CVE-2019-14906 - A flaw was found with the RHSA-2019:3950 erratum, where it did not fix the CVE-2019-13616 SDL vulner

CVE-2019-14906

Summary

A flaw was found with the RHSA-2019:3950 erratum, where it did not fix the CVE-2019-13616 SDL vulnerability. This issue only affects Red Hat SDL packages, SDL versions through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer overflow flaw while copying an existing surface into a new optimized one, due to a lack of validation while loading a BMP image, is possible. An application that uses SDL to parse untrusted input files may be vulnerable to this flaw, which could allow an attacker to make the application crash or execute code.

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14906

Vulnerable Configurations

cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.4:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.4:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.5:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.5:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.6:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.6:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.7:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.7:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.8:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.8:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.9:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.9:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.12:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.12:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.12-1:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.12-1:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.13:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.13:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.13-1:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.13-1:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.14:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.14:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.14-1:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.14-1:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.15:*:*:*:*:*:*:*
cpe:2.3:a:libsdl:simple_directmedia_layer:1.2.15:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 12-02-2023 - 23:37)
Impact:
Exploitability:

CWE

CWE-787

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

redhat via4

advisories

bugzilla

id	1777372
title	CVE-2019-14906 SDL: CVE-2019-13616 not fixed in Red Hat Enterprise Linux 7 erratum RHSA-2019:3950

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 7 is installed
oval oval:com.redhat.rhba:tst:20150364027

AND
comment SDL is earlier than 0:1.2.15-15.el7_7
oval oval:com.redhat.rhsa:tst:20194024001
comment SDL is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20193553004
AND
comment SDL-devel is earlier than 0:1.2.15-15.el7_7
oval oval:com.redhat.rhsa:tst:20194024003
comment SDL-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20193553008
AND
comment SDL-static is earlier than 0:1.2.15-15.el7_7
oval oval:com.redhat.rhsa:tst:20194024005
comment SDL-static is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20193950006

rhsa

id	RHSA-2019:4024
released	2019-12-02
severity	Important
title	RHSA-2019:4024: SDL security update (Important)

rpms

SDL-0:1.2.15-15.el7_7
SDL-debuginfo-0:1.2.15-15.el7_7
SDL-devel-0:1.2.15-15.el7_7
SDL-static-0:1.2.15-15.el7_7

refmap via4

confirm

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14906

Last major update

12-02-2023 - 23:37

Published

07-01-2020 - 21:15

Last modified

12-02-2023 - 23:37