-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: SDL security update
Advisory ID:       RHSA-2020:4627-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4627
Issue date:        2020-11-03
CVE Names:         CVE-2019-7572 CVE-2019-7573 CVE-2019-7574 
                   CVE-2019-7575 CVE-2019-7576 CVE-2019-7577 
                   CVE-2019-7578 CVE-2019-7635 CVE-2019-7636 
                   CVE-2019-7637 CVE-2019-7638 
====================================================================
1. Summary:

An update for SDL is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Simple DirectMedia Layer (SDL) is a cross-platform multimedia library
designed to provide fast access to the graphics frame buffer and audio
device.

Security Fix(es):

* SDL: buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c
(CVE-2019-7572)

* SDL: heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c
(CVE-2019-7575)

* SDL: heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c
(CVE-2019-7636)

* SDL: heap-based buffer overflow in SDL_FillRect in video/SDL_surface.c
(CVE-2019-7637)

* SDL: heap-based buffer over-read in Map1toN in video/SDL_pixels.c
(CVE-2019-7638)

* SDL: heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c
(CVE-2019-7573)

* SDL: heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c
(CVE-2019-7574)

* SDL: heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c
(CVE-2019-7576)

* SDL: buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c
(CVE-2019-7577)

* SDL: heap-based buffer over-read in InitIMA_ADPCM in audio/SDL_wave.c
(CVE-2019-7578)

* SDL: heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c
(CVE-2019-7635)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.3 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1676509 - CVE-2019-7577 SDL: buffer over-read in SDL_LoadWAV_RW in audio/SDL_wave.c
1676743 - CVE-2019-7575 SDL: heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c
1676749 - CVE-2019-7574 SDL: heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c
1676751 - CVE-2019-7573 SDL: heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c
1676753 - CVE-2019-7572 SDL: buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c
1676755 - CVE-2019-7576 SDL: heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c
1676781 - CVE-2019-7578 SDL: heap-based buffer over-read in InitIMA_ADPCM in audio/SDL_wave.c
1677143 - CVE-2019-7638 SDL: heap-based buffer over-read in Map1toN in video/SDL_pixels.c
1677151 - CVE-2019-7637 SDL: heap-based buffer overflow in SDL_FillRect in video/SDL_surface.c
1677156 - CVE-2019-7636 SDL: heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c
1677158 - CVE-2019-7635 SDL: heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
SDL-1.2.15-38.el8.src.rpm

aarch64:
SDL-1.2.15-38.el8.aarch64.rpm
SDL-debuginfo-1.2.15-38.el8.aarch64.rpm
SDL-debugsource-1.2.15-38.el8.aarch64.rpm
SDL-devel-1.2.15-38.el8.aarch64.rpm

ppc64le:
SDL-1.2.15-38.el8.ppc64le.rpm
SDL-debuginfo-1.2.15-38.el8.ppc64le.rpm
SDL-debugsource-1.2.15-38.el8.ppc64le.rpm
SDL-devel-1.2.15-38.el8.ppc64le.rpm

s390x:
SDL-1.2.15-38.el8.s390x.rpm
SDL-debuginfo-1.2.15-38.el8.s390x.rpm
SDL-debugsource-1.2.15-38.el8.s390x.rpm
SDL-devel-1.2.15-38.el8.s390x.rpm

x86_64:
SDL-1.2.15-38.el8.i686.rpm
SDL-1.2.15-38.el8.x86_64.rpm
SDL-debuginfo-1.2.15-38.el8.i686.rpm
SDL-debuginfo-1.2.15-38.el8.x86_64.rpm
SDL-debugsource-1.2.15-38.el8.i686.rpm
SDL-debugsource-1.2.15-38.el8.x86_64.rpm
SDL-devel-1.2.15-38.el8.i686.rpm
SDL-devel-1.2.15-38.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
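An added check, not part of the advisory: it reports whether the installed SDL packages are at or above the fixed build SDL-1.2.15-38.el8 from the Package List above. It assumes `rpm` is present on the host for the live check, and its version comparison is a simplified numeric field compare, not rpm's full rpmvercmp.

```shell
#!/bin/sh
# Added example, not part of the advisory: report whether the installed SDL
# packages are at or above the fixed build SDL-1.2.15-38.el8 listed above.

FIXED_VER="1.2.15"   # from the Package List
FIXED_REL="38.el8"

# vercmp A B: prints -1, 0 or 1 comparing dot-separated fields numerically.
# Non-numeric fields (e.g. "el8") compare as equal. This is a simplified
# stand-in for rpm's rpmvercmp, adequate for the 1.2.15-NN.el8 builds here.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa="${a%%.*}"; fb="${b%%.*}"
        if [ "$a" = "$fa" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$fb" ]; then b=""; else b="${b#*.}"; fi
        fa="${fa:-0}"; fb="${fb:-0}"
        if [ "$fa" -gt "$fb" ] 2>/dev/null; then printf '%s\n' 1; return; fi
        if [ "$fa" -lt "$fb" ] 2>/dev/null; then printf '%s\n' -1; return; fi
    done
    printf '%s\n' 0
}

# sdl_status VERSION-RELEASE: prints "fixed" or "vulnerable" for one
# installed build, given e.g. the string "1.2.15-37.el8".
sdl_status() {
    ver="${1%%-*}"; rel="${1#*-}"
    v=$(vercmp "$ver" "$FIXED_VER")
    if [ "$v" -gt 0 ]; then echo fixed; return; fi
    if [ "$v" -lt 0 ]; then echo vulnerable; return; fi
    # Same upstream version: the Red Hat release number decides.
    if [ "$(vercmp "$rel" "$FIXED_REL")" -ge 0 ]; then echo fixed; else echo vulnerable; fi
}

# Live check of the binary packages named in this advisory. Skipped when
# rpm is absent or the package is not installed. Multilib hosts may carry
# both i686 and x86_64 builds, hence the inner loop.
check_installed() {
    for pkg in SDL SDL-devel; do
        if vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg" 2>/dev/null); then
            for one in $vr; do
                printf '%s-%s: %s\n' "$pkg" "$one" "$(sdl_status "$one")"
            done
        fi
    done
}

check_installed
```

Before installing downloaded RPMs, the signature check described above is `rpm -K SDL-1.2.15-38.el8.x86_64.rpm` with the Red Hat key imported.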

7. References:

https://access.redhat.com/security/cve/CVE-2019-7572
https://access.redhat.com/security/cve/CVE-2019-7573
https://access.redhat.com/security/cve/CVE-2019-7574
https://access.redhat.com/security/cve/CVE-2019-7575
https://access.redhat.com/security/cve/CVE-2019-7576
https://access.redhat.com/security/cve/CVE-2019-7577
https://access.redhat.com/security/cve/CVE-2019-7578
https://access.redhat.com/security/cve/CVE-2019-7635
https://access.redhat.com/security/cve/CVE-2019-7636
https://access.redhat.com/security/cve/CVE-2019-7637
https://access.redhat.com/security/cve/CVE-2019-7638
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
