Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 674132 (CVE-2018-3977) - <media-libs/sdl2-image-2.0.4: code execution in the XCF image rendering functionality (CVE-2018-3977)
Summary: <media-libs/sdl2-image-2.0.4: code execution in the XCF image rendering funct...
Status: RESOLVED FIXED
Alias: CVE-2018-3977
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://talosintelligence.com/vulnera...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-12-30 21:02 UTC by GLSAMaker/CVETool Bot
Modified: 2019-03-28 02:08 UTC (History)
1 user (show)

See Also:
Package list:
media-libs/sdl2-image-2.0.4 media-libs/sdl2-mixer-2.0.4
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-12-30 21:02:19 UTC
CVE-2018-3977 (https://nvd.nist.gov/vuln/detail/CVE-2018-3977):
  An exploitable code execution vulnerability exists in the XCF image
  rendering functionality of SDL2_image-2.0.3. A specially crafted XCF image
  can cause a heap overflow, resulting in code execution. An attacker can
  display a specially crafted image to trigger this vulnerability.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-30 21:04:04 UTC
Added to an existing GLSA.

@ Arches,

please test and mark stable: =media-libs/sdl2-image-2.0.4
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-31 16:44:35 UTC
x86 stable
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-01-02 10:05:16 UTC
amd64 stable
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-01-02 10:05:46 UTC
oggh, sorry, autoclose
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2019-03-10 02:50:11 UTC
@games, please clean.
Comment 6 Larry the Git Cow gentoo-dev 2019-03-10 10:22:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6338bd985b7f559eaff8fab0de624ee4e777b943

commit 6338bd985b7f559eaff8fab0de624ee4e777b943
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2019-03-10 10:22:02 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2019-03-10 10:22:02 +0000

    media-libs/sdl2-image: Drop old and vulnerable 2.0.3
    
    Bug: https://bugs.gentoo.org/674132
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 media-libs/sdl2-image/Manifest                |  1 -
 media-libs/sdl2-image/sdl2-image-2.0.3.ebuild | 61 ---------------------------
 2 files changed, 62 deletions(-)
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2019-03-28 02:08:11 UTC
This issue was resolved and addressed in
 GLSA 201903-17 at https://security.gentoo.org/glsa/201903-17
by GLSA coordinator Aaron Bauman (b-man).