
Bug 692388

Summary: <media-libs/libsdl-1.2.15_p20210224: multiple vulnerabilities (CVE-2019-{7572,7573,7574,7575,7576,7577,7578,7635,7636,7638,13616})
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---
Severity: normal
CC: ajak, games, sam
Priority: Normal
Keywords: PullRequest
Version: unspecified
Flags: nattka: sanity-check+
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/19733
Whiteboard: B2 [glsa? cve]
Package list:
=media-libs/libsdl-1.2.15_p20210224
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 692386, 698100

Description GLSAMaker/CVETool Bot gentoo-dev 2019-08-17 22:37:35 UTC
CVE-2019-7572 (https://nvd.nist.gov/vuln/detail/CVE-2019-7572):
  SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
  buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c.

CVE-2019-7573 (https://nvd.nist.gov/vuln/detail/CVE-2019-7573):
  SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
  heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (inside the
  wNumCoef loop).

CVE-2019-7574 (https://nvd.nist.gov/vuln/detail/CVE-2019-7574):
  SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
  heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c.

CVE-2019-7575 (https://nvd.nist.gov/vuln/detail/CVE-2019-7575):
  SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
  heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c.

CVE-2019-7576 (https://nvd.nist.gov/vuln/detail/CVE-2019-7576):
  SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
  heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (outside the
  wNumCoef loop).

CVE-2019-7577 (https://nvd.nist.gov/vuln/detail/CVE-2019-7577):
  SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
  buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c.

CVE-2019-7578 (https://nvd.nist.gov/vuln/detail/CVE-2019-7578):
  SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
  heap-based buffer over-read in InitIMA_ADPCM in audio/SDL_wave.c.

CVE-2019-7635 (https://nvd.nist.gov/vuln/detail/CVE-2019-7635):
  SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
  heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c.

CVE-2019-7636 (https://nvd.nist.gov/vuln/detail/CVE-2019-7636):
  SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
  heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c.

CVE-2019-7638 (https://nvd.nist.gov/vuln/detail/CVE-2019-7638):
  SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
  heap-based buffer over-read in Map1toN in video/SDL_pixels.c.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 00:12:19 UTC
CVE-2019-7637 (https://nvd.nist.gov/vuln/detail/CVE-2019-7637):
  SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
  heap-based buffer overflow in SDL_FillRect in video/SDL_surface.c.
Comment 3 Sam James archtester gentoo-dev Security 2020-04-17 00:17:22 UTC
(In reply to Sam James (sec padawan) from comment #2)
> Tree is clean:
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/media-libs/libsdl2?id=1124f943b9eea126703d0c1df75df502e104232c

Oops, no it's not.
Comment 4 John Helmert III gentoo-dev Security 2020-08-07 05:06:16 UTC
(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2019-7572 (https://nvd.nist.gov/vuln/detail/CVE-2019-7572):
>   SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
>   buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c.

Issue: https://bugzilla.libsdl.org/show_bug.cgi?id=4495
Patches: https://hg.libsdl.org/SDL/rev/e52413f52586
https://hg.libsdl.org/SDL/rev/a8afedbcaea0

> CVE-2019-7573 (https://nvd.nist.gov/vuln/detail/CVE-2019-7573):
>   SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
>   heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (inside the
>   wNumCoef loop).

Issue: https://bugzilla.libsdl.org/show_bug.cgi?id=4491
Patches: https://hg.libsdl.org/SDL/rev/388987dff7bf
https://hg.libsdl.org/SDL/rev/f9a9d6c76b21
https://hg.libsdl.org/SDL/rev/fcbecae42795

> CVE-2019-7574 (https://nvd.nist.gov/vuln/detail/CVE-2019-7574):
>   SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
>   heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c.

Issue: https://bugzilla.libsdl.org/show_bug.cgi?id=4496
Patch: https://hg.libsdl.org/SDL/rev/a6e3d2f5183e

> CVE-2019-7575 (https://nvd.nist.gov/vuln/detail/CVE-2019-7575):
>   SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
>   heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c.

Issue: https://bugzilla.libsdl.org/show_bug.cgi?id=4493
Patch: https://hg.libsdl.org/SDL/rev/a936f9bd3e38

> CVE-2019-7576 (https://nvd.nist.gov/vuln/detail/CVE-2019-7576):
>   SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
>   heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (outside the
>   wNumCoef loop).

Issue: https://bugzilla.libsdl.org/show_bug.cgi?id=4490
Closed as a duplicate of CVE-2019-7573.

> CVE-2019-7577 (https://nvd.nist.gov/vuln/detail/CVE-2019-7577):
>   SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
>   buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c.

Issue: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
Patches: https://hg.libsdl.org/SDL/rev/faf9abbcfb5f
https://hg.libsdl.org/SDL/rev/416136310b88

> CVE-2019-7578 (https://nvd.nist.gov/vuln/detail/CVE-2019-7578):
>   SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
>   heap-based buffer over-read in InitIMA_ADPCM in audio/SDL_wave.c.

