CVE-2022-34568: SDL v1.2 was discovered to contain a use-after-free via the XFree function at /src/video/x11/SDL_x11yuv.c. Is sdl2 affected?
They have a supposed fix for this in version 1.2. Patch: https://github.com/libsdl-org/SDL-1.2/commit/d7e00208738a0bc6af302723fe64908ac35b777b.patch Upstream: https://github.com/libsdl-org/SDL-1.2/issues/863 Debian: https://security-tracker.debian.org/tracker/CVE-2022-34568 After reviewing the code, This does not affect SDL2. The code involving "XFree" is nothing alike, and the file src/video/x11/SDL_x11yuv.c is not even in existence. https://github.com/libsdl-org/SDL/tree/main/src/video/x11 As for SDL 1.2 - We should be able to apply that simple one line patch from #863 to our media-libs/libsdl-1.2.15-20210224 release, or release a new ~2022 version to account for a year and a half now of upstream changes, including this CVE fix but that may be more work.
(In reply to genBTC from comment #1) > They have a supposed fix for this in version 1.2. > Patch: > https://github.com/libsdl-org/SDL-1.2/commit/ > d7e00208738a0bc6af302723fe64908ac35b777b.patch > > Upstream: https://github.com/libsdl-org/SDL-1.2/issues/863 > Debian: https://security-tracker.debian.org/tracker/CVE-2022-34568 > > After reviewing the code, This does not affect SDL2. > The code involving "XFree" is nothing alike, and the file > src/video/x11/SDL_x11yuv.c is not even in existence. > https://github.com/libsdl-org/SDL/tree/main/src/video/x11 > > As for SDL 1.2 - We should be able to apply that simple one line patch from > #863 to our media-libs/libsdl-1.2.15-20210224 release, or release a new > ~2022 version to account for a year and a half now of upstream changes, > including this CVE fix but that may be more work. Thanks!
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=422f2c3137696cea2c977b3c95eaf3d1855da30b commit 422f2c3137696cea2c977b3c95eaf3d1855da30b Author: Sam James <sam@gentoo.org> AuthorDate: 2022-11-18 05:51:41 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-11-18 05:51:41 +0000 media-libs/libsdl: add 1.2.15_p20221103 Bug: https://bugs.gentoo.org/861809 Signed-off-by: Sam James <sam@gentoo.org> media-libs/libsdl/Manifest | 1 + media-libs/libsdl/libsdl-1.2.15_p20221103.ebuild | 166 +++++++++++++++++++++++ 2 files changed, 167 insertions(+)
GLSA request filed
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=dc3bc707b0c4671c9ae4a89a5b6777e764f0c3ad commit dc3bc707b0c4671c9ae4a89a5b6777e764f0c3ad Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2023-05-03 10:04:10 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-05-03 10:05:29 +0000 [ GLSA 202305-17 ] libsdl: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/692388 Bug: https://bugs.gentoo.org/836665 Bug: https://bugs.gentoo.org/861809 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Sam James <sam@gentoo.org> glsa-202305-17.xml | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b3b8e0793d95de99d8a67a96c3d6c7480fc72ad1 commit b3b8e0793d95de99d8a67a96c3d6c7480fc72ad1 Author: Sam James <sam@gentoo.org> AuthorDate: 2023-05-03 10:12:15 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-05-03 10:12:15 +0000 media-libs/libsdl: drop 1.2.15_p20210224, 1.2.15_p20221103 Bug: https://bugs.gentoo.org/861809 Signed-off-by: Sam James <sam@gentoo.org> media-libs/libsdl/Manifest | 2 - .../libsdl/files/libsdl-1.2.15-slibtool.patch | 56 ---- .../files/libsdl-1.2.15-strict-prototypes.patch | 316 --------------------- media-libs/libsdl/libsdl-1.2.15_p20210224.ebuild | 166 ----------- media-libs/libsdl/libsdl-1.2.15_p20221103.ebuild | 166 ----------- 5 files changed, 706 deletions(-)
