Security update for SDL2_sound SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:0037-1 Final 1 1 2025-01-30T16:22:36Z current 2025-01-30T16:22:36Z 2025-01-30T16:22:36Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for SDL2_sound This update for SDL2_sound fixes the following issues: - Update to release 2.0.4: * Update bundled stb_vorbis to address CVE-2023-45676, CVE-2023-45677, CVE-2023-45679, CVE-2023-45680, CVE-2023-45681, CVE-2023-45682. - Update to release 2.0.2 * No further changes from the last snapshot 2.0.1+g60 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2025-37 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PYKIGUIZT6TXJBJESQGK4RWVLRA2YLO4/ E-Mail link for openSUSE-SU-2025:0037-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1216478 SUSE Bug 1216478 https://www.suse.com/security/cve/CVE-2023-45676/ SUSE CVE CVE-2023-45676 page https://www.suse.com/security/cve/CVE-2023-45677/ SUSE CVE CVE-2023-45677 page https://www.suse.com/security/cve/CVE-2023-45679/ SUSE CVE CVE-2023-45679 page https://www.suse.com/security/cve/CVE-2023-45680/ SUSE CVE CVE-2023-45680 page https://www.suse.com/security/cve/CVE-2023-45681/ SUSE CVE CVE-2023-45681 page https://www.suse.com/security/cve/CVE-2023-45682/ SUSE CVE CVE-2023-45682 page SUSE Package Hub 15 SP6 openSUSE Leap 15.6 SDL2_sound-devel-2.0.4-bp156.2.3.1 libSDL2_sound2-2.0.4-bp156.2.3.1 SDL2_sound-devel-2.0.4-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 libSDL2_sound2-2.0.4-bp156.2.3.1 as a component of SUSE Package Hub 15 SP6 SDL2_sound-devel-2.0.4-bp156.2.3.1 as a component of openSUSE Leap 15.6 libSDL2_sound2-2.0.4-bp156.2.3.1 as a component of openSUSE Leap 15.6 stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[i] = get8_packet(f);`. The root cause is an integer overflow in `setup_malloc`. A sufficiently large value in the variable `sz` overflows with `sz+7` in and the negative value passes the maximum available memory buffer check. This issue may lead to code execution. CVE-2023-45676 SUSE Package Hub 15 SP6:SDL2_sound-devel-2.0.4-bp156.2.3.1 SUSE Package Hub 15 SP6:libSDL2_sound2-2.0.4-bp156.2.3.1 openSUSE Leap 15.6:SDL2_sound-devel-2.0.4-bp156.2.3.1 openSUSE Leap 15.6:libSDL2_sound2-2.0.4-bp156.2.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PYKIGUIZT6TXJBJESQGK4RWVLRA2YLO4/ https://www.suse.com/security/cve/CVE-2023-45676.html CVE-2023-45676 https://bugzilla.suse.com/1216478 SUSE Bug 1216478 stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds write in `f->vendor[len] = (char)'\0';`. The root cause is that if `len` read in `start_decoder` is a negative number and `setup_malloc` successfully allocates memory in that case, but memory write is done with a negative index `len`. Similarly if len is INT_MAX the integer overflow len+1 happens in `f->vendor = (char*)setup_malloc(f, sizeof(char) * (len+1));` and `f->comment_list[i] = (char*)setup_malloc(f, sizeof(char) * (len+1));`. This issue may lead to code execution. CVE-2023-45677 SUSE Package Hub 15 SP6:SDL2_sound-devel-2.0.4-bp156.2.3.1 SUSE Package Hub 15 SP6:libSDL2_sound2-2.0.4-bp156.2.3.1 openSUSE Leap 15.6:SDL2_sound-devel-2.0.4-bp156.2.3.1 openSUSE Leap 15.6:libSDL2_sound2-2.0.4-bp156.2.