Issue: https://bugzilla.libsdl.org/show_bug.cgi?id=4494
Patches: Same as CVE-2019-7573

> CVE-2019-7635 (https://nvd.nist.gov/vuln/detail/CVE-2019-7635):
>   SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
>   heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c.

Issue: https://bugzilla.libsdl.org/show_bug.cgi?id=4498
Patches: https://hg.libsdl.org/SDL/rev/08f3b4992538
https://hg.libsdl.org/SDL/rev/4646533663ae

> CVE-2019-7636 (https://nvd.nist.gov/vuln/detail/CVE-2019-7636):
>   SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
>   heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c.

Issue: https://bugzilla.libsdl.org/show_bug.cgi?id=4499
Patches: https://hg.libsdl.org/SDL/rev/19d8c3b9c251
https://hg.libsdl.org/SDL/rev/07c39cbbeacf

> CVE-2019-7638 (https://nvd.nist.gov/vuln/detail/CVE-2019-7638):
>   SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a
>   heap-based buffer over-read in Map1toN in video/SDL_pixels.c.

Issue: https://bugzilla.libsdl.org/show_bug.cgi?id=4500
Patches: Same as CVE-2019-7636
Comment 5 John Helmert III gentoo-dev Security 2021-02-22 21:47:18 UTC
CVE-2019-13616:

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c.

Upstream issue: https://github.com/libsdl-org/SDL-1.2/issues/790
Patch: https://github.com/libsdl-org/SDL-1.2/commit/31a87d75f15c7acd9470fab9ceb129c0a255871f
Comment 6 Larry the Git Cow gentoo-dev 2021-03-06 08:52:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8a336de7c0ccd1263d27555be703dcfdfaa3d568

commit 8a336de7c0ccd1263d27555be703dcfdfaa3d568
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-03-03 17:32:46 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2021-03-06 08:52:11 +0000

    media-libs/libsdl: multiple CVEs v1.2.15_p20210224
    
    Bug: https://bugs.gentoo.org/772194
    Bug: https://bugs.gentoo.org/692388
    
    EAPI 7
    Bug: https://bugs.gentoo.org/774024
    
    Dropping older patches included in snapshot
    
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/19733
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 media-libs/libsdl/Manifest                         |   1 +
 .../libsdl/files/libsdl-1.2.15-sdl-config.patch    |   4 +-
 media-libs/libsdl/libsdl-1.2.15_p20210224.ebuild   | 139 +++++++++++++++++++++
 3 files changed, 142 insertions(+), 2 deletions(-)
Comment 7 Sam James archtester gentoo-dev Security 2021-05-16 07:57:14 UTC
I guess it's ready, but let's be slow to clean up in case of regressions.
Comment 8 Sam James archtester gentoo-dev Security 2021-05-16 18:53:40 UTC
x86 done
Comment 9 Sam James archtester gentoo-dev Security 2021-05-16 18:55:16 UTC
amd64 done
Comment 10 Sam James archtester gentoo-dev Security 2021-05-16 18:56:43 UTC
arm done
Comment 11 Sam James archtester gentoo-dev Security 2021-05-17 01:10:21 UTC
ppc done
Comment 12 Sam James archtester gentoo-dev Security 2021-05-17 01:11:16 UTC
ppc64 done
Comment 13 Agostino Sarubbo gentoo-dev 2021-05-17 09:01:09 UTC
sparc stable
Comment 14 Sam James archtester gentoo-dev Security 2021-05-19 17:26:18 UTC
arm64 done

all arches done
Comment 15 John Helmert III gentoo-dev Security 2021-05-20 21:52:30 UTC
Please cleanup, thanks!
Comment 16 Larry the Git Cow gentoo-dev 2021-07-25 01:36:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=74e12610ae4c66545f127e400e0a08bd7bc5a0d0

commit 74e12610ae4c66545f127e400e0a08bd7bc5a0d0
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2021-07-25 00:43:10 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2021-07-25 01:35:09 +0000

    media-libs/libsdl: drop vulnerable 1.2.15-r9
    
    Bug: https://bugs.gentoo.org/692388
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 media-libs/libsdl/Manifest                         |   1 -
 .../files/libsdl-1.2.15-SDL_EnableUNICODE.patch    |  47 -------
 .../libsdl/files/libsdl-1.2.15-bsd-joystick.patch  |  28 -----
 media-libs/libsdl/files/libsdl-1.2.15-caca.patch   |  26 ----
 .../libsdl/files/libsdl-1.2.15-const-xdata32.patch |  58 ---------
 .../libsdl/files/libsdl-1.2.15-joystick.patch      |  13 --
 .../libsdl/files/libsdl-1.2.15-resizing.patch      |  60 ---------
 media-libs/libsdl/libsdl-1.2.15-r9.ebuild          | 135 ---------------------
 8 files changed, 368 deletions(-)