CVE-2019-13626 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13626): SDL (Simple DirectMedia Layer) 2.x through 2.0.9 has a heap-based buffer over-read in Fill_IMA_ADPCM_block, caused by an integer overflow in IMA_ADPCM_decode() in audio/SDL_wave.c.

Gentoo Security Padawan (domhnall)
The CVE links to https://bugzilla.libsdl.org/show_bug.cgi?id=4522 but the main issue is at https://bugzilla.libsdl.org/show_bug.cgi?id=3894. The patches are quite heavy and there's talk of a 2.0.10 release so I'll sit tight for the moment.
commit 1ab804d7dfd299720ab731ce28d75c0e647b34b0
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Fri Jul 26 13:34:10 2019

    media-libs/libsdl2: Bump to version 2.0.10

    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
@arches, please stabilize.
arm64 stable
x86 stable
amd64 stable
This issue was resolved and addressed in GLSA 201909-07 at https://security.gentoo.org/glsa/201909-07 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for remaining architectures.
ia64/ppc/ppc64 stable
arm stable
alpha stable

all arches done
(In reply to Matt Turner from comment #11)
> alpha stable

I don't see that.

$ eshowkw libsdl2
Keywords for media-libs/libsdl2:
          |                               |   u   |
          | a a   a     p           s r   |   n   |
          | l m   r i   p   h m s   p i m | e u s | r
          | p d a m a p c x p 6 3   a s i | a s l | e
          | h 6 r 6 6 p 6 8 p 8 9 s r c p | p e o | p
          | a 4 m 4 4 c 4 6 a k 0 h c v s | i d t | o
----------+-------------------------------+-------+-------
    2.0.9 | + + + + + + + + ~ o o o + o o | 6 o 0 | gentoo
[I]2.0.10 | ~ + + + + + + + ~ o o o ~ o o | 7 o   | gentoo
(This also fixes CVE-2019-13616).

(In reply to Andreas Sturmlechner from comment #12)
> (In reply to Matt Turner from comment #11)
> > alpha stable
>
> I don't see that.
>
> $ eshowkw libsdl2
> Keywords for media-libs/libsdl2:
>           |                               |   u   |
>           | a a   a     p           s r   |   n   |
>           | l m   r i   p   h m s   p i m | e u s | r
>           | p d a m a p c x p 6 3   a s i | a s l | e
>           | h 6 r 6 6 p 6 8 p 8 9 s r c p | p e o | p
>           | a 4 m 4 4 c 4 6 a k 0 h c v s | i d t | o
> ----------+-------------------------------+-------+-------
>     2.0.9 | + + + + + + + + ~ o o o + o o | 6 o 0 | gentoo
> [I]2.0.10 | ~ + + + + + + + ~ o o o ~ o o | 7 o   | gentoo

alpha fine now

@sparc, can we have 2.0.10 stabilised?
CC'ing sparc.
commit 6dc3294df3f025de37127eb400cf4289c403f609
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Fri Mar 27 08:49:53 2020 +0100

    media-libs/libsdl2: stable 2.0.10 for sparc, bug #690064
@maintainer(s), please clean up
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1124f943b9eea126703d0c1df75df502e104232c

commit 1124f943b9eea126703d0c1df75df502e104232c
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2020-04-02 22:39:54 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2020-04-02 22:39:54 +0000

    media-libs/libsdl2: Drop old and vulnerable 2.0.9

    Bug: https://bugs.gentoo.org/690064
    Package-Manager: Portage-2.3.96, Repoman-2.3.20
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 media-libs/libsdl2/Manifest                        |   1 -
 .../libsdl2/files/libsdl2-2.0.6-static-libs.patch  |  44 -----
 media-libs/libsdl2/libsdl2-2.0.9.ebuild            | 189 ---------------------
 3 files changed, 234 deletions(-)
Thanks for cleaning up quickly. GLSA done, tree clean => closing.