ArchLinux: 201910-8 High: SDL Arbitrary Code Execution Advisory

Arch Linux Security Advisory ASA-201910-8
========================================
Severity: High
Date    : 2019-10-11
CVE-ID  : CVE-2019-7572 CVE-2019-7573 CVE-2019-7574 CVE-2019-7575
          CVE-2019-7576 CVE-2019-7577 CVE-2019-7578 CVE-2019-7635
          CVE-2019-7636 CVE-2019-7637 CVE-2019-7638 CVE-2019-13616
Package : sdl
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-890

Summary
======
The package sdl before version 1.2.15-13 is vulnerable to arbitrary
code execution.

Resolution
=========
Upgrade to 1.2.15-13.

# pacman -Syu "sdl>=1.2.15-13"

The problems have been fixed upstream but no release is available yet.

Workaround
=========
None.

Description
==========
- CVE-2019-7572 (arbitrary code execution)

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has
a buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c.

- CVE-2019-7573 (arbitrary code execution)

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has
a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c
(inside the wNumCoef loop).

- CVE-2019-7574 (arbitrary code execution)

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has
a heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c.

- CVE-2019-7575 (arbitrary code execution)

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has
a heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c.

- CVE-2019-7576 (arbitrary code execution)

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has
a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c
(outside the wNumCoef loop).

- CVE-2019-7577 (arbitrary code execution)

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has
a buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c.

- CVE-2019-7578 (arbitrary code execution)

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has
a heap-based buffer over-read in InitIMA_ADPCM in audio/SDL_wave.c.

- CVE-2019-7635 (arbitrary code execution)

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has
a heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c.

- CVE-2019-7636 (arbitrary code execution)

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has
a heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c.

- CVE-2019-7637 (arbitrary code execution)

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has
a heap-based buffer overflow in SDL_FillRect in video/SDL_surface.c.

- CVE-2019-7638 (arbitrary code execution)

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has
a heap-based buffer over-read in Map1toN in video/SDL_pixels.c.

- CVE-2019-13616 (arbitrary code execution)

A heap-based buffer overflow was discovered in SDL in the
SDL_BlitCopy() function, that was called while copying an existing
surface into a new optimized one, due to lack of validation while
loading a BMP image in the SDL_LoadBMP_RW() function. An application
that uses SDL to parse untrusted input files may be vulnerable to this
flaw, which could allow an attacker to make the application crash or
possibly execute code.

Impact
=====
An attacker can execute arbitrary code on the affected host via a
crafted audio, image or video file.

References
=========
https://github.com/libsdl-org/SDL/issues/3159
https://discourse.libsdl.org/t/vulnerabilities-found-in-libsdl-1-2-15-and-sdl2/25720
https://github.com/libsdl-org/SDL-1.2/commit/1ead4913fc2314a0ce5de06f29a20a8b0b0a5557
https://github.com/libsdl-org/SDL-1.2/commit/f22cbe4a3a2cd87392eec69bdcf2b4bd68b4507b
https://github.com/libsdl-org/SDL/issues/3155
https://github.com/libsdl-org/SDL-1.2/commit/c4a9f0080f928f40e826c49b2e8c057ec7843c2f
https://github.com/libsdl-org/SDL/commit/3f19a6d5e85c71df0fb2b4626b943457d38c2031
https://github.com/libsdl-org/SDL-1.2/issues/785
https://github.com/libsdl-org/SDL-1.2/commit/76871a1c52dc74b8ba2357b9d68c34d765ea9db3
https://github.com/libsdl-org/SDL/issues/3157
https://github.com/libsdl-org/SDL-1.2/commit/c68e0003d2f2b4e50bb1c4412af40c32f0b6396e
https://github.com/libsdl-org/SDL-1.2/issues/835
https://github.com/libsdl-org/SDL/issues/3156
https://github.com/libsdl-org/SDL-1.2/commit/82e503c2e026a8eee64e199c2648c296d924a5ab
https://github.com/libsdl-org/SDL/issues/3158
https://github.com/libsdl-org/SDL/issues/3160
https://github.com/libsdl-org/SDL/commit/8bc59f87ecb8d7cd1e47b8a6c2c30d9c58ecf7a7
https://github.com/libsdl-org/SDL-1.2/commit/32c57bf53b18dafb7298d6e9113632728e8fe1ba
https://github.com/libsdl-org/SDL/issues/3161
https://github.com/libsdl-org/SDL-1.2/commit/3c6f20586bb4ba074c73bb3e06d7123e57d4a226
https://github.com/libsdl-org/SDL/commit/ea4c4cfc28e19ec1fc7ae69a70f70943f7933b38
https://github.com/libsdl-org/SDL-1.2/issues/786
https://github.com/libsdl-org/SDL-1.2/commit/40d97bfe0e3dae1d6e5a91a46af1f15e8f967bc8
https://github.com/libsdl-org/SDL-1.2/issues/787
https://github.com/libsdl-org/SDL-1.2/issues/790
https://github.com/libsdl-org/SDL-1.2/commit/31a87d75f15c7acd9470fab9ceb129c0a255871f
https://security.archlinux.org/CVE-2019-7572
https://security.archlinux.org/CVE-2019-7573
https://security.archlinux.org/CVE-2019-7574
https://security.archlinux.org/CVE-2019-7575
https://security.archlinux.org/CVE-2019-7576
https://security.archlinux.org/CVE-2019-7577
https://security.archlinux.org/CVE-2019-7578
https://security.archlinux.org/CVE-2019-7635
https://security.archlinux.org/CVE-2019-7636
https://security.archlinux.org/CVE-2019-7637
https://security.archlinux.org/CVE-2019-7638
https://security.archlinux.org/CVE-2019-13616a