Source RPM: SDL12-1.2.15-22.mga7.src.rpm => SDL12-1.2.15-22.mga7.src.rpm, mingw-SDL
Updated Fedora advisory (update fix for one CVE): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UFYUCO6D5APPM7IOZ5WOCYVY4DKSXFKD/
Assignee: shlomif => rverschelde
Fixed in Cauldron with SDL12-1.2.15-23.mga7 and mingw-SDL-1.2.15-10.mga7. Update candidate for Mageia 6 below:

Advisory:
=========
This release fixes various buffer overflows when parsing or processing damaged Waveform audio and BMP image files.
- Fix CVE-2019-7577 (a buffer overread in MS_ADPCM_decode) (rhbz#1676510)
- Fix CVE-2019-7575 (a buffer overwrite in MS_ADPCM_decode) (rhbz#1676744)
- Fix CVE-2019-7574 (a buffer overread in IMA_ADPCM_decode) (rhbz#1676750)
- Fix CVE-2019-7572 (a buffer overread in IMA_ADPCM_nibble) (rhbz#1676754)
- Fix CVE-2019-7572 (a buffer overwrite in IMA_ADPCM_nibble) (rhbz#1676754)
- Fix CVE-2019-7573, CVE-2019-7576 (buffer overreads in InitMS_ADPCM) (rhbz#1676752, rhbz#1676756)
- Fix CVE-2019-7578 (a buffer overread in InitIMA_ADPCM) (rhbz#1676782)
- Fix CVE-2019-7638, CVE-2019-7636 (buffer overflows when processing BMP images with too high number of colors) (rhbz#1677144, rhbz#1677157)
- Fix CVE-2019-7637 (an integer overflow in SDL_CalculatePitch) (rhbz#1677152)
- Fix CVE-2019-7635 (a buffer overread when blitting a BMP image with pixel colors out the palette) (rhbz#1677159)
- Reject 2, 3, 5, 6, 7-bpp BMP images (rhbz#1677159)

References:
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OHEXXGCOKNICFBDMNVYYDTSDLQ42K5G5/

RPMs in core/updates_testing:
=============================
lib64SDL1.2_0-1.2.15-19.1.mga6
lib64SDL-devel-1.2.15-19.1.mga6
lib64SDL-static-devel-1.2.15-19.1.mga6
mingw32-SDL-1.2.15-8.1.mga6
mingw64-SDL-1.2.15-8.1.mga6

SRPMs in core/updates_testing:
==============================
SDL12-1.2.15-19.1.mga6
mingw-SDL-1.2.15-8.1.mga6
Assignee: rverschelde => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
MGA6-32 MATE on IBM ThinkPad R50e
No installation issues. I do not have specific HW as per bug 11800; however, there are a lot of dependencies on libSDL1.2_0 listed as a result of
# urpmq --whatrequires libSDL1.2_0
I picked pinball and ran
$ strace -o libSDL.txt pinball
and loaded the tux table and launched a ball. Checked the trace file and found a ref to libSDL-1.2.so.0. Good for me.
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
Following Herman's lead, I installed pinball and played a game, then installed the lib64SDL update and played some more. I tried the Gnu and Professor tables, got a higher score with each game. Good fun - reminded me of the pinball games I played back in my Atari 8-bit/ST days. No installation issues, no regressions noted. OKing for 64-bit and validating. Suggested advisory in Comment 3.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0127.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED