Bug 1747237 (CVE-2019-13616)
| Summary: | CVE-2019-13616 SDL: heap-based buffer overflow in SDL blit functions in video/SDL_blit*.c | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | dingyichen, erik-fedora, igor.raits, klember, maci, ppisar, rschiron, rtillery, tcallawa, wtaymans |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A heap-based buffer overflow was discovered in SDL in the SDL_BlitCopy() function, that was called while copying an existing surface into a new optimized one, due to lack of validation while loading a BMP image in the SDL_LoadBMP_RW() function. An application that uses SDL to parse untrusted input files may be vulnerable to this flaw, which could allow an attacker to make the application crash or possibly execute code. | Story Points: | --- |
| Last Closed: | 2019-11-25 19:04:50 UTC | Type: | --- |
| Bug Depends On: | 1747238, 1754006, 1754007, 1754008, 1754009, 1756276, 1756277, 1756278, 1756279, 1756280, 1756281, 1759029, 1773498 | ||
| Bug Blocks: | 1747239 | ||
Description
Pedro Sampaio
2019-08-30 00:38:38 UTC
Created SDL tracking bugs for this issue:

Affects: fedora-all [bug 1747238]

Please note that the affected code also exists in SDL_image-1.2.12 package as linked in the upstream bug report.

Upstream patches:
https://hg.libsdl.org/SDL/rev/e7ba650a643a [SDL2]
https://hg.libsdl.org/SDL/rev/ad1bbfbca760 [SDL-1.2]
https://hg.libsdl.org/SDL_image/rev/a59bfe382008 [SDL_Image]

Created SDL2 tracking bugs for this issue:

Affects: epel-7 [bug 1754006]
Affects: fedora-all [bug 1754008]

Created mingw-SDL2 tracking bugs for this issue:

Affects: epel-7 [bug 1754007]
Affects: fedora-all [bug 1754009]

Function SDL_LoadBMP_RW() in SDL_bmp.c does not properly validate images, thus it is possible for the width of the BMP to be negative and cause a heap-based buffer overflow in function SDL_BlitCopy() in SDL_blit.c, called e.g. during function SDL_ConvertSurface(). Function SDL_BlitCopy() copies bytes from a src buffer to a destination one and it uses the width of the image to compute the number of bytes to copy. The same issue is present in other functions like BlitNtoN() and similar. An attacker who can provide a malicious image to an application that uses SDL to parse BMP files could use this flaw to make the application crash or possibly execute code.

Mitigation:

If the application accepts untrusted BMP files there is no known mitigation apart from applying the patch.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2019:3951 https://access.redhat.com/errata/RHSA-2019:3951

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2019:3950 https://access.redhat.com/errata/RHSA-2019:3950

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-13616

This CVE was not fixed via RHSA-2019:3950 https://access.redhat.com/errata/RHSA-2019:3950 in Red Hat Enterprise Linux 7 as claimed. A new CVE, CVE-2019-14906, has been assigned to address this issue.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0293 https://access.redhat.com/errata/RHSA-2020:0293
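The validation gap described in this bug, as an added C example that is neither SDL's code nor the upstream patch: a pre-load check an application could run on a BMP header before handing the file to a loader, plus a helper showing why a negative width turns into an enormous copy length. The function names, the `max_dim` cap and the sample header builder are hypothetical; the check assumes a BITMAPINFOHEADER-style header.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Little-endian readers for BMP header fields. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Length a row copy would request if a signed width were multiplied by
   bytes-per-pixel and passed on as a size_t without a range check. */
size_t unchecked_row_bytes(int32_t width, unsigned bytes_pp) {
    return (size_t)((int64_t)width * (int64_t)bytes_pp);
}

/* Hypothetical pre-load check: 0 if the header describes usable dimensions,
   negative otherwise. Assumes a DIB header of at least 40 bytes. */
int bmp_dims_ok(const uint8_t *buf, size_t len, int32_t max_dim) {
    if (len < 54 || buf[0] != 'B' || buf[1] != 'M' || le32(buf + 14) < 40)
        return -1;                          /* not a header we can judge */
    int32_t w = (int32_t)le32(buf + 18);    /* biWidth, signed in the format */
    int32_t h = (int32_t)le32(buf + 22);    /* biHeight, negative = top-down */
    uint16_t bpp = le16(buf + 28);          /* biBitCount */
    if (w <= 0 || w > max_dim)
        return -2;                          /* the case this bug is about */
    if (h == 0 || h == INT32_MIN || (h < 0 ? -h : h) > max_dim)
        return -3;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
        return -4;
    return 0;
}

/* Constructed sample header (not taken from any real file). */
const uint8_t *sample_header(int32_t w, int32_t h, uint16_t bpp) {
    static uint8_t out[54];
    memset(out, 0, sizeof out);
    out[0] = 'B'; out[1] = 'M';
    out[14] = 40;                           /* biSize */
    for (int i = 0; i < 4; i++) {
        out[18 + i] = (uint8_t)((uint32_t)w >> (8 * i));
        out[22 + i] = (uint8_t)((uint32_t)h >> (8 * i));
    }
    out[26] = 1;                            /* biPlanes */
    out[28] = (uint8_t)bpp; out[29] = (uint8_t)(bpp >> 8);
    return out;
}
```

A check like this is defence in depth for applications that accept untrusted BMP files; it does not replace the patched packages listed in the errata.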