ID CVE-2019-14906
Summary A flaw was found with the RHSA-2019:3950 erratum, where it did not fix the CVE-2019-13616 SDL vulnerability. This issue only affects Red Hat SDL packages, SDL versions through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer overflow flaw while copying an existing surface into a new optimized one, due to a lack of validation while loading a BMP image, is possible. An application that uses SDL to parse untrusted input files may be vulnerable to this flaw, which could allow an attacker to make the application crash or execute code.
References
Vulnerable Configurations
  • cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.12:*:*:*:*:*:*:*
    cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.12:*:*:*:*:*:*:*
  • cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.12-1:*:*:*:*:*:*:*
    cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.12-1:*:*:*:*:*:*:*
  • cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.13:*:*:*:*:*:*:*
    cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.13:*:*:*:*:*:*:*
  • cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.13-1:*:*:*:*:*:*:*
    cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.13-1:*:*:*:*:*:*:*
  • cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.14:*:*:*:*:*:*:*
    cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.14:*:*:*:*:*:*:*
  • cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.14-1:*:*:*:*:*:*:*
    cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.14-1:*:*:*:*:*:*:*
  • cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.15:*:*:*:*:*:*:*
    cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.15:*:*:*:*:*:*:*
  • cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.6:*:*:*:*:*:*:*
    cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.7:*:*:*:*:*:*:*
    cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.8:*:*:*:*:*:*:*
    cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.9:*:*:*:*:*:*:*
    cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.9:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 05-04-2021 - 12:29)
Impact:
Exploitability:
CWE CWE-787
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
bugzilla
id 1777372
title CVE-2019-14906 SDL: CVE-2019-13616 not fixed in Red Hat Enterprise Linux 7 erratum RHSA-2019:3950
oval
OR
  • comment Red Hat Enterprise Linux must be installed
    oval oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment Red Hat Enterprise Linux 7 is installed
      oval oval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • comment SDL is earlier than 0:1.2.15-15.el7_7
          oval oval:com.redhat.rhsa:tst:20194024001
        • comment SDL is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20193553004
      • AND
        • comment SDL-devel is earlier than 0:1.2.15-15.el7_7
          oval oval:com.redhat.rhsa:tst:20194024003
        • comment SDL-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20193553008
      • AND
        • comment SDL-static is earlier than 0:1.2.15-15.el7_7
          oval oval:com.redhat.rhsa:tst:20194024005
        • comment SDL-static is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20193950006
rhsa
id RHSA-2019:4024
released 2019-12-02
severity Important
title RHSA-2019:4024: SDL security update (Important)
rpms
  • SDL-0:1.2.15-15.el7_7
  • SDL-debuginfo-0:1.2.15-15.el7_7
  • SDL-devel-0:1.2.15-15.el7_7
  • SDL-static-0:1.2.15-15.el7_7
refmap via4
confirm https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14906
Last major update 05-04-2021 - 12:29
Published 07-01-2020 - 21:15
Last modified 05-04-2021 - 12:29
Back to Top