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PYKIGUIZT6TXJBJESQGK4RWVLRA2YLO4/ https://www.suse.com/security/cve/CVE-2023-45677.html CVE-2023-45677 https://bugzilla.suse.com/1216478 SUSE Bug 1216478 stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory allocation failure in `start_decoder`. In that case the function returns early, but some of the pointers in `f->comment_list` are left initialized and later `setup_free` is called on these pointers in `vorbis_deinit`. This issue may lead to code execution. CVE-2023-45679 SUSE Package Hub 15 SP6:SDL2_sound-devel-2.0.4-bp156.2.3.1 SUSE Package Hub 15 SP6:libSDL2_sound2-2.0.4-bp156.2.3.1 openSUSE Leap 15.6:SDL2_sound-devel-2.0.4-bp156.2.3.1 openSUSE Leap 15.6:libSDL2_sound2-2.0.4-bp156.2.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PYKIGUIZT6TXJBJESQGK4RWVLRA2YLO4/ https://www.suse.com/security/cve/CVE-2023-45679.html CVE-2023-45679 https://bugzilla.suse.com/1216478 SUSE Bug 1216478 stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory allocation failure in `start_decoder`. In that case the function returns early, the `f->comment_list` is set to `NULL`, but `f->comment_list_length` is not reset. Later in `vorbis_deinit` it tries to dereference the `NULL` pointer. This issue may lead to denial of service. CVE-2023-45680 SUSE Package Hub 15 SP6:SDL2_sound-devel-2.0.4-bp156.2.3.1 SUSE Package Hub 15 SP6:libSDL2_sound2-2.0.4-bp156.2.3.1 openSUSE Leap 15.6:SDL2_sound-devel-2.0.4-bp156.2.3.1 openSUSE Leap 15.6:libSDL2_sound2-2.0.4-bp156.2.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PYKIGUIZT6TXJBJESQGK4RWVLRA2YLO4/ https://www.suse.com/security/cve/CVE-2023-45680.html CVE-2023-45680 https://bugzilla.suse.com/1216478 SUSE Bug 1216478 stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory write past an allocated heap buffer in `start_decoder`. The root cause is a potential integer overflow in `sizeof(char*) * (f->comment_list_length)` which may make `setup_malloc` allocate less memory than required. Since there is another integer overflow an attacker may overflow it too to force `setup_malloc` to return 0 and make the exploit more reliable. This issue may lead to code execution. CVE-2023-45681 SUSE Package Hub 15 SP6:SDL2_sound-devel-2.0.4-bp156.2.3.1 SUSE Package Hub 15 SP6:libSDL2_sound2-2.0.4-bp156.2.3.1 openSUSE Leap 15.6:SDL2_sound-devel-2.0.4-bp156.2.3.1 openSUSE Leap 15.6:libSDL2_sound2-2.0.4-bp156.2.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PYKIGUIZT6TXJBJESQGK4RWVLRA2YLO4/ https://www.suse.com/security/cve/CVE-2023-45681.html CVE-2023-45681 https://bugzilla.suse.com/1216478 SUSE Bug 1216478 stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds read in `DECODE` macro when `var` is negative. As it can be seen in the definition of `DECODE_RAW` a negative `var` is a valid value. This issue may be used to leak internal memory allocation information. CVE-2023-45682 SUSE Package Hub 15 SP6:SDL2_sound-devel-2.0.4-bp156.2.3.1 SUSE Package Hub 15 SP6:libSDL2_sound2-2.0.4-bp156.2.3.1 openSUSE Leap 15.6:SDL2_sound-devel-2.0.4-bp156.2.3.1 openSUSE Leap 15.6:libSDL2_sound2-2.0.4-bp156.2.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PYKIGUIZT6TXJBJESQGK4RWVLRA2YLO4/ https://www.suse.com/security/cve/CVE-2023-45682.html CVE-2023-45682 https://bugzilla.suse.com/1216478 SUSE Bug 1216478