Summary: | <media-libs/sdl-mixer-1.2.12_p20221010: Off-by-one buffer overflow | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | IN_PROGRESS --- | ||
Severity: | minor | CC: | games |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/libsdl-org/SDL_mixer/issues/299 | ||
Whiteboard: | B3 [glsa?] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 883985 | ||
Bug Blocks: |
Description
Sam James
2021-02-17 21:27:25 UTC
Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. Package list is empty or all packages have requested keywords. @games can the version be bumped to latest (2.6.0) or are there specific dependencies that require version 1.2? In that case the patch should probably be pulled from upstream to fix the security issue. (In reply to 9ts641j2 from comment #7) > @games can the version be bumped to latest (2.6.0) or are there specific > dependencies that require version 1.2? In that case the patch should > probably be pulled from upstream to fix the security issue. No, I don't think sdl-mixer can be updated to 2.6.0. We keep sdl-1 around for compatibility with older things (plus 2 is already packaged as sdl2-mixer). While sdl12-compat exists as a SDL1 compatibility layer around SDL2, there is unfortunately no equivalent for SDL_mixer. Having said that, I believe the API is practically identical, and I did once have games-strategy/s25rttr running with SDL1 for the video and SDL2_mixer for the audio. I'm not aware of any issues with doing this, but it would probably be less controversial if you did it while using sdl12-compat. I have an ebuild ready to go, I just need to deal with a couple of corner case packages first. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=209e9244c663238ed56d0ca58c5b2a19e06bf6c8 commit 209e9244c663238ed56d0ca58c5b2a19e06bf6c8 Author: Sam James <sam@gentoo.org> AuthorDate: 2022-11-11 03:48:58 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-11-11 03:48:58 +0000 media-libs/sdl-mixer: add 1.2.12_p20221010 Upstream aren't making releases anymore (since a long time ago!) for the 1.2.x branch but are kindly doing backports, so let's make a snapshot. Fixes a substantial number of warnings, build system quirks, and even a security bug. What a bargain! Bug: https://bugs.gentoo.org/771168 Closes: https://bugs.gentoo.org/729740 Closes: https://bugs.gentoo.org/880619 Signed-off-by: Sam James <sam@gentoo.org> media-libs/sdl-mixer/Manifest | 1 + .../sdl-mixer/sdl-mixer-1.2.12_p20221010.ebuild | 116 +++++++++++++++++++++ 2 files changed, 117 insertions(+) commit 6fcf95a555e9350936385713443c8abb778033d5 Author: Sam James <sam@gentoo.org> Date: Fri Dec 16 04:44:34 2022 +0000 media-libs/sdl-mixer: drop 1.2.12-r5, 1.2.12-r7 Signed-off-by: Sam James <sam@gentoo.org> |