libsdl1.2: Multiple security issues

Debian Bug report logs - #924609


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Thu, 14 Mar 2019 21:36:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions libsdl1.2/1.2.15+dfsg1-4, libsdl1.2/1.2.15+dfsg2-4





Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>:
Bug#924609; Package src:libsdl1.2. (Thu, 14 Mar 2019 21:36:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. (Thu, 14 Mar 2019 21:36:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libsdl1.2: Multiple security issues
Date: Thu, 14 Mar 2019 22:32:28 +0100
Source: libsdl1.2
Severity: grave
Tags: security

Hi,
a number of security issues were found in SDL; please see the following
links for references.

https://security-tracker.debian.org/tracker/CVE-2019-7638
https://security-tracker.debian.org/tracker/CVE-2019-7637
https://security-tracker.debian.org/tracker/CVE-2019-7636
https://security-tracker.debian.org/tracker/CVE-2019-7635
https://security-tracker.debian.org/tracker/CVE-2019-7578
https://security-tracker.debian.org/tracker/CVE-2019-7577
https://security-tracker.debian.org/tracker/CVE-2019-7576
https://security-tracker.debian.org/tracker/CVE-2019-7575
https://security-tracker.debian.org/tracker/CVE-2019-7574
https://security-tracker.debian.org/tracker/CVE-2019-7573
https://security-tracker.debian.org/tracker/CVE-2019-7572

Some bugs have links to upstream fixes, I think we can go ahead and
merge those. The others have proposed patches, but let's not rush
any upload and wait until these are properly reviewed/merged by
upstream.

Cheers,
        Moritz



Marked as found in versions libsdl1.2/1.2.15+dfsg2-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 14 Mar 2019 22:33:03 GMT)


Marked as found in versions libsdl1.2/1.2.15+dfsg1-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 14 Mar 2019 22:33:03 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 14 Mar 2019 22:33:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>:
Bug#924609; Package src:libsdl1.2. (Wed, 24 Apr 2019 16:24:02 GMT)


Acknowledgement sent to Kari Pahula <kaol@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. (Wed, 24 Apr 2019 16:24:02 GMT)


Message #16 received at 924609@bugs.debian.org:

From: Kari Pahula <kaol@debian.org>
To: 924609@bugs.debian.org
Subject: Ports of CVE patches from Debian LTS for libsdl1.2
Date: Wed, 24 Apr 2019 19:15:44 +0300
Hi.

I've ported the CVE patches from Debian LTS for libsdl1.2 in unstable.
[libsdl1.2-0001-Port-patches-from-Debian-LTS-release-for-CVE-bugs.patch (text/x-diff, attachment)]

Added tag(s) patch. Request was from Kari Pahula <kaol@debian.org> to control@bugs.debian.org. (Wed, 24 Apr 2019 16:27:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>:
Bug#924609; Package src:libsdl1.2. (Wed, 24 Apr 2019 19:36:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. (Wed, 24 Apr 2019 19:36:02 GMT)


Message #23 received at 924609@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Kari Pahula <kaol@debian.org>
Cc: 924609@bugs.debian.org, 924610@bugs.debian.org, jmm@debian.org, team@security.debian.org
Subject: Re: Bug#924609: Ports of CVE patches from Debian LTS for libsdl1.2
Date: Wed, 24 Apr 2019 21:33:55 +0200
Hi Kari,

On Wed, Apr 24, 2019 at 07:15:44PM +0300, Kari Pahula wrote:
> Hi.
> 
> I've ported the CVE patches from Debian LTS for libsdl1.2 in unstable.

First thanks for working on the issues!

I have not reviewed your patches, but just a remark. Never just
forward-port a patchset from an older suite to newer (although the
version is identical here).

Furthermore, as Moritz pointed out, at the time of writing the bug report
only some of the bugs got patches, but not all were merged upstream;
several of the CVEs later got upstream patches rather than the
previously linked ones from the bugzilla.  We should base the upload
on the current upstream patches, which by now should be complete
(but double check the updated references in the security-tracker).

Regards,
Salvatore
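The check Salvatore asks for above, "double check the updated references in the security-tracker", can be done mechanically before an upload. The script below is an added example written for this page; it is not code from the bug report, from SDL, or from the Debian security team. It assumes the layout of the tracker's JSON export at https://security-tracker.debian.org/tracker/data/json (source package, then CVE id, then a per-suite entry with a "status" and optional "fixed_version"), and it embeds a constructed sample export whose statuses and version strings are made up so that it runs offline and does not describe the real state of any CVE:

```python
"""Report the fix status of a list of CVEs for one source package, using
the Debian security tracker's JSON export.

Added example, not code from the bug report, SDL or the Debian security
team. Assumes the export layout
  {source package: {CVE id: {"releases": {suite: {"status": ...,
                                                  "fixed_version": ...}}}}}
as published at https://security-tracker.debian.org/tracker/data/json.
The sample export below is CONSTRUCTED: its statuses and versions are
made up for illustration.
"""
import json
import sys
import urllib.request

TRACKER_URL = "https://security-tracker.debian.org/tracker/data/json"
PACKAGE = "libsdl1.2"

# The CVE ids listed in the bug report.
CVES = [
    "CVE-2019-7572", "CVE-2019-7573", "CVE-2019-7574", "CVE-2019-7575",
    "CVE-2019-7576", "CVE-2019-7577", "CVE-2019-7578", "CVE-2019-7635",
    "CVE-2019-7636", "CVE-2019-7637", "CVE-2019-7638",
]


def _entry(status, fixed=None):
    """Build one constructed per-CVE record for the 'sid' suite."""
    rel = {"status": status}
    if fixed:
        rel["fixed_version"] = fixed
    return {"releases": {"sid": rel}}


# Constructed sample export (statuses and the version string are made up).
SAMPLE_EXPORT = {
    PACKAGE: {
        "CVE-2019-7572": _entry("resolved", "1.2.15+dfsg2-99"),
        "CVE-2019-7573": _entry("resolved", "1.2.15+dfsg2-99"),
        "CVE-2019-7574": _entry("open"),
        "CVE-2019-7575": _entry("open"),
        "CVE-2019-7576": _entry("resolved", "1.2.15+dfsg2-99"),
        "CVE-2019-7577": _entry("open"),
        "CVE-2019-7578": _entry("resolved", "1.2.15+dfsg2-99"),
        "CVE-2019-7635": _entry("resolved", "1.2.15+dfsg2-99"),
        "CVE-2019-7636": _entry("open"),
        "CVE-2019-7637": _entry("open"),
        # CVE-2019-7638 is deliberately absent to exercise the 'not-listed' case.
    }
}


def cve_status(export, package, cves, suite="sid"):
    """Map each CVE to 'resolved', 'open', or 'not-listed'.

    'not-listed' means the export has no record of that CVE against the
    package for the suite; treat it as needing a manual look, never as
    fixed.
    """
    pkg = export.get(package, {})
    result = {}
    for cve in cves:
        rel = pkg.get(cve, {}).get("releases", {}).get(suite)
        if rel is None:
            result[cve] = "not-listed"
        else:
            result[cve] = rel.get("status", "unknown")
    return result


def unresolved(export, package, cves, suite="sid"):
    """CVEs not marked resolved in the suite: the set that still blocks an upload."""
    statuses = cve_status(export, package, cves, suite)
    return sorted(cve for cve, status in statuses.items() if status != "resolved")


def load_export(path=None):
    """Load a saved export from disk, or fetch the live one when no path is given."""
    if path:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    with urllib.request.urlopen(TRACKER_URL, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # With a file argument, read a real export; otherwise use the constructed sample.
    export = load_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for cve, status in cve_status(export, PACKAGE, CVES).items():
        print(f"{cve}\t{status}")
    blocking = unresolved(export, PACKAGE, CVES)
    print(f"{len(blocking)} of {len(CVES)} not resolved in sid: "
          f"{', '.join(blocking) or 'none'}")
```

Run it with no argument to see the constructed sample, or pass the path of a downloaded copy of the tracker's JSON export to check the real status; the point of the 'not-listed' case is that a CVE missing from the export is a reason to look at the tracker by hand, not evidence that it is fixed.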



Information forwarded to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>:
Bug#924609; Package src:libsdl1.2. (Mon, 29 Apr 2019 15:27:03 GMT)


Acknowledgement sent to Felix Geyer <fgeyer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. (Mon, 29 Apr 2019 15:27:03 GMT)


Message #28 received at 924609@bugs.debian.org:

From: Felix Geyer <fgeyer@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 924610@bugs.debian.org, Kari Pahula <kaol@debian.org>
Cc: jmm@debian.org, team@security.debian.org, 924609@bugs.debian.org
Subject: Re: Bug#924610: Bug#924609: Ports of CVE patches from Debian LTS for libsdl1.2
Date: Mon, 29 Apr 2019 16:56:27 +0200
Hi,

On 24.04.19 21:33, Salvatore Bonaccorso wrote:
> Hi Kari,
>
> On Wed, Apr 24, 2019 at 07:15:44PM +0300, Kari Pahula wrote:
>> Hi.
>>
>> I've ported the CVE patches from Debian LTS for libsdl1.2 in unstable.
> First thanks for working on the issues!
>
> I have not reviewed your patches, but just a remark. Never just
> forward-port a patchset from an older suite to newer (although the
> version is identical here).
>
> Furthermore, as Moritz pointed out, at the time of writing the bug report
> only some of the bugs got patches, but not all were merged upstream;
> several of the CVEs later got upstream patches rather than the
> previously linked ones from the bugzilla.  We should base the upload
> on the current upstream patches, which by now should be complete
> (but double check the updated references in the security-tracker).


Unfortunately there are still some bug reports without merged fixes.
I've kept the Debian security tracker up-to-date in this regard
(the CVEs with committed patches have a link to them).

Felix




Information forwarded to debian-bugs-dist@lists.debian.org, Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>:
Bug#924609; Package src:libsdl1.2. (Mon, 29 Apr 2019 20:33:02 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian SDL packages maintainers <pkg-sdl-maintainers@lists.alioth.debian.org>. (Mon, 29 Apr 2019 20:33:03 GMT)


Message #33 received at 924609@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Felix Geyer <fgeyer@debian.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 924610@bugs.debian.org, Kari Pahula <kaol@debian.org>, team@security.debian.org, 924609@bugs.debian.org
Subject: Re: Bug#924610: Bug#924609: Ports of CVE patches from Debian LTS for libsdl1.2
Date: Mon, 29 Apr 2019 22:30:21 +0200
On Mon, Apr 29, 2019 at 04:56:27PM +0200, Felix Geyer wrote:
> Hi,
> 
> On 24.04.19 21:33, Salvatore Bonaccorso wrote:
> > Hi Kari,
> > 
> > On Wed, Apr 24, 2019 at 07:15:44PM +0300, Kari Pahula wrote:
> > > Hi.
> > > 
> > > I've ported the CVE patches from Debian LTS for libsdl1.2 in unstable.
> > First thanks for working on the issues!
> > 
> > I have not reviewed your patches, but just a remark. Never just
> > forward-port a patchset from an older suite to newer (although the
> > version is identical here).
> > 
> > Furthermore, as Moritz pointed out, at the time of writing the bug report
> > only some of the bugs got patches, but not all were merged upstream;
> > several of the CVEs later got upstream patches rather than the
> > previously linked ones from the bugzilla.  We should base the upload
> > on the current upstream patches, which by now should be complete
> > (but double check the updated references in the security-tracker).
> 
> 
> Unfortunately there are still some bug reports without merged fixes.
> I've kept the Debian security tracker up-to-date in this regard
> (the CVEs with committed patches have a link to them).

For sdl-image1.2 we can already go ahead with an unstable upload, right?
The only issue affecting it was merged.

Cheers,
        Moritz





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:07:03 2019; Machine Name: buxtehude
