Re: CVE-2019-12221 affects libsdl2-image/sdl-image1.2, not libsdl2/libsdl1.2
On Sat, May 25, 2019 at 01:59:53PM +0200, Hugo Lefeuvre wrote:
> I investigated CVE-2019-12221 and found out that the issue lies in the
> libsdl2-image/sdl-image1.2 codebase, not libsdl2/libsdl1.2.
> I have temporarily added a NOTE to the tracker because I was not sure of
> how to handle this. Should I simply replace
> [stretch] - libsdl2 <no-dsa>
> [stretch] - libsdl2-image <no-dsa>
> and same for libsdl1.2?
When the CVE first appeared it was not yet clear where exactly the
vulnerabilities lie, thus we kept the TODO as per
TODO: check details and correct vulnerability location
Now that you apparently found the root cause and followed up upstream
in the bugzilla, the right thing would be to replace the source package
tracking entries with the correct source.
So basically replace tracking of libsdl2 and libsdl1.2 with
libsdl2-image and sdl-image1.2 instead.