[Git][security-tracker-team/security-tracker][master] CVE-2019-136{26,36}/libsdl{1.2,2}: jessie triage

Hugo Lefeuvre hle at debian.org
Sun Aug 18 12:48:08 BST 2019



Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker


Commits:
070fcfb1 by Hugo Lefeuvre at 2019-08-18T11:45:23Z
CVE-2019-136{26,36}/libsdl{1.2,2}: jessie triage

CVE-2019-13626: patch too large, too many non-security relevant changes,
issue can be ignored.

CVE-2019-13616: patch straightforward, this is worth fixing along with more
important changes.

dla-needed: minor NOTES updates.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -4405,9 +4405,11 @@ CVE-2019-13626 (SDL (Simple DirectMedia Layer) 2.x through 2.0.9 has a heap-base
 	- libsdl2 <unfixed>
 	[buster] - libsdl2 <no-dsa> (Minor issue)
 	[stretch] - libsdl2 <no-dsa> (Minor issue)
+	[jessie] - libsdl2 <no-dsa> (Minor issue)
 	- libsdl1.2 <unfixed>
 	[buster] - libsdl1.2 <no-dsa> (Minor issue)
 	[stretch] - libsdl1.2 <no-dsa> (Minor issue)
+	[jessie] - libsdl1.2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4522
 CVE-2019-13625 (NSA Ghidra before 9.0.1 allows XXE when a project is opened or restore ...)
 	- ghidra <itp> (bug #923851)
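Review bot: the two new jessie lines for CVE-2019-13626 reuse the "(Minor issue)" justification of buster and stretch, while the commit message gives a different and more specific reason for ignoring it in jessie (the upstream patch is large and mostly non-security changes). Consider recording that reason in the entry itself, either in the parenthetical, e.g. `[jessie] - libsdl2 <no-dsa> (Minor issue; upstream patch too intrusive to backport)`, or as a second `NOTE:` line beside the bugzilla link, so the triage rationale survives in data/CVE/list once the dla-needed.txt entry is removed.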
@@ -4442,9 +4444,11 @@ CVE-2019-13616 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.
 	- libsdl2 <unfixed>
 	[buster] - libsdl2 <no-dsa> (Minor issue)
 	[stretch] - libsdl2 <no-dsa> (Minor issue)
+	[jessie] - libsdl2 <postponed> (can be fixed along with more important patches)
 	- libsdl1.2 <unfixed>
 	[buster] - libsdl1.2 <no-dsa> (Minor issue)
 	[stretch] - libsdl1.2 <no-dsa> (Minor issue)
+	[jessie] - libsdl1.2 <postponed> (can be fixed along with more important patches)
 	- libsdl2-image <unfixed>
 	[buster] - libsdl2-image <no-dsa> (Minor issue)
 	[stretch] - libsdl2-image <no-dsa> (Minor issue)
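Review bot: the `<postponed>` tags for libsdl2 and libsdl1.2 match the commit message, but the same CVE-2019-13616 entry also lists libsdl2-image `<unfixed>` with buster and stretch `<no-dsa>` lines, and this hunk adds no jessie line for it. If jessie ships libsdl2-image, add a matching `[jessie] - libsdl2-image <postponed> (can be fixed along with more important patches)` (or `<no-dsa>`) line so its jessie status is triaged alongside the other two packages rather than left open; if jessie does not ship it, nothing is needed.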


=====================================
data/dla-needed.txt
=====================================
@@ -18,13 +18,15 @@ clamav (Hugo Lefeuvre)
   NOTE: wait for definitive patch to be available, then upgrade to latest upstream
   NOTE: release (follow stretch changes) (hle)
   NOTE: https://lists.debian.org/debian-lts/2019/08/msg00023.html
+  NOTE: 20190818: upstream has released a new patch, waiting for the final
+  NOTE: release to come out (hle)
 --
 cups (Thorsten Alteholz)
 --
 dnsmasq (Mike Gabriel)
 --
 faad2 (Hugo Lefeuvre)
-  NOTE: 20190810: I have done a second review of my patches and ping Fabian to get them
+  NOTE: 20190818: I have done a second review of my patches and ping Fabian to get them
   NOTE: merged at some point. see https://github.com/knik0/faad2/pull/36
   NOTE: working on more patches (hle)
 --
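Review bot: the faad2 change (`-  NOTE: 20190810:` to `+  NOTE: 20190818:`) only bumps the date stamp; the text still describes the second review and the ping to Fabian, so the new date no longer says when that actually happened. The clamav entry in the same hunk shows the better pattern: keep the old dated NOTE and append a new `NOTE: 20190818: ...` line stating what changed. If the line is rewritten anyway, `ping Fabian` should read `pinged Fabian`.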
@@ -39,7 +41,7 @@ golang-go.crypto
   NOTE: 20190707: Check that an upload of this will not require reverse build-deps to also be recompiled (see previous golang uploads?). (lamby)
 --
 hdf5 (Hugo Lefeuvre)
-  NOTE: 20190810: Upstream is aware of currently open issues. Progress is slow,
+  NOTE: 20190818: Upstream is aware of currently open issues. Progress is slow,
   NOTE: wait for the next HDF5 point release and either do full package upgrade
   NOTE: or cherry pick fixes (hle)
 --
@@ -73,14 +75,6 @@ libqb
 libreoffice
   NOTE: probably Jessie is affected as well
 --
-libsdl1.2 (Hugo Lefeuvre)
-  NOTE: see libsdl2 entry.
---
-libsdl2 (Hugo Lefeuvre)
-  NOTE: 20190809: probable fix for CVE-2019-13626: https://hg.libsdl.org/SDL/rev/b06fa7da012b
-  NOTE: waiting for somebody to confirm. if this is right I'd just mark this issue no-dsa,
-  NOTE: the issue is quite minor and the patch extremely big and full of unrelated changes.
---
 linux (Ben Hutchings)
 --
 linux-4.9 (Ben Hutchings)
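Review bot: deleting the libsdl2 entry drops the NOTE with the probable upstream fix for CVE-2019-13626, https://hg.libsdl.org/SDL/rev/b06fa7da012b, together with the assessment that it is big and full of unrelated changes; nothing else in this diff carries that into data/CVE/list, whose CVE-2019-13626 entry keeps only the bugzilla link. Suggest adding the changeset URL there as a second `NOTE:` line before removing the dla-needed entry, so whoever later picks up the postponed CVE-2019-13616 work on libsdl can find it. The removal itself is consistent with both CVEs now being no-dsa or postponed for jessie.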



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/070fcfb1c8e33650a35c945b31a0be49a5a6e41d
