Subject: [ASA-201908-5] sdl2: arbitrary code execution Arch Linux Security Advisory ASA-201908-5 ========================================= Severity: High Date : 2019-08-05 CVE-ID : CVE-2019-7572 CVE-2019-7573 CVE-2019-7574 CVE-2019-7575 CVE-2019-7576 CVE-2019-7577 CVE-2019-7578 CVE-2019-7635 CVE-2019-7636 CVE-2019-7638 Package : sdl2 Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-891 Summary ======= The package sdl2 before version 2.0.10-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 2.0.10-1. # pacman -Syu "sdl2>=2.0.10-1" The problems have been fixed upstream in version 2.0.10. Workaround ========== None. Description =========== - CVE-2019-7572 (arbitrary code execution) SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c. - CVE-2019-7573 (arbitrary code execution) SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (inside the wNumCoef loop). - CVE-2019-7574 (arbitrary code execution) SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c. - CVE-2019-7575 (arbitrary code execution) SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c. - CVE-2019-7576 (arbitrary code execution) SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (outside the wNumCoef loop). - CVE-2019-7577 (arbitrary code execution) SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c. - CVE-2019-7578 (arbitrary code execution) SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in InitIMA_ADPCM in audio/SDL_wave.c. - CVE-2019-7635 (arbitrary code execution) SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c. - CVE-2019-7636 (arbitrary code execution) SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c. - CVE-2019-7638 (arbitrary code execution) SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in Map1toN in video/SDL_pixels.c. Impact ====== An attacker can execute arbitrary code on the affected host via a crafted audio or video file. References ========== https://bugzilla.libsdl.org/show_bug.cgi?id=4495 https://discourse.libsdl.org/t/vulnerabilities-found-in-libsdl-1-2-15-and-sdl2/25720 https://hg.libsdl.org/SDL/rev/e52413f52586 https://hg.libsdl.org/SDL/rev/a8afedbcaea0 https://bugzilla.libsdl.org/show_bug.cgi?id=4491 https://hg.libsdl.org/SDL/rev/388987dff7bf https://hg.libsdl.org/SDL/rev/f9a9d6c76b21 https://bugzilla.libsdl.org/show_bug.cgi?id=4496 https://hg.libsdl.org/SDL/rev/a6e3d2f5183e https://bugzilla.libsdl.org/show_bug.cgi?id=4493 https://hg.libsdl.org/SDL/rev/a936f9bd3e38 https://bugzilla.libsdl.org/show_bug.cgi?id=4490 https://bugzilla.libsdl.org/show_bug.cgi?id=4492 https://hg.libsdl.org/SDL/rev/faf9abbcfb5f https://hg.libsdl.org/SDL/rev/416136310b88 https://bugzilla.libsdl.org/show_bug.cgi?id=4494 https://bugzilla.libsdl.org/show_bug.cgi?id=4498 https://hg.libsdl.org/SDL/rev/7c643f1c1887 https://hg.libsdl.org/SDL/rev/f1f5878be5db https://bugzilla.libsdl.org/show_bug.cgi?id=4499 https://hg.libsdl.org/SDL/rev/19d8c3b9c251 https://hg.libsdl.org/SDL/rev/07c39cbbeacf https://bugzilla.libsdl.org/show_bug.cgi?id=4500 https://security.archlinux.org/CVE-2019-7572 https://security.archlinux.org/CVE-2019-7573 https://security.archlinux.org/CVE-2019-7574 https://security.archlinux.org/CVE-2019-7575 https://security.archlinux.org/CVE-2019-7576 https://security.archlinux.org/CVE-2019-7577 https://security.archlinux.org/CVE-2019-7578 https://security.archlinux.org/CVE-2019-7635 https://security.archlinux.org/CVE-2019-7636 https://security.archlinux.org/CVE-2019-7638