Operating System: Ubuntu
Published: 01 October 2019


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3669
                    USN-4143-1: SDL 2.0 vulnerabilities
                              1 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           SDL 2.0
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-7638 CVE-2019-7637 CVE-2019-7636
                   CVE-2019-7635 CVE-2017-2888 

Reference:         ESB-2019.2818
                   ESB-2019.2738
                   ESB-2019.2258

Original Bulletin: 
   https://usn.ubuntu.com/4143-1/

--------------------------BEGIN INCLUDED TEXT--------------------

USN-4143-1: SDL 2.0 vulnerabilities
30 September 2019

SDL 2.0 vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:

  o Ubuntu 19.04
  o Ubuntu 18.04 LTS
  o Ubuntu 16.04 LTS

Summary

SDL 2.0 could be made to crash or run programs as your login if it opened a
specially crafted file.

Software Description

  o libsdl2 - Simple DirectMedia Layer: cross-platform development library
    providing access to low level media interfaces

Details

It was discovered that SDL 2.0 mishandled crafted image files, resulting in an
integer overflow. If a user were tricked into opening a malicious file, SDL 2.0
could be caused to crash or potentially run arbitrary code. (CVE-2017-2888)

It was discovered that SDL 2.0 mishandled crafted image files. If a user were
tricked into opening a malicious file, SDL 2.0 could be caused to crash or
potentially run arbitrary code. (CVE-2019-7635, CVE-2019-7636, CVE-2019-7637,
CVE-2019-7638)

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 19.04
    libsdl2-2.0-0 - 2.0.9+dfsg1-1ubuntu1.19.04.1
Ubuntu 18.04 LTS
    libsdl2-2.0-0 - 2.0.8+dfsg1-1ubuntu1.18.04.4
Ubuntu 16.04 LTS
    libsdl2-2.0-0 - 2.0.4+dfsg1-2ubuntu2.16.04.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades

In general, a standard system update will make all the necessary changes.
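A defender-side check for the update step above, added here as example code that is not part of the Ubuntu or AusCERT bulletin: it implements dpkg's version ordering in Python and compares the libsdl2-2.0-0 version reported by `dpkg-query -W` (the sample output is constructed) against the fixed versions listed for each release, so an exported package inventory can be triaged offline. On a live host the same comparison is what `dpkg --compare-versions` performs.

```python
import itertools
import re

# Fixed libsdl2-2.0-0 versions taken from the bulletin's "Update instructions".
FIXED_VERSIONS = {
    "19.04": "2.0.9+dfsg1-1ubuntu1.19.04.1",
    "18.04": "2.0.8+dfsg1-1ubuntu1.18.04.4",
    "16.04": "2.0.4+dfsg1-2ubuntu2.16.04.2",
}
# Constructed sample of `dpkg-query -W libsdl2-2.0-0` output from a host one revision behind.
SAMPLE_DPKG_OUTPUT = "libsdl2-2.0-0:amd64\t2.0.8+dfsg1-1ubuntu1.18.04.3\n"

def _order(c):
    """dpkg ordering for one non-digit character: '~' < end of string < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare an upstream or revision fragment the way dpkg's verrevcmp does."""
    while a or b:
        # Non-digit prefixes are compared character by character ...
        pa, pb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(pa):], b[len(pb):]
        for ca, cb in itertools.zip_longest(pa, pb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        # ... then the digit runs numerically, so 1.18.04.4 > 1.18.04.3 and 10 > 9.
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def deb_version_cmp(v1, v2):
    """Return <0, 0 or >0 like `dpkg --compare-versions`: epoch, then upstream, then revision."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_patched(release, dpkg_output):
    """True when the installed libsdl2-2.0-0 version meets the fixed version for this Ubuntu release."""
    return deb_version_cmp(dpkg_output.split()[1], FIXED_VERSIONS[release]) >= 0
```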

References

  o CVE-2017-2888
  o CVE-2019-7635
  o CVE-2019-7636
  o CVE-2019-7637
  o CVE-2019-7638

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================