openSUSE Security Update: Security update for SDL2 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2019:1261-1 Rating: moderate References: #1124799 #1124800 #1124802 #1124803 #1124805 #1124806 #1124824 #1124825 #1124826 #1124827 #1125099 Cross-References: CVE-2019-7572 CVE-2019-7573 CVE-2019-7574 CVE-2019-7575 CVE-2019-7576 CVE-2019-7577 CVE-2019-7578 CVE-2019-7635 CVE-2019-7636 CVE-2019-7637 CVE-2019-7638 Affected Products: openSUSE Leap 15.0 ______________________________________________________________________________ An update that fixes 11 vulnerabilities is now available. Description: This update for SDL2 fixes the following issues: Security issues fixed: - CVE-2019-7572: Fixed a buffer over-read in IMA_ADPCM_nibble in audio/SDL_wave.c.(bsc#1124806). - CVE-2019-7578: Fixed a heap-based buffer over-read in InitIMA_ADPCM in audio/SDL_wave.c (bsc#1125099). - CVE-2019-7576: Fixed heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (bsc#1124799). - CVE-2019-7573: Fixed a heap-based buffer over-read in InitMS_ADPCM in audio/SDL_wave.c (bsc#1124805). - CVE-2019-7635: Fixed a heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c. (bsc#1124827). - CVE-2019-7636: Fixed a heap-based buffer over-read in SDL_GetRGB in video/SDL_pixels.c (bsc#1124826). - CVE-2019-7638: Fixed a heap-based buffer over-read in Map1toN in video/SDL_pixels.c (bsc#1124824). - CVE-2019-7574: Fixed a heap-based buffer over-read in IMA_ADPCM_decode in audio/SDL_wave.c (bsc#1124803). - CVE-2019-7575: Fixed a heap-based buffer overflow in MS_ADPCM_decode in audio/SDL_wave.c (bsc#1124802). - CVE-2019-7637: Fixed a heap-based buffer overflow in SDL_FillRect function in SDL_surface.c (bsc#1124825). - CVE-2019-7577: Fixed a buffer over read in SDL_LoadWAV_RW in audio/SDL_wave.c (bsc#1124800). This update was imported from the SUSE:SLE-15:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.0: zypper in -t patch openSUSE-2019-1261=1 Package List: - openSUSE Leap 15.0 (i586 x86_64): SDL2-debugsource-2.0.8-lp150.2.3.1 libSDL2-2_0-0-2.0.8-lp150.2.3.1 libSDL2-2_0-0-debuginfo-2.0.8-lp150.2.3.1 libSDL2-devel-2.0.8-lp150.2.3.1 - openSUSE Leap 15.0 (x86_64): libSDL2-2_0-0-32bit-2.0.8-lp150.2.3.1 libSDL2-2_0-0-32bit-debuginfo-2.0.8-lp150.2.3.1 libSDL2-devel-32bit-2.0.8-lp150.2.3.1 References: https://www.suse.com/security/cve/CVE-2019-7572.html https://www.suse.com/security/cve/CVE-2019-7573.html https://www.suse.com/security/cve/CVE-2019-7574.html https://www.suse.com/security/cve/CVE-2019-7575.html https://www.suse.com/security/cve/CVE-2019-7576.html https://www.suse.com/security/cve/CVE-2019-7577.html https://www.suse.com/security/cve/CVE-2019-7578.html https://www.suse.com/security/cve/CVE-2019-7635.html https://www.suse.com/security/cve/CVE-2019-7636.html https://www.suse.com/security/cve/CVE-2019-7637.html https://www.suse.com/security/cve/CVE-2019-7638.html https://bugzilla.suse.com/1124799 https://bugzilla.suse.com/1124800 https://bugzilla.suse.com/1124802 https://bugzilla.suse.com/1124803 https://bugzilla.suse.com/1124805 https://bugzilla.suse.com/1124806 https://bugzilla.suse.com/1124824 https://bugzilla.suse.com/1124825 https://bugzilla.suse.com/1124826 https://bugzilla.suse.com/1124827 https://bugzilla.suse.com/1125099 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org