Your message dated Mon, 11 Jul 2022 10:04:11 +0000
with message-id <[email protected]>
and subject line Bug#1014577: fixed in libsdl1.2 1.2.15+dfsg2-7
has caused the Debian Bug report #1014577,
regarding libsdl1.2: CVE-2021-33657
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1014577: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014577
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libsdl1.2
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for libsdl1.2.
CVE-2021-33657[0]:
| There is a heap overflow problem in video/SDL_pixels.c in SDL (Simple
| DirectMedia Layer) 2.x to 2.0.18 versions. By crafting a malicious
| .BMP file, an attacker can cause the application using this library to
| crash, denial of service or code execution.
This is fixed in SDL2 in
https://github.com/libsdl-org/SDL/commit/8c91cf7dba5193f5ce12d06db1336515851c9ee9
(release-2.0.20)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-33657
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33657
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: libsdl1.2
Source-Version: 1.2.15+dfsg2-7
Done: Simon McVittie <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libsdl1.2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated libsdl1.2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 11 Jul 2022 10:09:56 +0100
Source: libsdl1.2
Architecture: source
Version: 1.2.15+dfsg2-7
Distribution: unstable
Urgency: medium
Maintainer: Debian SDL packages maintainers <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 981204 1014577
Changes:
libsdl1.2 (1.2.15+dfsg2-7) unstable; urgency=medium
.
* Team upload
.
[ Simon McVittie ]
* Add a .symbols file.
This will be useful when comparing the ABI of this legacy library
with the ABI of its SDL2-based replacement, sdl12-compat.
* Generate dependencies without error-prone hard-coding.
We have had SDL 1.2.15 since at least Debian 9, so there is no benefit
in generating dependencies older than that. Not hard-coding SHLIBVER
avoids mistakes if a new symbol is added.
* Finish migration from -dbg to -dbgsym packages.
We no longer need this migration path, since the required version is
in stable (and oldstable and oldoldstable) and we don't support
skipping a release during upgrades.
* Add a Lintian override for libSDLmain.a being intentionally empty
* Add patch to make pkg-config check cross-compilation-friendly
* Add patch to ensure 8-bit paletted images don't overflow the palette
(Closes: #1014577, CVE-2021-33657)
* Normalize order of lists of installed files (wrap-and-sort -abst)
* Normalize dependency and maintainer lists (wrap-and-sort -ast)
* d/control: Normalize order of binary packages (wrap-and-sort -abst)
* Build-depend on libgl-dev instead of transitional libgl1-mesa-dev
* Use recommended debhelper compat level 13
- No need for explicit dh_makeshlibs -V, it is now the default
* d/rules: Explicitly delete unwanted .la files instead of ignoring them
.
[ Helmut Grohne ]
* Drop unused Build-Depends: libxt-dev and libxv-dev (Closes: #981204)
Checksums-Sha1:
0aa07ad4cc71bf9dd530e08e7407cbd0b9bcd710 2387 libsdl1.2_1.2.15+dfsg2-7.dsc
d94a72b541e7ae89ff44e8c1cbbe2afddd59d8e8 53336 libsdl1.2_1.2.15+dfsg2-7.debian.tar.xz
e94b9c7a2fa351ac96c4974fcb44ca90847b0af7 8662 libsdl1.2_1.2.15+dfsg2-7_source.buildinfo
Checksums-Sha256:
4b4c31e1b8827fe31880b3c2ccbbf49075bc92ced76daac6d8b97cba39731ddb 2387 libsdl1.2_1.2.15+dfsg2-7.dsc
8a573865f3ac68a5c935b7750f7c935812170adde91c60999413e00ab3d757b7 53336 libsdl1.2_1.2.15+dfsg2-7.debian.tar.xz
f444ed2d4f7a23bb966c62dcca816cc4de24d527593f0de23d4151db3b8bf225 8662 libsdl1.2_1.2.15+dfsg2-7_source.buildinfo
Files:
8563c085a6d6faa2f5bc9af59dc3a8d0 2387 libs optional libsdl1.2_1.2.15+dfsg2-7.dsc
28593686692adaa36d6d95456312a003 53336 libs optional libsdl1.2_1.2.15+dfsg2-7.debian.tar.xz
73e09143dce24fb026d59c60dabaebf3 8662 libs optional libsdl1.2_1.2.15+dfsg2-7_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAmLL8aUACgkQ4FrhR4+B
TE/CWA/8DdIno9QqnlwkalS70uQp7AaCvweTbqFH8/OYnBN2k9i19wMd6mk+8Z4x
ggFvCu7AFwwcTR3vbcsHsKslSybsClRPf8iwFLeUL5MKnNyCwyn9mrU054FkTlJl
pg7oQuKSLS+POTJv5aVTdgcndImOcjSqjvmUDl8YTdQFRW7lzvNxAoByhw/ZbZvq
iwxyqN1tuD1wJwS3iNJ7AOJzeLdZWvmhGDdKJr895iRP2Wvn4/P8H55sYA/Sofmp
yagYfP21416cSLU8QUkCo+QTJ4ZxPzg4BT00Ibmc+wT6TdoXL8Sb2zp8d8pPz5xS
/rZKSqypLvxhEIt730gzZ8tnNTUVwIY1FuTbaNfAGNiKtQmLbdQZ3kKJ1KYl9q+6
wXF8k56WnFXR5yi7KoE/q/KbQjaJDJpZxI8NsgSloxZj9X2psUz+YcF9dS7MDtP1
sj5iOB7pXTt68DnApU8Or9bXG7Ku4mxKV8Q0U8id41zxU0fLzVrPcf0rs5/c0BjV
VtgP5q6sp0vNtvHaz8r7vSXJixJW1BPU6FzUb2tfYU2VwQQgba34F6wMZNafEiNn
gvkNl8VWY3GlsOZWEGoj2Q/IuGTYZe7f32vh6rD3+ydzQYkk0db63/z/+PUK/EZU
DSO75aGXpkFor7+wornAEcPNITrFrIoU6QqZT9Gxf2fnTe7hEjE=
=z0yg
-----END PGP SIGNATURE-----
--- End Message ---
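The bug report above describes a heap overflow in SDL_pixels.c triggered by a BMP whose 8-bit pixel data indexes past its colour table, and the changelog entry records the fix as "ensure 8-bit paletted images don't overflow the palette". The following is an added illustration of that defensive property, written for this page and not taken from SDL or from the Debian patch: it uses hypothetical `Color` and `Palette` types (not SDL's structures) and constructed sample data, and it guarantees the property by always building a full 256-entry lookup table, so a pixel value of 0..255 is a valid index however few colours the palette declares. A palette header claiming an impossible colour count is rejected outright, and a small diagnostic counts how many pixels reference undeclared colours.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical types for this example (not SDL's own structures). */
typedef struct { uint8_t r, g, b; } Color;
typedef struct { int ncolors; const Color *colors; } Palette;

/* Expand 8-bit indexed pixels to packed 24-bit RGB.
 * Defensive point: the lookup table always has 256 entries, so a pixel
 * value is an in-bounds index no matter how few colours the palette
 * declares. Indices with no palette entry render as black instead of
 * reading past the end of the colour table.
 * Returns 0 on success, -1 on a null argument or malformed palette. */
int expand_indexed(const Palette *pal, const uint8_t *pixels,
                   size_t npixels, uint8_t *out_rgb)
{
    Color map[256];
    if (!pal || !pal->colors || !pixels || !out_rgb)
        return -1;
    if (pal->ncolors < 0 || pal->ncolors > 256)   /* header claims an impossible size */
        return -1;
    memset(map, 0, sizeof map);                    /* undeclared slots become black */
    memcpy(map, pal->colors, (size_t)pal->ncolors * sizeof(Color));
    for (size_t i = 0; i < npixels; i++) {
        Color c = map[pixels[i]];                  /* 0..255: always in bounds */
        out_rgb[3 * i + 0] = c.r;
        out_rgb[3 * i + 1] = c.g;
        out_rgb[3 * i + 2] = c.b;
    }
    return 0;
}

/* Diagnostic: number of pixels that reference a colour the palette never
 * declared. Non-zero means the colour table is shorter than the pixel data
 * needs, which is exactly the input an ncolors-sized table mishandles. */
size_t count_out_of_range(const Palette *pal, const uint8_t *pixels, size_t npixels)
{
    size_t n = 0;
    if (!pal || !pixels)
        return 0;
    for (size_t i = 0; i < npixels; i++)
        if ((int)pixels[i] >= pal->ncolors)
            n++;
    return n;
}

/* Constructed sample data (not from any real file): a 4-colour palette
 * and six pixels, two of which index past the palette. */
static const Color SAMPLE_COLORS[4] = {
    {255, 0, 0}, {0, 255, 0}, {0, 0, 255}, {255, 255, 255}
};
static const uint8_t SAMPLE_PIXELS[6] = { 0, 1, 2, 3, 200, 255 };
#define SAMPLE_NPIXELS 6

size_t demo_out_of_range(void)
{
    Palette pal = { 4, SAMPLE_COLORS };
    return count_out_of_range(&pal, SAMPLE_PIXELS, SAMPLE_NPIXELS);
}

/* Byte i of the expanded RGB buffer for the sample, or -1 if i is out of range. */
int demo_expanded_byte(size_t i)
{
    uint8_t out[3 * SAMPLE_NPIXELS];
    Palette pal = { 4, SAMPLE_COLORS };
    if (i >= sizeof out)
        return -1;
    if (expand_indexed(&pal, SAMPLE_PIXELS, SAMPLE_NPIXELS, out) != 0)
        return -1;
    return out[i];
}

/* A palette claiming 300 colours is rejected rather than copied. */
int demo_reject_bad_ncolors(void)
{
    uint8_t out[3 * SAMPLE_NPIXELS];
    Palette pal = { 300, SAMPLE_COLORS };
    return expand_indexed(&pal, SAMPLE_PIXELS, SAMPLE_NPIXELS, out);
}

int main(void)
{
    printf("pixels indexing past the palette: %zu\n", demo_out_of_range());
    for (size_t i = 0; i < SAMPLE_NPIXELS; i++)
        printf("pixel %zu (index %3u) -> rgb(%d,%d,%d)\n", i, SAMPLE_PIXELS[i],
               demo_expanded_byte(3 * i), demo_expanded_byte(3 * i + 1),
               demo_expanded_byte(3 * i + 2));
    return 0;
}
```

The two undeclared indices (200 and 255) come out as black rather than as whatever lies beyond the palette in memory, and the diagnostic reports them, which is the signal a loader could log when a file's colour table does not cover its pixel data.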