Amazon Linux 2 : SDL (ALAS-2019-1375)

critical Nessus Plugin ID 132263

Synopsis

The remote Amazon Linux 2 host is missing a security update.

Description

A heap-based buffer overflow flaw, in SDL while copying an existing surface into a new optimized one, due to a lack of validation while loading a BMP image, is possible. An application that uses SDL to parse untrusted input files may be vulnerable to this flaw, which could allow an attacker to make the application crash or execute code.(CVE-2019-14906)

SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c.(CVE-2019-13616)

A heap-based buffer overflow was discovered in SDL in the SDL_BlitCopy() function, that was called while copying an existing surface into a new optimized one, due to lack of validation while loading a BMP image in the SDL_LoadBMP_RW() function. An application that uses SDL to parse untrusted input files may be vulnerable to this flaw, which could allow an attacker to make the application crash or possibly execute code.(CVE-2019-13616)

Solution

Run 'yum update SDL' to update your system.

See Also

https://alas.aws.amazon.com/AL2/ALAS-2019-1375.html

Plugin Details

Severity: Critical

ID: 132263

File Name: al2_ALAS-2019-1375.nasl

Version: 1.3

Type: local

Agent: unix

Published: 12/19/2019

Updated: 1/28/2020

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-14906

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:sdl, p-cpe:/a:amazon:linux:sdl-debuginfo, p-cpe:/a:amazon:linux:sdl-devel, p-cpe:/a:amazon:linux:sdl-static, cpe:/o:amazon:linux:2

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 12/18/2019

Vulnerability Publication Date: 7/16/2019

Reference Information

CVE: CVE-2019-13616, CVE-2019-14906

ALAS: 2019-1375