Arch Linux Security Advisory ASA-201910-8
=========================================
Severity: High
Date    : 2019-10-11
CVE-ID  : CVE-2019-7572 CVE-2019-7573 CVE-2019-7574 CVE-2019-7575
          CVE-2019-7576 CVE-2019-7577 CVE-2019-7578 CVE-2019-7635
          CVE-2019-7636 CVE-2019-7637 CVE-2019-7638 CVE-2019-13616
Package : sdl
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-890

Summary
=======
The package sdl before version 1.2.15-13 is vulnerable to arbitrary
code execution.

Resolution
==========
Upgrade to 1.2.15-13.

# pacman -Syu "sdl>=1.2.15-13"

The problems have been fixed upstream but no release is available yet.

Workaround
==========
None.

Description
===========
- CVE-2019-7572 (arbitrary code execution)

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has
a buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c.

- CVE-2019-7573 (arbitrary code execution)

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has
a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c
(inside the wNumCoef loop).

- CVE-2019-7574 (arbitrary code execution)

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has
a heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c.

- CVE-2019-7575 (arbitrary code execution)

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has
a heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c.

- CVE-2019-7576 (arbitrary code execution)

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has
a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c
(outside the wNumCoef loop).

- CVE-2019-7577 (arbitrary code execution)

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has
a buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c.

- CVE-2019-7578 (arbitrary code execution)

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has
a heap-based buffer over-read in InitIMA_ADPCM in audio/SDL_wave.c.

- CVE-2019-7635 (arbitrary code execution)

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has
a heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c.

- CVE-2019-7636 (arbitrary code execution)

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has
a heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c.

- CVE-2019-7637 (arbitrary code execution)

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has
a heap-based buffer overflow in SDL_FillRect in video/SDL_surface.c.

- CVE-2019-7638 (arbitrary code execution)

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has
a heap-based buffer over-read in Map1toN in video/SDL_pixels.c.

- CVE-2019-13616 (arbitrary code execution)

A heap-based buffer overflow was discovered in SDL in the
SDL_BlitCopy() function, that was called while copying an existing
surface into a new optimized one, due to lack of validation while
loading a BMP image in the SDL_LoadBMP_RW() function. An application
that uses SDL to parse untrusted input files may be vulnerable to this
flaw, which could allow an attacker to make the application crash or
possibly execute code.

Impact
======
An attacker can execute arbitrary code on the affected host via a
crafted audio, image or video file.

References
==========
https://github.com/libsdl-org/SDL/issues/3159
https://discourse.libsdl.org/t/vulnerabilities-found-in-libsdl-1-2-15-and-sdl2/25720
https://github.com/libsdl-org/SDL-1.2/commit/1ead4913fc2314a0ce5de06f29a20a8b0b0a5557
https://github.com/libsdl-org/SDL-1.2/commit/f22cbe4a3a2cd87392eec69bdcf2b4bd68b4507b
https://github.com/libsdl-org/SDL/issues/3155
https://github.com/libsdl-org/SDL-1.2/commit/c4a9f0080f928f40e826c49b2e8c057ec7843c2f
https://github.com/libsdl-org/SDL/commit/3f19a6d5e85c71df0fb2b4626b943457d38c2031
https://github.com/libsdl-org/SDL-1.2/issues/785
https://github.com/libsdl-org/SDL-1.2/commit/76871a1c52dc74b8ba2357b9d68c34d765ea9db3
https://github.com/libsdl-org/SDL/issues/3157
https://github.com/libsdl-org/SDL-1.2/commit/c68e0003d2f2b4e50bb1c4412af40c32f0b6396e
https://github.com/libsdl-org/SDL-1.2/issues/835
https://github.com/libsdl-org/SDL/issues/3156
https://github.com/libsdl-org/SDL-1.2/commit/82e503c2e026a8eee64e199c2648c296d924a5ab
https://github.com/libsdl-org/SDL/issues/3158
https://github.com/libsdl-org/SDL/issues/3160
https://github.com/libsdl-org/SDL/commit/8bc59f87ecb8d7cd1e47b8a6c2c30d9c58ecf7a7
https://github.com/libsdl-org/SDL-1.2/commit/32c57bf53b18dafb7298d6e9113632728e8fe1ba
https://github.com/libsdl-org/SDL/issues/3161
https://github.com/libsdl-org/SDL-1.2/commit/3c6f20586bb4ba074c73bb3e06d7123e57d4a226
https://github.com/libsdl-org/SDL/commit/ea4c4cfc28e19ec1fc7ae69a70f70943f7933b38
https://github.com/libsdl-org/SDL-1.2/issues/786
https://github.com/libsdl-org/SDL-1.2/commit/40d97bfe0e3dae1d6e5a91a46af1f15e8f967bc8
https://github.com/libsdl-org/SDL-1.2/issues/787
https://github.com/libsdl-org/SDL-1.2/issues/790
https://github.com/libsdl-org/SDL-1.2/commit/31a87d75f15c7acd9470fab9ceb129c0a255871f
https://security.archlinux.org/CVE-2019-7572
https://security.archlinux.org/CVE-2019-7573
https://security.archlinux.org/CVE-2019-7574
https://security.archlinux.org/CVE-2019-7575
https://security.archlinux.org/CVE-2019-7576
https://security.archlinux.org/CVE-2019-7577
https://security.archlinux.org/CVE-2019-7578
https://security.archlinux.org/CVE-2019-7635
https://security.archlinux.org/CVE-2019-7636
https://security.archlinux.org/CVE-2019-7637
https://security.archlinux.org/CVE-2019-7638
https://security.archlinux.org/CVE-2019-13616
