Ubuntu update for SDL
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 12 |
| CVE-ID | CVE-2019-13616 CVE-2019-7572 CVE-2019-7573 CVE-2019-7574 CVE-2019-7575 CVE-2019-7576 CVE-2019-7577 CVE-2019-7578 CVE-2019-7635 CVE-2019-7636 CVE-2019-7637 CVE-2019-7638 |
| CWE-ID | CWE-125 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #4 is available. Public exploit code for vulnerability #5 is available. Public exploit code for vulnerability #6 is available. Public exploit code for vulnerability #7 is available. Public exploit code for vulnerability #8 is available. Public exploit code for vulnerability #9 is available. Public exploit code for vulnerability #10 is available. Public exploit code for vulnerability #11 is available. Public exploit code for vulnerability #12 is available. |
| Vulnerable software Subscribe |
libsdl1.2 (Ubuntu package) Operating systems & Components / Operating system package or component |
| Vendor | Canonical Ltd. |
Security Bulletin
This security bulletin contains information about 12 vulnerabilities.
1) Out-of-bounds read
EUVDB-ID: #VU19259
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-13616
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read in the "BlitNtoN" function in the "video/SDL_blit_N.c" file when called from the "SDL_SoftBlit" function in the "video/SDL_blit.c" file. A remote attacker can trick a victim to open a specially crafted file and perform a denial of service attack.
MitigationUpdate the affected packages.
- Ubuntu 18.04 LTS
- libsdl1.2debian - 1.2.15+dfsg2-0.1ubuntu0.1
- Ubuntu 16.04 LTS
- libsdl1.2debian - 1.2.15+dfsg1-3ubuntu0.1
libsdl1.2 (Ubuntu package): 1.2.0-1 - 1.2.15-12ubuntu1
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Heap out-of-bounds read
EUVDB-ID: #VU17686
Risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-7572
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition in the IMA_ADPCM_nibble function. A remote attacker can trick the victim into accessing a crafted image file and perform a denial of service attack.
MitigationUpdate the affected packages.
- Ubuntu 18.04 LTS
- libsdl1.2debian - 1.2.15+dfsg2-0.1ubuntu0.1
- Ubuntu 16.04 LTS
- libsdl1.2debian - 1.2.15+dfsg1-3ubuntu0.1
libsdl1.2 (Ubuntu package): 1.2.0-1 - 1.2.15-12ubuntu1
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Heap out-of-bounds read
EUVDB-ID: #VU17685
Risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-7573
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition in the InitMS_ADPCM function. A remote attacker can trick the victim into accessing a crafted image file and perform a denial of service attack.
MitigationUpdate the affected packages.
- Ubuntu 18.04 LTS
- libsdl1.2debian - 1.2.15+dfsg2-0.1ubuntu0.1
- Ubuntu 16.04 LTS
- libsdl1.2debian - 1.2.15+dfsg1-3ubuntu0.1
libsdl1.2 (Ubuntu package): 1.2.0-1 - 1.2.15-12ubuntu1
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) Heap out-of-bounds read
EUVDB-ID: #VU17690
Risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-7574
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition in the IMA_ADPCM_decode function. A remote attacker can trick the victim into accessing a crafted image file and perform a denial of service attack.
MitigationUpdate the affected packages.
- Ubuntu 18.04 LTS
- libsdl1.2debian - 1.2.15+dfsg2-0.1ubuntu0.1
- Ubuntu 16.04 LTS
- libsdl1.2debian - 1.2.15+dfsg1-3ubuntu0.1
libsdl1.2 (Ubuntu package): 1.2.0-1 - 1.2.15-12ubuntu1
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
5) Heap out-of-bounds read
EUVDB-ID: #VU17692
Risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-7575
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition in the MS_ADPCM_decode function. A remote attacker can trick the victim into accessing a crafted image file and perform a denial of service attack.
MitigationUpdate the affected packages.
- Ubuntu 18.04 LTS
- libsdl1.2debian - 1.2.15+dfsg2-0.1ubuntu0.1
- Ubuntu 16.04 LTS
- libsdl1.2debian - 1.2.15+dfsg1-3ubuntu0.1
libsdl1.2 (Ubuntu package): 1.2.0-1 - 1.2.15-12ubuntu1
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
6) Heap out-of-bounds read
EUVDB-ID: #VU17691
Risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-7576
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition in the InitMS_ADPCM function. A remote attacker can trick the victim into accessing a crafted image file and perform a denial of service attack.
