Bug 52728 - libsdl2: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.4
All Linux
: P3 normal (vote)
: UCS 4.4-7-errata
Assigned To: Quality Assurance
Erik Damrose
Reported: 2021-02-01 09:10 CET by Quality Assurance
Modified: 2021-02-03 15:04 CET
What kind of report is it?: Security Issue
Max CVSS v3 score: 8.4 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Description Quality Assurance univentionstaff 2021-02-01 09:10:27 CET
New Debian libsdl2 2.0.5+dfsg1-2+deb9u1 fixes:
This update addresses the following issues:
* Heap-based buffer overflow in function MS_ADPCM_decode in audio/SDL_wave.c (CVE-2019-7575)
* Buffer over-read in function SDL_LoadWAV_RW in audio/SDL_wave.c (CVE-2019-7577)
* Heap-based buffer over-read in InitIMA_ADPCM in audio/SDL_wave.c (CVE-2019-7578)
* Heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c (CVE-2019-7635)
* Heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c (CVE-2019-7636)
* Heap-based buffer over-read in Map1toN in video/SDL_pixels.c (CVE-2019-7638)
* Heap-based buffer overflow in SDL blit functions in video/SDL_blit*.c (CVE-2019-13616)
* Integer overflow in SDL_BlitCopy in video/SDL_blit_copy.c via a crafted .BMP file (CVE-2020-14409)
* Heap-based buffer over-read in Blit_3or4_to_3or4__inversed_rgb in video/SDL_blit_N.c via a crafted .BMP file (CVE-2020-14410)
Comment 1 Quality Assurance univentionstaff 2021-02-01 10:00:18 CET
--- mirror/ftp/4.3/unmaintained/4.3-0/source/libsdl2_2.0.5+dfsg1-2.dsc
+++ apt/ucs_4.4-0-errata4.4-7/source/libsdl2_2.0.5+dfsg1-2+deb9u1.dsc
@@ -1,3 +1,29 @@
+2.0.5+dfsg1-2+deb9u1 [Thu, 28 Jan 2021 20:03:02 +0100] Thorsten Alteholz <debian@alteholz.de>:
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2020-14409 and CVE-2020-14410
+    Fix for buffer overflow and integer overflow which might result
+    in a DoS or remote code execution by using a crafted .BMP file.
+  * CVE-2019-7575
+    Fix for a heap-based buffer overflow in MS_ADPCM_decode in
+    audio/SDL_wave.c.
+  * CVE-2019-7577
+    Fix for a buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c.
+  * CVE-2019-7578
+    If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it
+    could read past the end of chunk data.
+  * CVE-2019-7635
+    Fix for a heap-based buffer over-read in Blit1to4 in
+    video/SDL_blit_1.c.
+  * CVE-2019-7636
+    Fix for  a heap-based buffer over-read in SDL_GetRGB in
+    video/SDL_pixels.c.
+  * CVE-2019-7638
+    Fix for a a heap-based buffer over-read in Map1toN in
+    video/SDL_pixels.c.
+  * CVE-2019-13616
+    Fix for a heap-based buffer over-read by using a crafted .BMP file.
+
 2.0.5+dfsg1-2 [Tue, 27 Dec 2016 18:11:10 +0100] Gianfranco Costamagna <locutusofborg@debian.org>:
 
   * Team Upload.
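
Review bot: the CVE-2019-13616 entry at the end of the new changelog block calls the issue a "heap-based buffer over-read", but the description of this bug lists the same CVE as a heap-based buffer overflow in the SDL blit functions in video/SDL_blit*.c. The two should agree, since an out-of-bounds write and an out-of-bounds read carry different impact, and the entry should name the affected files as the other entries do. The combined CVE-2020-14409 and CVE-2020-14410 entry likewise says "buffer overflow and integer overflow" where the description has an integer overflow in SDL_BlitCopy and a heap-based buffer over-read in Blit_3or4_to_3or4__inversed_rgb; splitting it into one entry per CVE with the function and file named would match the rest of the block. Minor: "Fix for  a" under CVE-2019-7636 has a double space and "Fix for a a" under CVE-2019-7638 has a doubled article.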

<http://10.200.17.11/4.4-7/#512363125358187581>
Comment 2 Erik Damrose univentionstaff 2021-02-02 23:52:03 CET
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-7] 063c498e0c Bug #52728: libsdl2 2.0.5+dfsg1-2+deb9u1
 doc/errata/staging/libsdl2.yaml | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)