Bug 861809 (CVE-2022-34568) - <media-libs/libsdl-1.2.15_p20221103: use after free via SDL_x11yuv
Summary: <media-libs/libsdl-1.2.15_p20221103: use after free via SDL_x11yuv
Status: IN_PROGRESS
Alias: CVE-2022-34568
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/libsdl-org/SDL-1.2...
Whiteboard: B2 [glsa cleanup]
Keywords:
Depends on: 886195
Blocks:
Reported: 2022-07-29 05:37 UTC by John Helmert III
Modified: 2023-01-25 21:12 UTC

See Also:
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-29 05:37:40 UTC
CVE-2022-34568:

SDL v1.2 was discovered to contain a use-after-free via the XFree function at /src/video/x11/SDL_x11yuv.c.

Is sdl2 affected?
Comment 1 genBTC 2022-08-17 22:57:33 UTC
They have a supposed fix for this in version 1.2.
Patch: https://github.com/libsdl-org/SDL-1.2/commit/d7e00208738a0bc6af302723fe64908ac35b777b.patch

Upstream: https://github.com/libsdl-org/SDL-1.2/issues/863
Debian: https://security-tracker.debian.org/tracker/CVE-2022-34568

After reviewing the code, this does not affect SDL2.
The code involving "XFree" is nothing alike, and the file src/video/x11/SDL_x11yuv.c is not even in existence.
https://github.com/libsdl-org/SDL/tree/main/src/video/x11

As for SDL 1.2 - We should be able to apply that simple one line patch from #863 to our media-libs/libsdl-1.2.15-20210224 release, or release a new ~2022 version to account for a year and a half now of upstream changes, including this CVE fix, but that may be more work.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-11-18 05:51:29 UTC
(In reply to genBTC from comment #1)
> They have a supposed fix for this in version 1.2.
> Patch:
> https://github.com/libsdl-org/SDL-1.2/commit/
> d7e00208738a0bc6af302723fe64908ac35b777b.patch
> 
> Upstream: https://github.com/libsdl-org/SDL-1.2/issues/863
> Debian: https://security-tracker.debian.org/tracker/CVE-2022-34568
> 
> After reviewing the code, this does not affect SDL2.
> The code involving "XFree" is nothing alike, and the file
> src/video/x11/SDL_x11yuv.c is not even in existence.
> https://github.com/libsdl-org/SDL/tree/main/src/video/x11
> 
> As for SDL 1.2 - We should be able to apply that simple one line patch from
> #863 to our media-libs/libsdl-1.2.15-20210224 release, or release a new
> ~2022 version to account for a year and a half now of upstream changes,
> including this CVE fix but that may be more work.

Thanks!
Comment 3 Larry the Git Cow gentoo-dev 2022-11-18 05:52:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=422f2c3137696cea2c977b3c95eaf3d1855da30b

commit 422f2c3137696cea2c977b3c95eaf3d1855da30b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-11-18 05:51:41 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-11-18 05:51:41 +0000

    media-libs/libsdl: add 1.2.15_p20221103
    
    Bug: https://bugs.gentoo.org/861809
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/libsdl/Manifest                       |   1 +
 media-libs/libsdl/libsdl-1.2.15_p20221103.ebuild | 166 +++++++++++++++++++++++
 2 files changed, 167 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-25 21:12:39 UTC
GLSA request filed