SB2019102109 - Out-of-bounds read in cabextract (Alpine package)

Description

This security bulletin contains information about 1 security vulnerability.

1) Out-of-bounds read (CVE-ID: CVE-2019-13616)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to heap-based buffer over-read in the "BlitNtoN" function in the "video/SDL_blit_N.c" file when called from the "SDL_SoftBlit" function in the "video/SDL_blit.c" file. A remote attacker can trick a victim to open a specially crafted file and perform a denial of service attack.

Remediation

Install update from vendor's website.

References

• https://git.alpinelinux.org/aports/commit/?id=41ab224df12b8487004a1522b4f671680c082954
• https://git.alpinelinux.org/aports/commit/?id=7524badc16a4157691398a942c5a94069febe580
• https://git.alpinelinux.org/aports/commit/?id=7b041c70260536c9ab6240b59ed2a4cf7aa4d26c
• https://git.alpinelinux.org/aports/commit/?id=8500a332914114e126e7340c92dcf1361f59e2df
• https://git.alpinelinux.org/aports/commit/?id=c22e88769db71ba0fed2cd3d6c33f3eab2c2e0de
• https://git.alpinelinux.org/aports/commit/?id=08adcfc479eef62bec301b3f917ee3e50960721d
• https://git.alpinelinux.org/aports/commit/?id=23f3bf9a8153dece9918c9b8d4bbcce11a53b594
• https://git.alpinelinux.org/aports/commit/?id=258d45e74735a475fb9e2df05c79b9f8304d1b9f
• https://git.alpinelinux.org/aports/commit/?id=41c5bc74b5ac24cb063d2188b02ef2c9af61c2b0
• https://git.alpinelinux.org/aports/commit/?id=a50982cecf73dfa8a835012915ba76eab2dba9e2
• https://git.alpinelinux.org/aports/commit/?id=e5f827ce9138a26780217975e2b90fda2ee3043d
• https://git.alpinelinux.org/aports/commit/?id=e744b4cb5b3ab1bdb7a54cbe834a92b5c12e6778
• https://git.alpinelinux.org/aports/commit/?id=1fe32d61beb6c5514a0fb76fc98cf6feab7aae65