SUSE has issued an advisory on April 14: https://lists.suse.com/pipermail/sle-security-updates/2022-April/010735.html The issue is fixed upstream in sdl2 2.0.20. SDL12 is also affected, and the SUSE bug mentions a backported fix: https://bugzilla.suse.com/show_bug.cgi?id=1198001#c4
Status comment: (none) => Fixed upstream in 2.0.20
openSUSE has issued an advisory for this on April 14: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RT4PK6MXMUBIFIGD2YA7HAH4DD43QU3Z/ So we should be able to find their SDL12 fix on build.opensuse.org as well.
sdl2 is with akien; SDL12 is parentless, and I cannot see who has maintined it for M8 - it is not visible in Cauldron. So assigning this to Rémi.
Assignee: bugsquad => rverschelde
Ubuntu has issued an advisory for this on April 28: https://ubuntu.com/security/notices/USN-5398-1
Depends on: (none) => 30786
Suggested advisory: ======================== The updated packages fix a security vulnerability: There is a heap overflow problem in video/SDL_pixels.c in SDL (Simple DirectMedia Layer) 2.x to 2.0.18 versions. By crafting a malicious .BMP file, an attacker can cause the application using this library to crash, denial of service or Code execution. (CVE-2021-33657) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33657 https://lists.suse.com/pipermail/sle-security-updates/2022-April/010735.html https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RT4PK6MXMUBIFIGD2YA7HAH4DD43QU3Z/ https://ubuntu.com/security/notices/USN-5398-1 ======================== Updated packages in core/updates_testing: ======================== lib(64)sdl2.0_0-2.0.14-1.1.mga8 lib(64)sdl2.0-devel-2.0.14-1.1.mga8 lib(64)sdl2.0-static-devel-2.0.14-1.1.mga8 sdl2-docs-2.0.14-1.1.mga8 from SRPM: sdl2-2.0.14-1.1.mga8.src.rpm
CVE: (none) => CVE-2021-33657Status: NEW => ASSIGNEDCC: (none) => nicolas.salgueroAssignee: rverschelde => qa-bugsStatus comment: Fixed upstream in 2.0.20 => (none)
mga8, x64 Installed the Core packages. Ran a quick test by compiling loopwave.c against the libraries and played a WAV file in a loop using the executable. Updated OK. Recompiled loopwave. That works. Installed sdl2_mixer-player. $ sudo updatedb $ locate sdl2_mixer ..... /usr/share/doc/sdl2_mixer-player/README.txt $ which playwave /usr/bin/playwave $ strace -o sdl.trace playwave BadMoonRising.wav $ grep SDL sdl.trace openat(AT_FDCWD, "/lib64/libSDL2_mixer-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/lib64/libSDL2-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3 `urpmq --whatrequires lib64sdl2` returns a long list of applications including blender and several games. Chose neverball and tried the Easy option. $ grep SDL neverball.trace openat(AT_FDCWD, "/lib64/libSDL2_ttf-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3 openat(AT_FDCWD, "/lib64/libSDL2-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3 Sending this on.
CC: (none) => tarazed25Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0326.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED