+++ This bug was initially created as a clone of Bug #24496 +++

Fedora has issued an advisory on February 26:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OHEXXGCOKNICFBDMNVYYDTSDLQ42K5G5/

Mageia 6 is also affected. The sdl2 package is also affected.
Source RPM: sdl2-2.0.9-1.mga7.src => sdl2-2.0.9-1.mga7.src.rpm
Whiteboard: (none) => MGA6TOO
Assigning to our registered sdl2 maintainer.
CC: (none) => marja11
Assignee: bugsquad => rverschelde
Source RPM: sdl2-2.0.9-1.mga7.src.rpm => sdl2-2.0.9-1.mga7.src.rpm, mingw-sdl2
I backported the fixes for SDL 1.2 in bug 24496. I'll wait for now with SDL2 as most of the patches haven't been accepted/merged upstream yet, and Fedora hasn't tried to cherry-pick them either. Upstream is usually relatively quick to respond to security vulnerabilities, so it might be worth waiting for 2.0.10 fixing those.
SUSE has issued an advisory for this on April 15:
http://lists.suse.com/pipermail/sle-security-updates/2019-April/005337.html
Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO
For the reference, still waiting for 2.0.10 which should be right around the corner:
https://discourse.libsdl.org/t/sdl-2-0-10-prerelease/26300
Cauldron seems fixed with latest 2.0.10 release! So Rémi can you look for mga7 and mga6, please?
CC: (none) => geiger.david68210
David pointed out to me that 2.0.10 also fixes CVE-2019-13616:
https://security-tracker.debian.org/tracker/CVE-2019-13616
Version: Cauldron => 7
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
Summary: sdl2 new security issues CVE-2019-757[2-8] and CVE-2019-763[5-8] => sdl2 new security issues CVE-2019-757[2-8], CVE-2019-763[5-8], and CVE-2019-13616
Working on it.
Status: NEW => ASSIGNED
Source RPM: sdl2-2.0.9-1.mga7.src.rpm, mingw-sdl2 => sdl2-2.0.9-1.mga7, mingw-SDL2-2.0.9-1.mga7
Advisory:
=========

Updated sdl2 packages fix security vulnerabilities

This release fixes various buffer overflows when parsing or processing damaged Waveform audio and BMP image files.

- Fix CVE-2019-7572 (a buffer overread in IMA_ADPCM_nibble) (rhbz#1676754)
- Fix CVE-2019-7572 (a buffer overwrite in IMA_ADPCM_nibble) (rhbz#1676754)
- Fix CVE-2019-7573, CVE-2019-7576 (buffer overreads in InitMS_ADPCM) (rhbz#1676752, rhbz#1676756)
- Fix CVE-2019-7574 (a buffer overread in IMA_ADPCM_decode) (rhbz#1676750)
- Fix CVE-2019-7575 (a buffer overwrite in MS_ADPCM_decode) (rhbz#1676744)
- Fix CVE-2019-7577 (a buffer overread in MS_ADPCM_decode) (rhbz#1676510)
- Fix CVE-2019-7578 (a buffer overread in InitIMA_ADPCM) (rhbz#1676782)
- Fix CVE-2019-7635 (a buffer overread when blitting a BMP image with pixel colors outside the palette) (rhbz#1677159)
- Fix CVE-2019-7636, CVE-2019-7638 (buffer overflows when processing BMP images with too high number of colors) (rhbz#1677144, rhbz#1677157)
- Fix CVE-2019-7637 (an integer overflow in SDL_CalculatePitch) (rhbz#1677152)
- Reject 2, 3, 5, 6, 7-bpp BMP images (rhbz#1677159)
- Fix CVE-2019-13616 (heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c)

The 2.0.10 release also provides various features and bug fixes.
References:
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OHEXXGCOKNICFBDMNVYYDTSDLQ42K5G5/
- https://security-tracker.debian.org/tracker/CVE-2019-13616
- https://hg.libsdl.org/SDL/file/bc90ce38f1e2/WhatsNew.txt

RPMs in 6 & 7 core/updates_testing:
===================================
lib64sdl2.0_0-2.0.10-1.mga[67]
lib64sdl2.0-devel-2.0.10-1.mga[67]
lib64sdl2.0-static-devel-2.0.10-1.mga[67]
sdl2-docs-2.0.10-1.mga[67]
mingw32-SDL2-2.0.10-1.mga[67]
mingw32-SDL2-static-2.0.10-1.mga[67]
mingw64-SDL2-2.0.10-1.mga[67]
mingw64-SDL2-static-2.0.10-1.mga[67]

SRPMs in 6 & 7 core/updates_testing:
====================================
sdl2-2.0.10-1.mga6
mingw-SDL2-2.0.10-1.mga6
sdl2-2.0.10-1.mga7
mingw-SDL2-2.0.10-1.mga7
Assignee: rverschelde => qa-bugs
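The advisory above names three BMP-side bug classes in the 2.0.9 code: an integer overflow in SDL_CalculatePitch, palette indices outside the palette during blits, and BMP headers declaring more colors than their bit depth can index (plus the decision to reject 2, 3, 5, 6 and 7-bpp images outright). The C block below is an added illustration written for this thread, not SDL's own code: the function names safe_calculate_pitch, safe_surface_size, valid_bmp_color_count and blit_indexed_checked, the accepted bit-depth set and the INT32_MAX size cap are assumptions chosen to show the shape of the checks, not SDL's actual logic.

```c
/* Added example for this bug thread: hardened checks for the BMP bug classes
 * named in the advisory. Not SDL code; names, limits and the set of accepted
 * bit depths are assumptions made for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Row pitch in bytes for `width` pixels at `bpp` bits per pixel, rounded up
 * to a 4-byte boundary as BMP rows are. Works in 64 bits so width*bpp cannot
 * wrap, rejects depths a BMP loader has no business accepting (2, 3, 5, 6,
 * 7 bpp) and caps the result so that a later int-typed pitch or a
 * pitch*height allocation cannot overflow. Returns 0 on rejection. */
size_t safe_calculate_pitch(uint32_t width, uint32_t bpp)
{
    switch (bpp) {
    case 1: case 4: case 8: case 15: case 16: case 24: case 32:
        break;
    default:
        return 0;
    }
    uint64_t bits  = (uint64_t)width * bpp;        /* at most 2^32 * 32, no wrap */
    uint64_t bytes = (bits + 7) / 8;
    uint64_t pitch = (bytes + 3) & ~(uint64_t)3;
    if (pitch > INT32_MAX)                          /* assumed cap */
        return 0;
    return (size_t)pitch;
}

/* Total pixel-buffer size, with the pitch*height product checked as well. */
bool safe_surface_size(uint32_t width, uint32_t height, uint32_t bpp, uint64_t *out)
{
    size_t pitch = safe_calculate_pitch(width, bpp);
    if (pitch == 0 || height == 0)
        return false;
    uint64_t total = (uint64_t)pitch * height;      /* < 2^31 * 2^32, no wrap */
    if (total > INT32_MAX)
        return false;
    *out = total;
    return true;
}

/* A BMP header's "colors used" field must not exceed what the bit depth can
 * index; a loader that sizes its palette by bpp would otherwise read or write
 * past that palette when copying the declared number of entries. */
bool valid_bmp_color_count(uint32_t bpp, uint32_t clr_used)
{
    if (bpp > 8)
        return true;                                /* no palette in use */
    return clr_used <= (1u << bpp);
}

/* Expand 8-bit indexed pixels to 32-bit through a palette of `ncolors`
 * entries, refusing the whole blit if any index lies outside the palette
 * instead of reading past the end of `palette`. */
bool blit_indexed_checked(const uint8_t *src, size_t npixels,
                          const uint32_t *palette, unsigned ncolors,
                          uint32_t *dst)
{
    for (size_t i = 0; i < npixels; i++)
        if (src[i] >= ncolors)
            return false;
    for (size_t i = 0; i < npixels; i++)
        dst[i] = palette[src[i]];
    return true;
}

int main(void)
{
    /* Constructed inputs: a sane 5x2 8-bpp image, a 3-bpp depth, and a
     * crafted width whose width*bpp product would wrap a 32-bit int. */
    uint64_t size = 0;
    bool ok = safe_surface_size(5, 2, 8, &size);
    printf("5x2 @ 8bpp: pitch=%zu ok=%d size=%llu\n",
           safe_calculate_pitch(5, 8), ok, (unsigned long long)size);
    printf("3-bpp rejected: pitch=%zu\n", safe_calculate_pitch(100, 3));
    printf("huge width rejected: pitch=%zu\n",
           safe_calculate_pitch(0x7FFFFFFFu, 32));
    printf("257 colors at 8bpp valid: %d\n", valid_bmp_color_count(8, 257));

    const uint32_t palette[4] = { 0xFF000000u, 0xFFFF0000u, 0xFF00FF00u, 0xFF0000FFu };
    const uint8_t good[4] = { 0, 1, 2, 3 };
    const uint8_t bad[4]  = { 0, 1, 2, 200 };       /* 200 is outside the palette */
    uint32_t out[4];
    printf("in-palette blit: %d\n", blit_indexed_checked(good, 4, palette, 4, out));
    printf("out-of-palette blit: %d\n", blit_indexed_checked(bad, 4, palette, 4, out));
    return 0;
}
```

The point of validating every index before the copy loop, rather than clamping inside it, is that a rejected image never produces partially-written output that a caller might treat as valid; the same applies to the size checks, which fail closed before any allocation is sized from attacker-controlled header fields.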
This is another one where the ASAN POC files need certain test utilities, like testsprite.
CC: (none) => tarazed25
Created attachment 11268: Failed attempt at compiling testsprite.c.
I'm guessing that version of testsprite is for SDL 1.2.
Quite right David. I had just seen that. The RedHat link leads to discussions covering versions 1.2 onwards, centring on audio/SDL_wave.c.

Found the source for loopwave.c at https://android.googlesource.com/platform/external/qemu/+/android-4.2.2_r1.2/distrib/sdl-1.2.15/test/loopwave.c
It needed a little editing before compiling.

$ gcc -o loopwave -I/usr/include/SDL2 -lSDL2 loopwave.c
loopwave.c: In function ‘main’:
loopwave.c:88:60: warning: passing argument 1 of ‘SDL_GetAudioDeviceName’ makes integer from pointer without a cast [-Wint-conversion]
     printf("Using audio driver: %s\n", SDL_GetAudioDeviceName(name, 32));
                                                               ^~~~
In file included from /usr/include/SDL2/SDL.h:36,
                 from loopwave.c:12:
/usr/include/SDL2/SDL_audio.h:359:37: note: expected ‘int’ but argument is of type ‘char *’
 extern DECLSPEC const char *SDLCALL SDL_GetAudioDeviceName(int index,
                                     ^~~~~~~~~~~~~~~~~~~~~~

Despite these errors it produced a viable binary file. Not entirely confident about the API here after seeing the troubles with testsprite.c.

Duh! Just noticed that the link specifically indicates sdl-1.2.15, so cancelling all the POC tests, which involved loopwave, testsprite and graywin. Four hours work down the drain.
mga7, x86_64

Ignoring the POC because the test programs are not readily available for SDL2.

Updated all the packages. The libraries are required by a considerable number of games and utilities such as mpv. Running strace while playing audio and video tracks with mpv shows that libSDL2-2.0 is opened successfully.

Installing neverball pulled in lib64sdl2_ttf2.0_0 which was heavily used during play. Game working fine.

$ strace -o trace fallingtime
SDL initialisation succeeded
SDL_CreateWindow succeeded
SDL_CreateRenderer succeeded
Mix_OpenAudio succeeded
TTF_Init succeeded

The trace showed several SDL2 libraries being used.

Started blender and carried out a few primitive operations. SDL2 library was opened.

It looks like everything is OK for 64bits.
Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK
mga6, x86_64

Updated the packages.

$ urpmq --whatrequires mingw64-SDL2 | sort -u
mingw64-SDL2
mingw64-SDL2_image
mingw64-SDL2_mixer
mingw64-SDL2_net
mingw64-SDL2-static

Most of the mingw programs under /bin look like programming tools so we shall skip those.

pinball and neverball work fine. Played music and video tracks with mpv.

blender opens and responds to 'links'. Recover Last Session indicates that there was none - correct. Blender Render shows a 3D cube, which can be manipulated. Tried duplication, moving and rotation. Working fine.

OK for 64bits.
Whiteboard: MGA6TOO MGA7-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK
Validating this. Advisory in comment 8 - needs to be pushed to SVN. My SSH setup does not allow me to do it.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
(In reply to Len Lawrence from comment #15)
> Validating this. Advisory in comment 8 - needs to be pushed to SVN. My SSH
> setup does not allow me to do it.

Len, the update validation is not complete until you put "validated_update" in the Keywords box. For backports, "validated_backport" is used.
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0239.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
This also fixed CVE-2019-13626:
https://lists.opensuse.org/opensuse-updates/2019-09/msg00182.html