Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 690064 (CVE-2019-13626) - <media-libs/libsdl2-2.0.10: integer overflow in audio/SDL_wave.c
Summary: <media-libs/libsdl2-2.0.10: integer overflow in audio/SDL_wave.c
Status: CONFIRMED
Alias: CVE-2019-13626
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.libsdl.org/show_bug....
Whiteboard: B3 [stable glsa+ cve]
Keywords: STABLEREQ
Depends on:
Blocks: 692392
  Show dependency tree
 
Reported: 2019-07-17 16:22 UTC by D'juan McDonald (domhnall)
Modified: 2019-09-13 15:50 UTC (History)
2 users (show)

See Also:
Package list:
media-libs/libsdl2-2.0.10
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2019-07-17 16:22:08 UTC
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13626):

SDL (Simple DirectMedia Layer) 2.x through 2.0.9 has a heap-based buffer over-read in Fill_IMA_ADPCM_block, caused by an integer overflow in IMA_ADPCM_decode() in audio/SDL_wave.c.



Gentoo Security Padawan
(domhnall)
Comment 1 James Le Cuirot gentoo-dev 2019-07-17 20:16:45 UTC
The CVE links to https://bugzilla.libsdl.org/show_bug.cgi?id=4522 but the main issue is at https://bugzilla.libsdl.org/show_bug.cgi?id=3894. The patches are quite heavy and there's talk of a 2.0.10 release so I'll sit tight for the moment.
Comment 2 Lars Wendler (Polynomial-C) gentoo-dev 2019-07-26 15:05:58 UTC
commit 1ab804d7dfd299720ab731ce28d75c0e647b34b0
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Fri Jul 26 13:34:10 2019

    media-libs/libsdl2: Bump to version 2.0.10

    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-09-06 23:25:40 UTC
@arches, please stabilize.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-09-07 01:52:06 UTC
arm64 stable
Comment 5 Thomas Deutschmann gentoo-dev Security 2019-09-08 01:14:28 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-09-08 10:42:28 UTC
amd64 stable
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2019-09-08 17:47:13 UTC
This issue was resolved and addressed in
 GLSA 201909-07 at https://security.gentoo.org/glsa/201909-07
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 8 Thomas Deutschmann gentoo-dev Security 2019-09-08 17:48:31 UTC
Re-opening for remaining architectures.
Comment 9 Sergei Trofimovich gentoo-dev 2019-09-08 18:42:09 UTC
ia64/ppc/ppc64 stable
Comment 10 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-09-13 15:50:30 UTC
arm stable