Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 690064 (CVE-2019-13626)

Summary: <media-libs/libsdl2-2.0.10: integer overflow in audio/SDL_wave.c
Product: Gentoo Security Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: games
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.libsdl.org/show_bug.cgi?id=4522
See Also: https://bugs.gentoo.org/show_bug.cgi?id=692392
Whiteboard: B3 [glsa+ cve]
Package list:
media-libs/libsdl2-2.0.10
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 692392    

Description D'juan McDonald (domhnall) 2019-07-17 16:22:08 UTC
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13626):

SDL (Simple DirectMedia Layer) 2.x through 2.0.9 has a heap-based buffer over-read in Fill_IMA_ADPCM_block, caused by an integer overflow in IMA_ADPCM_decode() in audio/SDL_wave.c.



Gentoo Security Padawan
(domhnall)
Comment 1 James Le Cuirot gentoo-dev 2019-07-17 20:16:45 UTC
The CVE links to https://bugzilla.libsdl.org/show_bug.cgi?id=4522 but the main issue is at https://bugzilla.libsdl.org/show_bug.cgi?id=3894. The patches are quite heavy and there's talk of a 2.0.10 release so I'll sit tight for the moment.
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2019-07-26 15:05:58 UTC
commit 1ab804d7dfd299720ab731ce28d75c0e647b34b0
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Fri Jul 26 13:34:10 2019

    media-libs/libsdl2: Bump to version 2.0.10

    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2019-09-06 23:25:40 UTC
@arches, please stabilize.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2019-09-07 01:52:06 UTC
arm64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2019-09-08 01:14:28 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-09-08 10:42:28 UTC
amd64 stable
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2019-09-08 17:47:13 UTC
This issue was resolved and addressed in
 GLSA 201909-07 at https://security.gentoo.org/glsa/201909-07
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2019-09-08 17:48:31 UTC
Re-opening for remaining architectures.
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2019-09-08 18:42:09 UTC
ia64/ppc/ppc64 stable
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-09-13 15:50:30 UTC
arm stable
Comment 11 Matt Turner gentoo-dev 2019-10-14 03:15:20 UTC
alpha stable

all arches done
Comment 12 Andreas Sturmlechner gentoo-dev 2019-11-15 01:27:22 UTC
(In reply to Matt Turner from comment #11)
> alpha stable

I don't see that.

$ eshowkw libsdl2
Keywords for media-libs/libsdl2:
          |                               |   u   |  
          | a a   a     p           s r   |   n   |  
          | l m   r i   p   h m s   p i m | e u s | r
          | p d a m a p c x p 6 3   a s i | a s l | e
          | h 6 r 6 6 p 6 8 p 8 9 s r c p | p e o | p
          | a 4 m 4 4 c 4 6 a k 0 h c v s | i d t | o
----------+-------------------------------+-------+-------
    2.0.9 | + + + + + + + + ~ o o o + o o | 6 o 0 | gentoo
[I]2.0.10 | ~ + + + + + + + ~ o o o ~ o o | 7 o   | gentoo
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-02 15:49:27 UTC
(This also fixes CVE-2019-13616).

(In reply to Andreas Sturmlechner from comment #12)
> (In reply to Matt Turner from comment #11)
> > alpha stable
> 
> I don't see that.
> 
> $ eshowkw libsdl2
> Keywords for media-libs/libsdl2:
>           |                               |   u   |  
>           | a a   a     p           s r   |   n   |  
>           | l m   r i   p   h m s   p i m | e u s | r
>           | p d a m a p c x p 6 3   a s i | a s l | e
>           | h 6 r 6 6 p 6 8 p 8 9 s r c p | p e o | p
>           | a 4 m 4 4 c 4 6 a k 0 h c v s | i d t | o
> ----------+-------------------------------+-------+-------
>     2.0.9 | + + + + + + + + ~ o o o + o o | 6 o 0 | gentoo
> [I]2.0.10 | ~ + + + + + + + ~ o o o ~ o o | 7 o   | gentoo

alpha fine now

@sparc, can we have 2.0.10 stabilised?
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-26 18:29:59 UTC
CC'ing sparc.
Comment 15 Sergei Trofimovich (RETIRED) gentoo-dev 2020-03-28 22:39:56 UTC
commit 6dc3294df3f025de37127eb400cf4289c403f609
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Fri Mar 27 08:49:53 2020 +0100

    media-libs/libsdl2: stable 2.0.10 for sparc, bug #690064
Comment 16 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-02 08:56:01 UTC
@maintainer(s), please cleanup
Comment 17 Larry the Git Cow gentoo-dev 2020-04-02 22:40:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1124f943b9eea126703d0c1df75df502e104232c

commit 1124f943b9eea126703d0c1df75df502e104232c
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2020-04-02 22:39:54 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2020-04-02 22:39:54 +0000

    media-libs/libsdl2: Drop old and vulnerable 2.0.9
    
    Bug: https://bugs.gentoo.org/690064
    Package-Manager: Portage-2.3.96, Repoman-2.3.20
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 media-libs/libsdl2/Manifest                        |   1 -
 .../libsdl2/files/libsdl2-2.0.6-static-libs.patch  |  44 -----
 media-libs/libsdl2/libsdl2-2.0.9.ebuild            | 189 ---------------------
 3 files changed, 234 deletions(-)
Comment 18 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-02 22:47:55 UTC
Thanks for cleaning up quickly. GLSA done, tree clean => closing.