Bug 24497 - sdl2 new security issues CVE-2019-757[2-8], CVE-2019-763[5-8], and CVE-2019-13616
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6TOO MGA6-64-OK MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2019-03-12 15:37 CET by David Walser
Modified: 2019-11-26 23:42 CET

See Also:
Source RPM: sdl2-2.0.9-1.mga7, mingw-SDL2-2.0.9-1.mga7
Status comment:

Failed attempt at compiling testsprite.c. (5.42 KB, text/plain)
2019-09-01 16:59 CEST, Len Lawrence

Description David Walser 2019-03-12 15:37:28 CET
+++ This bug was initially created as a clone of Bug #24496 +++

Fedora has issued an advisory on February 26:

Mageia 6 is also affected.

The sdl2 package is also affected.
David Walser 2019-03-12 15:37:42 CET

Source RPM: sdl2-2.0.9-1.mga7.src => sdl2-2.0.9-1.mga7.src.rpm
Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-03-14 15:56:19 CET
Assigning to our registered sdl2 maintainer.

CC: (none) => marja11
Assignee: bugsquad => rverschelde

Rémi Verschelde 2019-03-16 20:48:47 CET

Source RPM: sdl2-2.0.9-1.mga7.src.rpm => sdl2-2.0.9-1.mga7.src.rpm, mingw-sdl2

Comment 2 Rémi Verschelde 2019-03-29 11:47:41 CET
I backported the fixes for SDL 1.2 in bug 24496.

I'll wait for now with SDL2 as most of the patches haven't been accepted/merged upstream yet, and Fedora hasn't tried to cherry-pick them either. Upstream is usually relatively quick to respond to security vulnerabilities, so it might be worth waiting for 2.0.10 fixing those.
Comment 3 David Walser 2019-04-25 00:22:16 CEST
SUSE has issued an advisory for this on April 15:
David Walser 2019-06-23 19:20:31 CEST

Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO

Comment 4 Rémi Verschelde 2019-06-23 21:02:58 CEST
For reference, still waiting for 2.0.10 which should be right around the corner: https://discourse.libsdl.org/t/sdl-2-0-10-prerelease/26300
Comment 5 David GEIGER 2019-08-30 15:24:07 CEST
Cauldron seems fixed with latest 2.0.10 release!

So Rémi can you look for mga7 and mga6, please?

CC: (none) => geiger.david68210

Comment 6 David Walser 2019-08-31 03:13:29 CEST
David pointed out to me that 2.0.10 also fixes CVE-2019-13616:

Version: Cauldron => 7
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
Summary: sdl2 new security issues CVE-2019-757[2-8] and CVE-2019-763[5-8] => sdl2 new security issues CVE-2019-757[2-8], CVE-2019-763[5-8], and CVE-2019-13616

Comment 7 Rémi Verschelde 2019-08-31 12:11:02 CEST
Working on it.


Rémi Verschelde 2019-08-31 12:11:46 CEST

Source RPM: sdl2-2.0.9-1.mga7.src.rpm, mingw-sdl2 => sdl2-2.0.9-1.mga7, mingw-SDL2-2.0.9-1.mga7

Comment 8 Rémi Verschelde 2019-08-31 12:25:24 CEST

Updated sdl2 packages fix security vulnerabilities

  This release fixes various buffer overflows when parsing or processing damaged
  Waveform audio and BMP image files.

  - Fix CVE-2019-7572 (a buffer overread in IMA_ADPCM_nibble) (rhbz#1676754)
  - Fix CVE-2019-7572 (a buffer overwrite in IMA_ADPCM_nibble) (rhbz#1676754)
  - Fix CVE-2019-7573, CVE-2019-7576 (buffer overreads in InitMS_ADPCM)
    (rhbz#1676752, rhbz#1676756)
  - Fix CVE-2019-7574 (a buffer overread in IMA_ADPCM_decode) (rhbz#1676750)
  - Fix CVE-2019-7575 (a buffer overwrite in MS_ADPCM_decode) (rhbz#1676744)
  - Fix CVE-2019-7577 (a buffer overread in MS_ADPCM_decode) (rhbz#1676510)
  - Fix CVE-2019-7578 (a buffer overread in InitIMA_ADPCM) (rhbz#1676782)
  - Fix CVE-2019-7635 (a buffer overread when blitting a BMP image with pixel
    colors out the palette) (rhbz#1677159)
  - Fix CVE-2019-7636, CVE-2019-7638 (buffer overflows when processing BMP
    images with too high number of colors) (rhbz#1677144, rhbz#1677157)
  - Fix CVE-2019-7637 (an integer overflow in SDL_CalculatePitch) (rhbz#1677152)
  - Reject 2, 3, 5, 6, 7-bpp BMP images (rhbz#1677159)
  - Fix CVE-2010-13616 (heap-based buffer over-read in BlitNtoN in
    video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c)

  The 2.0.10 release also provides various features and bug fixes.

 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OHEXXGCOKNICFBDMNVYYDTSDLQ42K5G5/
 - https://security-tracker.debian.org/tracker/CVE-2019-13616
 - https://hg.libsdl.org/SDL/file/bc90ce38f1e2/WhatsNew.txt

RPMs in 6 & 7 core/updates_testing:



SRPMs in 6 & 7 core/updates_testing:



Assignee: rverschelde => qa-bugs
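
The BMP items in the advisory above (unsupported bit depths, too many palette colors, the pitch integer overflow, pixel indices outside the palette) all come down to header checks made before any buffer is sized from the file. The following is an added illustration of those checks, not SDL's code or its patches; the struct, the function names and the 1 GiB size limit are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified view of the BMP info-header fields involved. */
typedef struct {
    uint32_t width, height;
    uint16_t bits_per_pixel;
    uint32_t colors_used;              /* palette entries stored in the file */
} bmp_info;

enum { BMP_OK = 0, BMP_BAD_DEPTH, BMP_BAD_PALETTE, BMP_BAD_SIZE };
#define BMP_MAX_BYTES ((uint64_t)1 << 30)  /* assumed policy limit, not an SDL value */

/* Validate the header before any buffer is sized from it. */
static int bmp_validate(const bmp_info *h, size_t *pitch, size_t *image_bytes)
{
    switch (h->bits_per_pixel) {
    case 1: case 4: case 8: case 16: case 24: case 32: break;
    default: return BMP_BAD_DEPTH;     /* rejects 2, 3, 5, 6, 7 bpp */
    }
    /* A palette cannot hold more entries than the depth can index. */
    if (h->bits_per_pixel <= 8 && h->colors_used > (1u << h->bits_per_pixel))
        return BMP_BAD_PALETTE;
    if (h->width == 0 || h->height == 0) return BMP_BAD_SIZE;
    /* 64-bit math: width * bpp wraps silently in 32 bits. */
    uint64_t row = (((uint64_t)h->width * h->bits_per_pixel + 31) / 32) * 4;
    if (row > INT32_MAX) return BMP_BAD_SIZE;    /* pitch assumed to be an int */
    uint64_t total = row * h->height;            /* < 2^63, cannot wrap */
    if (total > BMP_MAX_BYTES) return BMP_BAD_SIZE;
    *pitch = (size_t)row;
    *image_bytes = (size_t)total;
    return BMP_OK;
}

/* 8-bpp pixel data: every index must name an existing palette entry. */
static int bmp_indices_in_palette(const uint8_t *px, size_t n, uint32_t ncolors)
{
    for (size_t i = 0; i < n; i++)
        if (px[i] >= ncolors) return 0;
    return 1;
}

int main(void)
{
    bmp_info wrap = { 0x40000001u, 1, 32, 0 };   /* constructed: 32-bit pitch would be 4 */
    size_t pitch = 0, bytes = 0;
    printf("%d\n", bmp_validate(&wrap, &pitch, &bytes));
    return 0;
}
```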

Comment 9 Len Lawrence 2019-09-01 01:47:54 CEST
This is another one where the ASAN POC files need certain test utilities, like testsprite.

CC: (none) => tarazed25

Comment 10 Len Lawrence 2019-09-01 16:59:04 CEST
Created attachment 11268
Failed attempt at compiling testsprite.c.
Comment 11 David Walser 2019-09-01 17:09:49 CEST
I'm guessing that version of testsprite is for SDL 1.2.
Comment 12 Len Lawrence 2019-09-01 17:15:01 CEST
Quite right David.  I had just seen that.

The RedHat link leads to discussions covering versions 1.2 onwards, centring on audio/SDL_wave.c.

Found the source for loopwave.c at https://android.googlesource.com/platform/external/qemu/+/android-4.2.2_r1.2/distrib/sdl-1.2.15/test/loopwave.c
It needed a little editing before compiling.
$ gcc -o loopwave -I/usr/include/SDL2 -lSDL2 loopwave.c
loopwave.c: In function ‘main’:
loopwave.c:88:60: warning: passing argument 1 of ‘SDL_GetAudioDeviceName’ makes integer from pointer without a cast [-Wint-conversion]
  printf("Using audio driver: %s\n", SDL_GetAudioDeviceName(name, 32));
In file included from /usr/include/SDL2/SDL.h:36,
                 from loopwave.c:12:
/usr/include/SDL2/SDL_audio.h:359:37: note: expected ‘int’ but argument is of type ‘char *’
 extern DECLSPEC const char *SDLCALL SDL_GetAudioDeviceName(int index,

Despite these errors it produced a viable binary file.
Not entirely confident about the API here after seeing the troubles with testsprite.c.  Duh!  Just noticed that the link specifically indicates sdl-1.2.15, so cancelling all the POC tests, which involved loopwave, testsprite and graywin.  Four hours work down the drain.
Comment 13 Len Lawrence 2019-09-01 19:25:41 CEST
mga7, x86_64

Ignoring the POC because the test programs are not readily available for SDL2.

Updated all the packages.

The libraries are required by a considerable number of games and utilities such as mpv.  Running strace while playing audio and video tracks with mpv shows that libSDL2-2.0 is opened successfully.

Installing neverball pulled in lib64sdl2_ttf2.0_0 which was heavily used during play.  Game working fine.

$ strace -o trace fallingtime
SDL initialisation succeeded
SDL_CreateWindow succeeded
SDL_CreateRenderer succeeded
Mix_OpenAudio succeeded
TTF_Init succeeded

The trace showed several SDL2 libraries being used.

Started blender and carried out a few primitive operations.  SDL2 library was opened.

It looks like everything is OK for 64bits.

Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK

Comment 14 Len Lawrence 2019-09-03 10:30:49 CEST
mga6, x86_64

Updated the packages.

$ urpmq --whatrequires mingw64-SDL2 | sort -u

Most of the mingw programs under /bin look like programming tools so we shall skip those.
pinball and neverball work fine.
Played music and video tracks with mpv.

blender opens and responds to 'links'.
Recover Last Session indicates that there was none - correct.
Blender Render shows a 3D cube, which can be manipulated.  Tried duplication, moving and rotation.  Working fine.

OK for 64bits.

Whiteboard: MGA6TOO MGA7-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK

Comment 15 Len Lawrence 2019-09-03 19:13:05 CEST
Validating this.  Advisory in comment 8 - needs to be pushed to SVN.  My SSH setup does not allow me to do it.
Thomas Andrews 2019-09-05 04:52:04 CEST

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 16 Thomas Andrews 2019-09-05 04:58:33 CEST
(In reply to Len Lawrence from comment #15)
> Validating this.  Advisory in comment 8 - needs to be pushed to SVN.  My SSH
> setup does not allow me to do it.

Len, the update validation is not complete until you put "validated_update" in the Keywords box. For backports, "validated_backport" is used.
Thomas Backlund 2019-09-06 17:59:26 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 17 Mageia Robot 2019-09-06 23:10:59 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Comment 18 David Walser 2019-11-26 23:42:36 CET
This also fixed CVE-2019-13626:
