Ubuntu has issued an advisory today (August 29): https://ubuntu.com/security/notices/USN-5586-1
Blocks: (none) => 30293
Status comment: (none) => Patches available from upstream and Ubuntu
I cannot find this to see who has dealt with it before, so assigning this update globally (which would probably be the case anyway).
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

There is a heap overflow problem in video/SDL_pixels.c in SDL (Simple DirectMedia Layer) 2.x to 2.0.18 versions. By crafting a malicious .BMP file, an attacker can cause the application using this library to crash, denial of service or Code execution. (CVE-2021-33657)

SDL v1.2 was discovered to contain a use-after-free via the XFree function at /src/video/x11/SDL_x11yuv.c. (CVE-2022-34568)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33657
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34568
https://lists.suse.com/pipermail/sle-security-updates/2022-April/010735.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RT4PK6MXMUBIFIGD2YA7HAH4DD43QU3Z/
https://ubuntu.com/security/notices/USN-5398-1
https://ubuntu.com/security/notices/USN-5586-1
========================

Updated packages in core/updates_testing:
========================
lib64SDL1.2_0-1.2.15-26.1.mga8
lib64SDL-devel-1.2.15-26.1.mga8
lib64SDL-static-devel-1.2.15-26.1.mga8

from SRPM:
SDL12-1.2.15-26.1.mga8.src.rpm
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2022-34568
Status comment: Patches available from upstream and Ubuntu => (none)
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Used Qarepo to download these packages and those from companion bug 30293. No installation issues.

Followed the lead of Bug 24496, except that this time I chose a game I have spent far too much time playing on my Android tablet, Frozen Bubble.

$ strace -o libSDL.txt frozen-bubble

Played five levels, then quit. The resulting strace file showed numerous references to libSDL-1.2.so.0 so it looks good to me. Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0332.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED