CVE-2019-12221 affects libsdl2-image/sdl-image1.2, not libsdl2/libsdl1.2

To: team@security.debian.org
Cc: debian-lts@lists.debian.org
Subject: CVE-2019-12221 affects libsdl2-image/sdl-image1.2, not libsdl2/libsdl1.2
From: Hugo Lefeuvre <hle@debian.org>
Date: Sat, 25 May 2019 13:59:53 +0200
Message-id: <[🔎] 20190525115953.GE2314@behemoth.owl.eu.com.local>

Hi,

I investigated CVE-2019-12221[0] and found out that the issue lies in the
libsdl2-image/sdl-image1.2 codebase, not libsdl2/libsdl1.2.

I have temporarily added a NOTE to the tracker because I was not sure of
how to handle this[1]. Should I simply replace

[stretch] - libsdl2 <no-dsa>

by

[stretch] - libsdl2-image <no-dsa>

and same for libsdl1.2?

thanks,
Hugo

[0] https://bugzilla.libsdl.org/show_bug.cgi?id=4628
[1] https://salsa.debian.org/security-tracker-team/security-tracker/commit/39f9e891a4b37

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Re: CVE-2019-12221 affects libsdl2-image/sdl-image1.2, not libsdl2/libsdl1.2
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: testing bind9 for Jessie LTS
Next by Date: Re: CVE-2019-12221 affects libsdl2-image/sdl-image1.2, not libsdl2/libsdl1.2
Previous by thread: Re: testing bind9 for Jessie LTS
Next by thread: Re: CVE-2019-12221 affects libsdl2-image/sdl-image1.2, not libsdl2/libsdl1.2
Index(es):
- Date
- Thread