Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 692386 (CVE-2019-13616, CVE-2019-7572, CVE-2019-7573, CVE-2019-7574, CVE-2019-7575, CVE-2019-7576, CVE-2019-7577, CVE-2019-7578, CVE-2019-7635, CVE-2019-7636, CVE-2019-7638)

Summary: [TRACKER] Simple DirectMedia Layer: multiple vulnerabilities (CVE-2019-{7572,7573,7574,7575,7576,7577,7578,7635,7636,7638,13616})
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: normal Keywords: Tracker
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 692388, 772194, 692392    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2019-08-17 22:37:12 UTC 
CVE-2019-7572 (https://nvd.nist.gov/vuln/detail/CVE-2019-7572):
  SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
  buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c.

CVE-2019-7573 (https://nvd.nist.gov/vuln/detail/CVE-2019-7573):
  SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
  heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (inside the
  wNumCoef loop).

CVE-2019-7574 (https://nvd.nist.gov/vuln/detail/CVE-2019-7574):
  SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
  heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c.

CVE-2019-7575 (https://nvd.nist.gov/vuln/detail/CVE-2019-7575):
  SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
  heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c.

CVE-2019-7576 (https://nvd.nist.gov/vuln/detail/CVE-2019-7576):
  SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
  heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (outside the
  wNumCoef loop).

CVE-2019-7577 (https://nvd.nist.gov/vuln/detail/CVE-2019-7577):
  SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
  buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c.

CVE-2019-7578 (https://nvd.nist.gov/vuln/detail/CVE-2019-7578):
  SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
  heap-based buffer over-read in InitIMA_ADPCM in audio/SDL_wave.c.

CVE-2019-7635 (https://nvd.nist.gov/vuln/detail/CVE-2019-7635):
  SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
  heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c.

CVE-2019-7636 (https://nvd.nist.gov/vuln/detail/CVE-2019-7636):
  SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
  heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c.

CVE-2019-7638 (https://nvd.nist.gov/vuln/detail/CVE-2019-7638):
  SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
  heap-based buffer over-read in Map1toN in video/SDL_pixels.c.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-22 21:48:40 UTC 
CVE-2019-13616:

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c.

Upstream issue: https://github.com/libsdl-org/SDL-1.2/issues/790
Patch: https://github.com/libsdl-org/SDL-1.2/commit/31a87d75f15c7acd9470fab9ceb129c0a255871f