diff -Nru libsdl2-2.0.8+dfsg1/debian/changelog libsdl2-2.0.8+dfsg1/debian/changelog
--- libsdl2-2.0.8+dfsg1/debian/changelog 2019-02-28 09:38:26.000000000 +0000
+++ libsdl2-2.0.8+dfsg1/debian/changelog 2019-08-28 17:59:20.000000000 +0000
@@ -1,3 +1,17 @@
+libsdl2 (2.0.8+dfsg1-1ubuntu1.18.04.4) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: heap-based buffer over-read in Blit1to4
+ - debian/patches/CVE-2019-7635.diff: add error checking to SDL_LoadBMP_RW
+ - CVE-2019-7635
+ * SECURITY UPDATE: heap-based buffer over-read in Map1toN and
+ SDL_GetRGB
+ - debian/patches/CVE-2019-7636_CVE-2019-7638.patch: add error checking to
+ SDL_LoadBMP_RW
+ - CVE-2019-7636
+ - CVE-2019-7638
+
+ -- Avital Ostromich Wed, 28 Aug 2019 13:59:20 -0400
+
 libsdl2 (2.0.8+dfsg1-1ubuntu1.18.04.3) bionic; urgency=medium
 
 [ Gianfranco Costamagna ]
diff -Nru libsdl2-2.0.8+dfsg1/debian/control libsdl2-2.0.8+dfsg1/debian/control
--- libsdl2-2.0.8+dfsg1/debian/control 2019-02-28 09:38:25.000000000 +0000
+++ libsdl2-2.0.8+dfsg1/debian/control 2019-08-28 17:59:20.000000000 +0000
@@ -1,7 +1,8 @@
 Source: libsdl2
 Priority: optional
 Section: libs
-Maintainer: Debian SDL packages maintainers
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian SDL packages maintainers
 Uploaders: Sam Hocevar ,
 Manuel A. Fernandez Montecelo ,
diff -Nru libsdl2-2.0.8+dfsg1/debian/patches/CVE-2019-7635.diff libsdl2-2.0.8+dfsg1/debian/patches/CVE-2019-7635.diff
--- libsdl2-2.0.8+dfsg1/debian/patches/CVE-2019-7635.diff 1970-01-01 00:00:00.000000000 +0000
+++ libsdl2-2.0.8+dfsg1/debian/patches/CVE-2019-7635.diff 2019-08-28 17:59:20.000000000 +0000
@@ -0,0 +1,74 @@
+Description: Fixed CVE-2019-7635 and bug 4498
+ Heap-Buffer Overflow in Blit1to4 pertaining to SDL_blit_1.c
+
+ Petr Pisar
+
+ The root cause is that the POC BMP file declares 3 colors used and 4 bpp
+ palette, but pixel at line 28 and column 1 (counted from 0) has color number 3.
+ Then when the image loaded into a surface is passed to SDL_DisplayFormat(), in
+ order to convert it to a video format, a used bliting function looks up a color
+ number 3 in a 3-element long color bliting map. (The map obviously has the same
+ number entries as the surface format has colors.)
+
+ Proper fix should refuse broken BMP images that have a pixel with a color index
+ higher than declared number of "used" colors. Possibly more advanced fix could
+ try to relocate the out-of-range color index into a vacant index (if such
+ exists).
+Author: Sam Lantinga
+Origin: https://hg.libsdl.org/SDL/rev/7c643f1c1887
+Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4498
+Last-Update: 2019-09-10
+
+--- a/src/video/SDL_bmp.c
++++ b/src/video/SDL_bmp.c
+@@ -246,6 +246,14 @@ SDL_LoadBMP_RW(SDL_RWops * src, int free
+ ExpandBMP = biBitCount;
+ biBitCount = 8;
+ break;
++ case 2:
++ case 3:
++ case 5:
++ case 6:
++ case 7:
++ SDL_SetError("%d-bpp BMP images are not supported", biBitCount);
++ was_error = SDL_TRUE;
++ goto done;
+ default:
+ ExpandBMP = 0;
+ break;
+@@ -394,19 +402,32 @@ SDL_LoadBMP_RW(SDL_RWops * src, int free
+ goto done;
+ }
+ }
+- *(bits + i) = (pixel >> shift);
++ bits[i] = (pixel >> shift);
++ if (bits[i] >= biClrUsed) {
++ SDL_SetError("A BMP image contains a pixel with a color out of the palette");
++ was_error = SDL_TRUE;
++ goto done;
++ }
+ pixel <<= ExpandBMP;
+ }
+ }
+ break;
+
+ default:
+- if (SDL_RWread(src, bits, 1, surface->pitch)
+- != surface->pitch) {
++ if (SDL_RWread(src, bits, 1, surface->pitch) != surface->pitch) {
+ SDL_Error(SDL_EFREAD);
+ was_error = SDL_TRUE;
+ goto done;
+ }
++ if (biBitCount == 8 && palette && biClrUsed < (1 << biBitCount)) {
++ for (i = 0; i < surface->w; ++i) {
++ if (bits[i] >= biClrUsed) {
++ SDL_SetError("A BMP image contains a pixel with a color out of the palette");
++ was_error = SDL_TRUE;
++ goto done;
++ }
++ }
++ }
+ #if SDL_BYTEORDER == SDL_BIG_ENDIAN
+ /* Byte-swap the pixels if needed. Note that the 24bpp
+ case has already been taken care of above. */
diff -Nru libsdl2-2.0.8+dfsg1/debian/patches/CVE-2019-7636_CVE-2019-7638.diff libsdl2-2.0.8+dfsg1/debian/patches/CVE-2019-7636_CVE-2019-7638.diff
--- libsdl2-2.0.8+dfsg1/debian/patches/CVE-2019-7636_CVE-2019-7638.diff 1970-01-01 00:00:00.000000000 +0000
+++ libsdl2-2.0.8+dfsg1/debian/patches/CVE-2019-7636_CVE-2019-7638.diff 2019-08-28 17:59:20.000000000 +0000
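Review bot: The per-pixel `bits[i] >= biClrUsed` checks added in the second inner hunk only reject anything when biClrUsed itself is within range, and this patch never bounds it — with a header like the biClrUsed = 131075 case from the companion report, no 8-bit index can fail the test and the `biClrUsed < (1 << biBitCount)` guard simply skips the loop. That bound is added by CVE-2019-7636_CVE-2019-7638.diff, so the two patches are only correct together; a one-line comment on the 8-bit check, `/* relies on biClrUsed having been bounded by 1 << biBitCount when the palette was read */`, would record the dependency for anyone dropping or reordering patches later. In the DEP-3 header, `Last-Update: 2019-09-10` postdates both the file timestamp and the changelog upload date (28 Aug 2019), and both new patch files cite the same Origin revision 7c643f1c1887 — if upstream landed these as separate changesets, one Origin is presumably wrong; worth confirming. SDL_LoadBMP_RW begins and ends outside both inner hunks.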
@@ -0,0 +1,34 @@
+Description: Fixed bug 4500
+ Heap-Buffer Overflow in Map1toN pertaining to SDL_pixels.c
+
+ Petr Pisar
+
+ The reproducer has these data in BITMAPINFOHEADER:
+
+ biSize = 40
+ biBitCount = 8
+ biClrUsed = 131075
+
+ SDL_LoadBMP_RW() function passes biBitCount as a color depth to
+ SDL_CreateRGBSurface(), thus 256-color pallete is allocated. But then biClrUsed
+ colors are read from a file and stored into the palette. SDL_LoadBMP_RW should
+ report an error if biClrUsed is greater than 2^biBitCount.
+Author: Sam Lantinga
+Origin: https://hg.libsdl.org/SDL/rev/7c643f1c1887
+Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4499
+Bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4500
+Last-Update: 2019-09-10
+
+--- a/src/video/SDL_bmp.c
++++ b/src/video/SDL_bmp.c
+@@ -321,6 +321,10 @@ SDL_LoadBMP_RW(SDL_RWops * src, int free
+ SDL_assert(biBitCount <= 8);
+ if (biClrUsed == 0) {
+ biClrUsed = 1 << biBitCount;
++ } else if (biClrUsed > (1 << biBitCount)) {
++ SDL_SetError("BMP file has an invalid number of colors");
++ was_error = SDL_TRUE;
++ goto done;
+ }
+ if ((int) biClrUsed > palette->ncolors) {
+ SDL_Color *colors;
diff -Nru libsdl2-2.0.8+dfsg1/debian/patches/no-libdir.patch libsdl2-2.0.8+dfsg1/debian/patches/no-libdir.patch
--- libsdl2-2.0.8+dfsg1/debian/patches/no-libdir.patch 2018-03-04 16:23:47.000000000 +0000
+++ libsdl2-2.0.8+dfsg1/debian/patches/no-libdir.patch 2019-08-28 17:59:14.000000000 +0000
@@ -1,8 +1,8 @@
 Description: This makes the -dev package multiarch
 Author: Gianfranco Costamagna
---- libsdl2-2.0.5+dfsg1.orig/sdl2-config.cmake.in
-+++ libsdl2-2.0.5+dfsg1/sdl2-config.cmake.in
+--- a/sdl2-config.cmake.in
++++ b/sdl2-config.cmake.in
 @@ -5,7 +5,6 @@
 set(exec_prefix "@exec_prefix@")
 set(libdir "@libdir@")
 set(SDL2_PREFIX "@prefix@")
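Review bot: The DEP-3 Description names only bug 4500 / Map1toN, while the header lists bug 4499 as well and the changelog attributes this file to CVE-2019-7636 and CVE-2019-7638 (SDL_GetRGB); nothing in the file itself says which CVE the single `biClrUsed > (1 << biBitCount)` rejection closes. Suggest `Description: Fixed CVE-2019-7636 and CVE-2019-7638 (bugs 4499 and 4500)` plus one sentence on how bounding biClrUsed relates to the SDL_GetRGB over-read the changelog lists, matching the style of CVE-2019-7635.diff. The changelog entry also calls this file `CVE-2019-7636_CVE-2019-7638.patch`, whereas the file added here and the series entry use the `.diff` extension. The inner hunk sits inside SDL_LoadBMP_RW, whose body starts and ends outside it.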
@@ -12,8 +12,8 @@
 -set(SDL2_LIBRARIES "-L${SDL2_LIBDIR} @SDL_RLD_FLAGS@ @SDL_LIBS@")
 +set(SDL2_LIBRARIES "@SDL_RLD_FLAGS@ @SDL_LIBS@")
 string(STRIP "${SDL2_LIBRARIES}" SDL2_LIBRARIES)
---- libsdl2-2.0.5+dfsg1.orig/sdl2-config.in
-+++ libsdl2-2.0.5+dfsg1/sdl2-config.in
+--- a/sdl2-config.in
++++ b/sdl2-config.in
 @@ -3,7 +3,6 @@
 prefix=@prefix@
 exec_prefix=@exec_prefix@
diff -Nru libsdl2-2.0.8+dfsg1/debian/patches/series libsdl2-2.0.8+dfsg1/debian/patches/series
--- libsdl2-2.0.8+dfsg1/debian/patches/series 2018-05-22 07:24:20.000000000 +0000
+++ libsdl2-2.0.8+dfsg1/debian/patches/series 2019-08-28 17:59:20.000000000 +0000
@@ -1,2 +1,4 @@
 no-libdir.patch
 SDL2-dynapi-symbol-resolution-fix.patch
+CVE-2019-7635.diff
+CVE-2019-7636_CVE-2019-7638.diff