openEuler update for SDL
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2019-7572 CVE-2019-7574 CVE-2019-7575 |
| CWE-ID | CWE-125 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. |
| Vulnerable software |
openEuler Operating systems & Components / Operating system SDL-debuginfo Operating systems & Components / Operating system package or component SDL-devel Operating systems & Components / Operating system package or component SDL-help Operating systems & Components / Operating system package or component SDL-debugsource Operating systems & Components / Operating system package or component SDL Operating systems & Components / Operating system package or component |
| Vendor | openEuler |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Heap out-of-bounds read
EUVDB-ID: #VU17686
Risk: Low
CVSSv4.0: 5.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-7572
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition in the IMA_ADPCM_nibble function. A remote attacker can trick the victim into accessing a crafted image file and perform a denial of service attack.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP1 - 20.03 LTS SP2
SDL-debuginfo: before 1.2.15-39
SDL-devel: before 1.2.15-39
SDL-help: before 1.2.15-39
SDL-debugsource: before 1.2.15-39
SDL: before 1.2.15-39
CPE2.3- cpe:2.3:o:openeuler:openeuler:20.03:LTS SP1:*:*:*:*:*:*
- cpe:2.3:o:openeuler:openeuler:20.03:LTS SP2:*:*:*:*:*:*
- cpe:2.3:a:openeuler:sdl-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:sdl-devel:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:sdl-help:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:sdl-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:sdl:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1426
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Heap out-of-bounds read
EUVDB-ID: #VU17690
Risk: Low
CVSSv4.0: 5.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-7574
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition in the IMA_ADPCM_decode function. A remote attacker can trick the victim into accessing a crafted image file and perform a denial of service attack.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP1 - 20.03 LTS SP2
SDL-debuginfo: before 1.2.15-39
SDL-devel: before 1.2.15-39
SDL-help: before 1.2.15-39
SDL-debugsource: before 1.2.15-39
SDL: before 1.2.15-39
CPE2.3- cpe:2.3:o:openeuler:openeuler:20.03:LTS SP1:*:*:*:*:*:*
- cpe:2.3:o:openeuler:openeuler:20.03:LTS SP2:*:*:*:*:*:*
- cpe:2.3:a:openeuler:sdl-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:sdl-devel:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:sdl-help:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:sdl-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:sdl:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1426
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Heap out-of-bounds read
EUVDB-ID: #VU17692
Risk: Low
CVSSv4.0: 5.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-7575
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read condition in the MS_ADPCM_decode function. A remote attacker can trick the victim into accessing a crafted image file and perform a denial of service attack.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP1 - 20.03 LTS SP2
SDL-debuginfo: before 1.2.15-39
SDL-devel: before 1.2.15-39
SDL-help: before 1.2.15-39
SDL-debugsource: before 1.2.15-39
SDL: before 1.2.15-39
CPE2.3- cpe:2.3:o:openeuler:openeuler:20.03:LTS SP1:*:*:*:*:*:*
- cpe:2.3:o:openeuler:openeuler:20.03:LTS SP2:*:*:*:*:*:*
- cpe:2.3:a:openeuler:sdl-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:sdl-devel:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:sdl-help:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:sdl-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:a:openeuler:sdl:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1426
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
