[Git][security-tracker-team/security-tracker][master] Reserve DLA-3314-1 for libsdl2

Markus Koschany (@apo) apo at debian.org
Wed Feb 8 23:45:10 GMT 2023



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
85d09bd6 by Markus Koschany at 2023-02-09T00:44:58+01:00
Reserve DLA-3314-1 for libsdl2

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -10121,7 +10121,6 @@ CVE-2022-4744
 CVE-2022-4743 (A potential memory leak issue was discovered in SDL2 in GLES_CreateTex ...)
 	- libsdl2 2.26.0+dfsg-1
 	[bullseye] - libsdl2 <no-dsa> (Minor issue)
-	[buster] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2156290
 	NOTE: https://github.com/libsdl-org/SDL/pull/6269
 	NOTE: Fixed by: https://github.com/libsdl-org/SDL/commit/00b67f55727bc0944c3266e2b875440da132ce4b (prerelease-2.25.1)
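
Review bot: the CVE-2022-4743 entry loses its `[buster] - libsdl2 <no-dsa> (Minor issue)` line but gains no `{DLA-3314-1}` cross-reference, while other entries in this file carry theirs (e.g. `{DLA-2536-1}` on CVE-2020-14410); if that reference is filled in by a later step when the advisory is published this is fine, otherwise it belongs in this change. Note also that `[bullseye] - libsdl2 <no-dsa> (Minor issue)` stays, so after this commit buster will be fixed for an issue that bullseye still leaves open; worth confirming that is intended.
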
@@ -125975,7 +125974,6 @@ CVE-2021-33657 (There is a heap overflow problem in video/SDL_pixels.c in SDL (S
 	[stretch] - libsdl1.2 <no-dsa> (Minor issue)
 	- libsdl2 2.0.20+dfsg-2
 	[bullseye] - libsdl2 2.0.14+dfsg2-3+deb11u1
-	[buster] - libsdl2 <no-dsa> (Minor issue)
 	[stretch] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/libsdl-org/SDL/commit/8c91cf7dba5193f5ce12d06db1336515851c9ee9 (release-2.0.20)
 CVE-2021-33656 (When setting font with malicous data by ioctl cmd PIO_FONT,kernel will ...)
@@ -204144,13 +204142,11 @@ CVE-2020-14410 (SDL (Simple DirectMedia Layer) through 2.0.12 has a heap-based b
 	{DLA-2536-1}
 	- libsdl1.2 <not-affected> (Only affects SDL2)
 	- libsdl2 2.0.14+dfsg2-2
-	[buster] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=5200
 	NOTE: https://hg.libsdl.org/SDL/rev/3f9b4e92c1d9
 CVE-2020-14409 (SDL (Simple DirectMedia Layer) through 2.0.12 has an Integer Overflow  ...)
 	{DLA-2536-1}
 	- libsdl2 2.0.14+dfsg2-2
-	[buster] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=5200
 	NOTE: https://hg.libsdl.org/SDL/rev/3f9b4e92c1d9
 	NOTE: Specific to SDL2, these checks were addresses in SDL 1.2 with CVE-2019-7637
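
Review bot: both entries in this hunk already carry `{DLA-2536-1}`; once the buster line is gone the reference set should end up as `{DLA-3314-1 DLA-2536-1}`, the form used for CVE-2019-13616 below (`{DLA-2804-1 DLA-2536-1}`), unless that is added when DLA-3314-1 is announced. Unrelated to this change but visible in the context: the NOTE for CVE-2020-14409 reads "these checks were addresses in SDL 1.2" and should say "addressed".
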
@@ -260560,7 +260556,6 @@ CVE-2019-13627 (It was discovered that there was a ECDSA timing attack in the li
 	NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=db4e9976cc31b314aafad6626b2894e86ee44d60 (1.8.5)
 CVE-2019-13626 (SDL (Simple DirectMedia Layer) 2.x through 2.0.9 has a heap-based buff ...)
 	- libsdl2 2.0.10+dfsg1-1
-	[buster] - libsdl2 <no-dsa> (Minor issue)
 	[stretch] - libsdl2 <no-dsa> (Minor issue)
 	[jessie] - libsdl2 <no-dsa> (Minor issue)
 	- libsdl1.2 <not-affected> (Vulnerable code added later)
@@ -260601,7 +260596,6 @@ CVE-2019-13617 (njs through 0.3.3, used in NGINX, has a heap-based buffer over-r
 CVE-2019-13616 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
 	{DLA-2804-1 DLA-2536-1}
 	- libsdl2 2.0.10+dfsg1-1
-	[buster] - libsdl2 <no-dsa> (Minor issue)
 	[jessie] - libsdl2 <postponed> (can be fixed along with more important patches)
 	- libsdl1.2 1.2.15+dfsg2-5
 	[buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
@@ -279137,7 +279131,6 @@ CVE-2019-7638 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
 	- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
 	[buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
 	- libsdl2 2.0.10+dfsg1-1 (bug #924610)
-	[buster] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4500
 	NOTE: https://hg.libsdl.org/SDL/rev/19d8c3b9c251 (SDL-1.2)
 	NOTE: https://hg.libsdl.org/SDL/rev/07c39cbbeacf
@@ -279158,7 +279151,6 @@ CVE-2019-7636 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
 	- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
 	[buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
 	- libsdl2 2.0.10+dfsg1-1 (bug #924610)
-	[buster] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4499
 	NOTE: https://hg.libsdl.org/SDL/rev/19d8c3b9c251 (SDL-1.2)
 	NOTE: https://hg.libsdl.org/SDL/rev/07c39cbbeacf (SDL-2)
@@ -279167,7 +279159,6 @@ CVE-2019-7635 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
 	- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
 	[buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
 	- libsdl2 2.0.10+dfsg1-1 (bug #924610)
-	[buster] - libsdl2 <no-dsa> (Minor issue)
 	- sdl-image1.2 1.2.12-11 (bug #932755)
 	[buster] - sdl-image1.2 1.2.12-10+deb10u1
 	[stretch] - sdl-image1.2 1.2.12-5+deb9u2
@@ -279309,7 +279300,6 @@ CVE-2019-7578 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
 	- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
 	[buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
 	- libsdl2 2.0.10+dfsg1-1 (bug #924610)
-	[buster] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4494
 	NOTE: https://hg.libsdl.org/SDL/rev/388987dff7bf (SDL-1.2)
 	NOTE: https://hg.libsdl.org/SDL/rev/f9a9d6c76b21 (SDL-2)
@@ -279318,7 +279308,6 @@ CVE-2019-7577 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
 	- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
 	[buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
 	- libsdl2 2.0.10+dfsg1-1 (bug #924610)
-	[buster] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
 	NOTE: https://hg.libsdl.org/SDL/rev/faf9abbcfb5f (SDL-1.2)
 	NOTE: https://hg.libsdl.org/SDL/rev/416136310b88 (SDL-1.2)
@@ -279329,7 +279318,6 @@ CVE-2019-7576 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
 	- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
 	[buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
 	- libsdl2 2.0.10+dfsg1-1 (bug #924610)
-	[buster] - libsdl2 <no-dsa> (Minor issue)
 	[stretch] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4490
 	NOTE: Proposed patch: https://bugzilla.libsdl.org/attachment.cgi?id=3620&action=diff
@@ -279339,7 +279327,6 @@ CVE-2019-7575 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
 	- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
 	[buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
 	- libsdl2 2.0.10+dfsg1-1 (bug #924610)
-	[buster] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4493
 	NOTE: https://hg.libsdl.org/SDL/rev/a936f9bd3e38 (SDL-1.2)
 	NOTE: SDL2 was probably fixed during a refactoring, no targeted fix available:
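
Review bot: the NOTE on CVE-2019-7575 says SDL2 was probably fixed during a refactoring with no targeted fix available, yet the buster `<no-dsa>` line is removed, which means DLA-3314-1 claims a fix for this CVE in the 2.0.9-based buster package; a NOTE recording which upstream change was backported for it would make that claim auditable later.
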
@@ -279349,7 +279336,6 @@ CVE-2019-7574 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
 	- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
 	[buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
 	- libsdl2 2.0.10+dfsg1-1 (bug #924610)
-	[buster] - libsdl2 <no-dsa> (Minor issue)
 	[stretch] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4496
 	NOTE: https://hg.libsdl.org/SDL/rev/a6e3d2f5183e (SDL-1.2)
@@ -279360,7 +279346,6 @@ CVE-2019-7573 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
 	- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
 	[buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
 	- libsdl2 2.0.10+dfsg1-1 (bug #924610)
-	[buster] - libsdl2 <no-dsa> (Minor issue)
 	[stretch] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4491
 	NOTE: same patch as CVE-2019-7576
@@ -279372,7 +279357,6 @@ CVE-2019-7572 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
 	- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
 	[buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
 	- libsdl2 2.0.10+dfsg1-1 (bug #924610)
-	[buster] - libsdl2 <no-dsa> (Minor issue)
 	[stretch] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4495
 	NOTE: https://hg.libsdl.org/SDL/rev/e52413f52586 (SDL-1.2)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[09 Feb 2023] DLA-3314-1 libsdl2 - security update
+	{CVE-2019-7572 CVE-2019-7573 CVE-2019-7574 CVE-2019-7575 CVE-2019-7576 CVE-2019-7577 CVE-2019-7578 CVE-2019-7635 CVE-2019-7636 CVE-2019-7638 CVE-2019-13616 CVE-2019-13626 CVE-2020-14409 CVE-2020-14410 CVE-2021-33657 CVE-2022-4743}
+	[buster] - libsdl2 2.0.9+dfsg1-1+deb10u1
 [08 Feb 2023] DLA-3313-1 wireshark - security update
 	{CVE-2022-4345 CVE-2023-0411 CVE-2023-0412 CVE-2023-0413 CVE-2023-0415 CVE-2023-0417}
 	[buster] - wireshark 2.6.20-0+deb10u5
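
Review bot: the 16 CVEs in the `{...}` line match the 16 `[buster] - libsdl2 <no-dsa> (Minor issue)` lines removed from data/CVE/list in this commit, so the two files agree; the `[09 Feb 2023]` date follows the +01:00 commit timestamp rather than the GMT date of the mail (Feb 8), which is fine as long as the published advisory carries the same date.
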


=====================================
data/dla-needed.txt
=====================================
@@ -127,11 +127,6 @@ libreoffice
   NOTE: 20221012: Programming language: C++.
   NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/libreoffice.git
 --
-libsdl2 (Markus Koschany)
-  NOTE: 20221111: Programming language: C.
-  NOTE: 20221111: Sync with jessie/stretch/bullseye (Beuc/front-desk)
-  NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/libsdl2.git
---
 linux (Ben Hutchings)
   NOTE: 20230111: Programming language: C
 --
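
Review bot: dropping the libsdl2 entry also drops its 20221111 note about syncing with jessie/stretch/bullseye; the data/CVE/list hunks above still show `[bullseye] - libsdl2 <no-dsa>` for CVE-2022-4743 and `[stretch] - libsdl2 <no-dsa>` on several entries, so if that sync is still wanted it now needs to be tracked elsewhere. The removed `--` separator (shown as `---`) keeps the list well-formed, since the libreoffice block above still ends with its own `--`.
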



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/85d09bd6561a661e3fe017511079e24ff668839f