MitigationUpdate the affected packages.
- Ubuntu 18.04 LTS
- libsdl1.2debian - 1.2.15+dfsg2-0.1ubuntu0.1
- Ubuntu 16.04 LTS
- libsdl1.2debian - 1.2.15+dfsg1-3ubuntu0.1
libsdl1.2 (Ubuntu package): 1.2.0-1 - 1.2.15-12ubuntu1
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
7) Heap out-of-bounds read
EUVDB-ID: #VU17687
Risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-7577
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition in the SDL_LoadWAV_RW function. A remote attacker can trick the victim into accessing a crafted image file and perform a denial of service attack.
MitigationUpdate the affected packages.
- Ubuntu 18.04 LTS
- libsdl1.2debian - 1.2.15+dfsg2-0.1ubuntu0.1
- Ubuntu 16.04 LTS
- libsdl1.2debian - 1.2.15+dfsg1-3ubuntu0.1
libsdl1.2 (Ubuntu package): 1.2.0-1 - 1.2.15-12ubuntu1
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
8) Heap out-of-bounds read
EUVDB-ID: #VU17693
Risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-7578
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition in the in the InitlMA_ADPCM function. A remote attacker can trick the victim into accessing a crafted image file and perform a denial of service attack.
MitigationUpdate the affected packages.
- Ubuntu 18.04 LTS
- libsdl1.2debian - 1.2.15+dfsg2-0.1ubuntu0.1
- Ubuntu 16.04 LTS
- libsdl1.2debian - 1.2.15+dfsg1-3ubuntu0.1
libsdl1.2 (Ubuntu package): 1.2.0-1 - 1.2.15-12ubuntu1
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
9) Heap out-of-bounds read
EUVDB-ID: #VU17684
Risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-7635
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition in the Blit1to4 function. A remote attacker can trick the victim into accessing a crafted image file and perform a denial of service attack.
MitigationUpdate the affected packages.
- Ubuntu 18.04 LTS
- libsdl1.2debian - 1.2.15+dfsg2-0.1ubuntu0.1
- Ubuntu 16.04 LTS
- libsdl1.2debian - 1.2.15+dfsg1-3ubuntu0.1
libsdl1.2 (Ubuntu package): 1.2.0-1 - 1.2.15-12ubuntu1
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
10) Heap out-of-bounds read
EUVDB-ID: #VU17683
Risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-7636
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition in the SDL_GetRGB function. A remote attacker can trick the victim into accessing a crafted image file and perform a denial of service attack.
MitigationUpdate the affected packages.
- Ubuntu 18.04 LTS
- libsdl1.2debian - 1.2.15+dfsg2-0.1ubuntu0.1
- Ubuntu 16.04 LTS
- libsdl1.2debian - 1.2.15+dfsg1-3ubuntu0.1
libsdl1.2 (Ubuntu package): 1.2.0-1 - 1.2.15-12ubuntu1
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
11) Heap out-of-bounds read
EUVDB-ID: #VU17689
Risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-7637
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition in the SDL_FillRect function. A remote attacker can trick the victim into accessing a crafted image file and perform a denial of service attack.
MitigationUpdate the affected packages.
- Ubuntu 18.04 LTS
- libsdl1.2debian - 1.2.15+dfsg2-0.1ubuntu0.1
- Ubuntu 16.04 LTS
- libsdl1.2debian - 1.2.15+dfsg1-3ubuntu0.1
libsdl1.2 (Ubuntu package): 1.2.0-1 - 1.2.15-12ubuntu1
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
12) Heap out-of-bounds read
EUVDB-ID: #VU17688
Risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-7638
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition in the Map1toN function. A remote attacker can trick the victim into accessing a crafted image file and perform a denial of service attack.
MitigationUpdate the affected packages.
- Ubuntu 18.04 LTS
- libsdl1.2debian - 1.2.15+dfsg2-0.1ubuntu0.1
- Ubuntu 16.04 LTS
- libsdl1.2debian - 1.2.15+dfsg1-3ubuntu0.1
libsdl1.2 (Ubuntu package): 1.2.0-1 - 1.2.15-12ubuntu1
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
