Bug 30293 - sdl2, SDL12 new security issue CVE-2021-33657
Summary: sdl2, SDL12 new security issue CVE-2021-33657
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on: 30786
Blocks:
Reported: 2022-04-15 20:33 CEST by David Walser
Modified: 2022-09-16 21:41 CEST

See Also:
Source RPM: sdl2-2.0.14-1.mga8.src.rpm, SDL12-1.2.15-26.mga8.src.rpm
CVE: CVE-2021-33657
Status comment:



Description David Walser 2022-04-15 20:33:53 CEST
SUSE has issued an advisory on April 14:
https://lists.suse.com/pipermail/sle-security-updates/2022-April/010735.html

The issue is fixed upstream in sdl2 2.0.20.

SDL12 is also affected, and the SUSE bug mentions a backported fix:
https://bugzilla.suse.com/show_bug.cgi?id=1198001#c4
David Walser 2022-04-15 20:34:21 CEST

Status comment: (none) => Fixed upstream in 2.0.20

Comment 1 David Walser 2022-04-15 20:35:48 CEST
openSUSE has issued an advisory for this on April 14:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RT4PK6MXMUBIFIGD2YA7HAH4DD43QU3Z/

So we should be able to find their SDL12 fix on build.opensuse.org as well.
Comment 2 Lewis Smith 2022-04-15 21:25:36 CEST
sdl2 is with akien; SDL12 is parentless, and I cannot see who has maintained it for M8 - it is not visible in Cauldron.
So assigning this to Rémi.

Assignee: bugsquad => rverschelde

Comment 3 David Walser 2022-05-02 19:37:00 CEST
Ubuntu has issued an advisory for this on April 28:
https://ubuntu.com/security/notices/USN-5398-1
David Walser 2022-08-29 23:59:48 CEST

Depends on: (none) => 30786

Comment 4 Nicolas Salguero 2022-08-31 09:44:14 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

There is a heap overflow problem in video/SDL_pixels.c in SDL (Simple DirectMedia Layer) 2.x to 2.0.18 versions. By crafting a malicious .BMP file, an attacker can cause the application using this library to crash, denial of service or Code execution. (CVE-2021-33657)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33657
https://lists.suse.com/pipermail/sle-security-updates/2022-April/010735.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RT4PK6MXMUBIFIGD2YA7HAH4DD43QU3Z/
https://ubuntu.com/security/notices/USN-5398-1
========================

Updated packages in core/updates_testing:
========================
lib(64)sdl2.0_0-2.0.14-1.1.mga8
lib(64)sdl2.0-devel-2.0.14-1.1.mga8
lib(64)sdl2.0-static-devel-2.0.14-1.1.mga8
sdl2-docs-2.0.14-1.1.mga8

from SRPM:
sdl2-2.0.14-1.1.mga8.src.rpm

CVE: (none) => CVE-2021-33657
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: rverschelde => qa-bugs
Status comment: Fixed upstream in 2.0.20 => (none)

Comment 5 Len Lawrence 2022-09-08 12:17:29 CEST
mga8, x64

Installed the Core packages.  Ran a quick test by compiling loopwave.c against the libraries and played a WAV file in a loop using the executable.

Updated OK.

Recompiled loopwave.  That works.  Installed sdl2_mixer-player.
$ sudo updatedb
$ locate sdl2_mixer
.....
/usr/share/doc/sdl2_mixer-player/README.txt
$ which playwave
/usr/bin/playwave
$ strace -o sdl.trace playwave BadMoonRising.wav
$ grep SDL sdl.trace
openat(AT_FDCWD, "/lib64/libSDL2_mixer-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libSDL2-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3

`urpmq --whatrequires lib64sdl2` returns a long list of applications including blender and several games.  Chose neverball and tried the Easy option.
$ grep SDL neverball.trace
openat(AT_FDCWD, "/lib64/libSDL2_ttf-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libSDL2-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3

Sending this on.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 6 Thomas Andrews 2022-09-08 14:02:32 CEST
Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-09-08 18:46:31 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2022-09-16 21:41:25 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0326.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

