CVE-2019-13616

Name	CVE-2019-13616
Description	SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-2536-1, DLA-2804-1, DLA-3314-1, ELA-353-1, ELA-520-1
Debian Bugs	940934

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libsdl1.2 (PTS)	jessie, jessie (lts)	1.2.15-10+deb8u3	fixed
	stretch (security), stretch (lts), stretch	1.2.15+dfsg1-4+deb9u1	fixed
	buster	1.2.15+dfsg2-6~deb10u1	fixed
	bullseye	1.2.15+dfsg2-6	fixed
	bookworm	1.2.15+dfsg2-8	fixed
libsdl2 (PTS)	jessie, jessie (lts)	2.0.2+dfsg1-6+deb8u3	fixed
	stretch (security), stretch (lts), stretch	2.0.5+dfsg1-2+deb9u2	fixed
	buster	2.0.9+dfsg1-1	vulnerable
	buster (security)	2.0.9+dfsg1-1+deb10u1	fixed
	bullseye	2.0.14+dfsg2-3+deb11u1	fixed
	bookworm	2.26.5+dfsg-1	fixed
	trixie	2.30.0+dfsg-1	fixed
	sid	2.30.2+dfsg-1	fixed
libsdl2-image (PTS)	jessie, jessie (lts)	2.0.0+dfsg-3+deb8u2	vulnerable
	stretch	2.0.1+dfsg-2+deb9u2	vulnerable
	stretch (security), stretch (lts)	2.0.1+dfsg-2+deb9u1	vulnerable
	buster	2.0.4+dfsg1-1+deb10u1	vulnerable
	bullseye	2.0.5+dfsg1-2	fixed
	bookworm	2.6.3+dfsg-1	fixed
	sid, trixie	2.8.2+dfsg-1	fixed
sdl-image1.2 (PTS)	jessie, jessie (lts)	1.2.12-5+deb8u2	vulnerable
	stretch	1.2.12-5+deb9u2	vulnerable
	stretch (security), stretch (lts)	1.2.12-5+deb9u1	vulnerable
	buster	1.2.12-10+deb10u1	vulnerable
	bullseye	1.2.12-12	fixed
	sid, trixie, bookworm	1.2.12-13	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
libsdl1.2	source	jessie	1.2.15-10+deb8u3		ELA-520-1
libsdl1.2	source	stretch	1.2.15+dfsg1-4+deb9u1		DLA-2804-1
libsdl1.2	source	buster	1.2.15+dfsg2-4+deb10u1
libsdl1.2	source	(unstable)	1.2.15+dfsg2-5
libsdl2	source	jessie	2.0.2+dfsg1-6+deb8u3		ELA-353-1
libsdl2	source	stretch	2.0.5+dfsg1-2+deb9u1		DLA-2536-1
libsdl2	source	buster	2.0.9+dfsg1-1+deb10u1		DLA-3314-1
libsdl2	source	(unstable)	2.0.10+dfsg1-1
libsdl2-image	source	(unstable)	2.0.5+dfsg1-2			940934
sdl-image1.2	source	wheezy	(unfixed)	end-of-life
sdl-image1.2	source	(unstable)	1.2.12-12

Notes

[jessie] - libsdl2 <postponed> (can be fixed along with more important patches)
[jessie] - libsdl1.2 <postponed> (can be fixed along with more important patches)
[buster] - libsdl2-image <no-dsa> (Minor issue)
[stretch] - libsdl2-image <no-dsa> (Minor issue)
[jessie] - libsdl2-image <postponed> (can be fixed along with more important patches)
[buster] - sdl-image1.2 <no-dsa> (Minor issue)
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
[jessie] - sdl-image1.2 <postponed> (can be fixed along with more important patches)
https://bugzilla.libsdl.org/show_bug.cgi?id=4538
libsdl2: https://hg.libsdl.org/SDL/rev/e7ba650a643a
libsdl1.2: https://hg.libsdl.org/SDL/rev/ad1bbfbca760
libsdl2-image: https://hg.libsdl.org/SDL_image/rev/ba45f00879ba
sdl-image1.2: https://hg.libsdl.org/SDL_image/rev/a59bfe382008
[wheezy] - libsdl1.2 <postponed> (can be fixed along with more important patches)
wheezy version built with ASAN (in a jessie environment) exhibits the exact same failure as the upstream bug