CVE-2022-34568: SDL v1.2 was discovered to contain a use-after-free via the XFree function at /src/video/x11/SDL_x11yuv.c. Is sdl2 affected?
They have a supposed fix for this in version 1.2.
Patch: https://github.com/libsdl-org/SDL-1.2/commit/d7e00208738a0bc6af302723fe64908ac35b777b.patch

Upstream: https://github.com/libsdl-org/SDL-1.2/issues/863
Debian: https://security-tracker.debian.org/tracker/CVE-2022-34568

After reviewing the code, this does not affect SDL2.
The code involving "XFree" is nothing alike, and the file src/video/x11/SDL_x11yuv.c is not even in existence.
https://github.com/libsdl-org/SDL/tree/main/src/video/x11

As for SDL 1.2 - we should be able to apply that simple one line patch from #863 to our media-libs/libsdl-1.2.15-20210224 release, or release a new ~2022 version to account for a year and a half now of upstream changes, including this CVE fix, but that may be more work.
(In reply to genBTC from comment #1)
> They have a supposed fix for this in version 1.2.
> Patch:
> https://github.com/libsdl-org/SDL-1.2/commit/d7e00208738a0bc6af302723fe64908ac35b777b.patch
>
> Upstream: https://github.com/libsdl-org/SDL-1.2/issues/863
> Debian: https://security-tracker.debian.org/tracker/CVE-2022-34568
>
> After reviewing the code, this does not affect SDL2.
> The code involving "XFree" is nothing alike, and the file
> src/video/x11/SDL_x11yuv.c is not even in existence.
> https://github.com/libsdl-org/SDL/tree/main/src/video/x11
>
> As for SDL 1.2 - we should be able to apply that simple one line patch from
> #863 to our media-libs/libsdl-1.2.15-20210224 release, or release a new
> ~2022 version to account for a year and a half now of upstream changes,
> including this CVE fix, but that may be more work.

Thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=422f2c3137696cea2c977b3c95eaf3d1855da30b

commit 422f2c3137696cea2c977b3c95eaf3d1855da30b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-11-18 05:51:41 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-11-18 05:51:41 +0000

    media-libs/libsdl: add 1.2.15_p20221103

    Bug: https://bugs.gentoo.org/861809
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/libsdl/Manifest                       |   1 +
 media-libs/libsdl/libsdl-1.2.15_p20221103.ebuild | 166 +++++++++++++++++++++++
 2 files changed, 167 insertions(+)
GLSA request filed