[ASA-201910-8] sdl: arbitrary code execution
Arch Linux Security Advisory ASA-201910-8 ========================================= Severity: High Date : 2019-10-11 CVE-ID : CVE-2019-7572 CVE-2019-7573 CVE-2019-7574 CVE-2019-7575 CVE-2019-7576 CVE-2019-7577 CVE-2019-7578 CVE-2019-7635 CVE-2019-7636 CVE-2019-7637 CVE-2019-7638 CVE-2019-13616 Package : sdl Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-890 Summary ======= The package sdl before version 1.2.15-13 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 1.2.15-13. # pacman -Syu "sdl>=1.2.15-13" The problems have been fixed upstream but no release is available yet. Workaround ========== None. Description =========== - CVE-2019-7572 (arbitrary code execution) SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c. - CVE-2019-7573 (arbitrary code execution) SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (inside the wNumCoef loop). - CVE-2019-7574 (arbitrary code execution) SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c. - CVE-2019-7575 (arbitrary code execution) SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c. - CVE-2019-7576 (arbitrary code execution) SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (outside the wNumCoef loop). - CVE-2019-7577 (arbitrary code execution) SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c. - CVE-2019-7578 (arbitrary code execution) SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in InitIMA_ADPCM in audio/SDL_wave.c. - CVE-2019-7635 (arbitrary code execution) SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c. - CVE-2019-7636 (arbitrary code execution) SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c. - CVE-2019-7637 (arbitrary code execution) SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer overflow in SDL_FillRect in video/SDL_surface.c. - CVE-2019-7638 (arbitrary code execution) SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in Map1toN in video/SDL_pixels.c. - CVE-2019-13616 (arbitrary code execution) A heap-based buffer overflow was discovered in SDL in the SDL_BlitCopy() function, that was called while copying an existing surface into a new optimized one, due to lack of validation while loading a BMP image in the SDL_LoadBMP_RW() function. An application that uses SDL to parse untrusted input files may be vulnerable to this flaw, which could allow an attacker to make the application crash or possibly execute code. Impact ====== An attacker can execute arbitrary code on the affected host via a crafted audio, image or video file. References ========== https://bugzilla.libsdl.org/show_bug.cgi?id=4495 https://discourse.libsdl.org/t/vulnerabilities-found-in-libsdl-1-2-15-and-sd... https://hg.libsdl.org/SDL/rev/e52413f52586 https://hg.libsdl.org/SDL/rev/a8afedbcaea0 https://bugzilla.libsdl.org/show_bug.cgi?id=4491 https://hg.libsdl.org/SDL/rev/388987dff7bf https://hg.libsdl.org/SDL/rev/f9a9d6c76b21 https://bugzilla.libsdl.org/show_bug.cgi?id=4496 https://hg.libsdl.org/SDL/rev/a6e3d2f5183e https://bugzilla.libsdl.org/show_bug.cgi?id=4493 https://hg.libsdl.org/SDL/rev/a936f9bd3e38 https://bugzilla.libsdl.org/show_bug.cgi?id=4490 https://bugzilla.libsdl.org/show_bug.cgi?id=4492 https://hg.libsdl.org/SDL/rev/faf9bbcfb5f https://hg.libsdl.org/SDL/rev/416136310b88 https://bugzilla.libsdl.org/show_bug.cgi?id=4494 https://bugzilla.libsdl.org/show_bug.cgi?id=4498 https://hg.libsdl.org/SDL/rev/7c643f1c1887 https://hg.libsdl.org/SDL/rev/f1f5878be5db https://bugzilla.libsdl.org/show_bug.cgi?id=4499 https://hg.libsdl.org/SDL/rev/19d8c3b9c251 https://hg.libsdl.org/SDL/rev/07c39cbbeacf https://bugzilla.libsdl.org/show_bug.cgi?id=4497 https://hg.libsdl.org/SDL/rev/9b0e5c555c0f https://bugzilla.libsdl.org/show_bug.cgi?id=4500 https://bugzilla.libsdl.org/show_bug.cgi?id=4538 https://hg.libsdl.org/SDL/rev/ad1bbfbca760 https://security.archlinux.org/CVE-2019-7572 https://security.archlinux.org/CVE-2019-7573 https://security.archlinux.org/CVE-2019-7574 https://security.archlinux.org/CVE-2019-7575 https://security.archlinux.org/CVE-2019-7576 https://security.archlinux.org/CVE-2019-7577 https://security.archlinux.org/CVE-2019-7578 https://security.archlinux.org/CVE-2019-7635 https://security.archlinux.org/CVE-2019-7636 https://security.archlinux.org/CVE-2019-7637 https://security.archlinux.org/CVE-2019-7638 https://security.archlinux.org/CVE-2019-13616a
participants (1)
-
Santiago Torres-Arias