Bug 655226 (CVE-2017-12122, CVE-2017-14441, CVE-2017-14442, CVE-2017-14448, CVE-2017-14449, CVE-2017-14450, CVE-2018-3837, CVE-2018-3838, CVE-2018-3839)

Description GLSAMaker/CVETool Bot 2018-05-07 21:36:31 UTC

CVE-2018-3839 (https://nvd.nist.gov/vuln/detail/CVE-2018-3839):
  An exploitable code execution vulnerability exists in the XCF image
  rendering functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A
  specially crafted XCF image can cause an out-of-bounds write on the heap,
  resulting in code execution. An attacker can display a specially crafted
  image to trigger this vulnerability.

CVE-2018-3838 (https://nvd.nist.gov/vuln/detail/CVE-2018-3838):
  An exploitable information vulnerability exists in the XCF image rendering
  functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A specially
  crafted XCF image can cause an out-of-bounds read on the heap, resulting in
  information disclosure. An attacker can display a specially crafted image to
  trigger this vulnerability.

CVE-2018-3837 (https://nvd.nist.gov/vuln/detail/CVE-2018-3837):
  An exploitable information disclosure vulnerability exists in the PCX image
  rendering functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A
  specially crafted PCX image can cause an out-of-bounds read on the heap,
  resulting in information disclosure . An attacker can display a specially
  crafted image to trigger this vulnerability.

CVE-2017-14450 (https://nvd.nist.gov/vuln/detail/CVE-2017-14450):
  A buffer overflow vulnerability exists in the GIF image parsing
  functionality of SDL2_image-2.0.2. A specially crafted GIF image can lead to
  a buffer overflow on a global section. An attacker can display an image to
  trigger this vulnerability.

CVE-2017-14449 (https://nvd.nist.gov/vuln/detail/CVE-2017-14449):
  A double-Free vulnerability exists in the XCF image rendering functionality
  of SDL2_image-2.0.2. A specially crafted XCF image can cause a Double-Free
  situation to occur. An attacker can display a specially crafted image to
  trigger this vulnerability.

CVE-2017-14448 (https://nvd.nist.gov/vuln/detail/CVE-2017-14448):
  An exploitable code execution vulnerability exists in the XCF image
  rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image
  can cause a heap overflow resulting in code execution. An attacker can
  display a specially crafted image to trigger this vulnerability.

CVE-2017-14442 (https://nvd.nist.gov/vuln/detail/CVE-2017-14442):
  An exploitable code execution vulnerability exists in the BMP image
  rendering functionality of SDL2_image-2.0.2. A specially crafted BMP image
  can cause a stack overflow resulting in code execution. An attacker can
  display a specially crafted image to trigger this vulnerability.

CVE-2017-14441 (https://nvd.nist.gov/vuln/detail/CVE-2017-14441):
  An exploitable code execution vulnerability exists in the ICO image
  rendering functionality of SDL2_image-2.0.2. A specially crafted ICO image
  can cause an integer overflow, cascading to a heap overflow resulting in
  code execution. An attacker can display a specially crafted image to trigger
  this vulnerability.

CVE-2017-14440 (https://nvd.nist.gov/vuln/detail/CVE-2017-14440):
  An exploitable code execution vulnerability exists in the ILBM image
  rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image
  can cause a stack overflow resulting in code execution. An attacker can
  display a specially crafted image to trigger this vulnerability.

CVE-2017-12122 (https://nvd.nist.gov/vuln/detail/CVE-2017-12122):
  An exploitable code execution vulnerability exists in the ILBM image
  rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image
  can cause a heap overflow resulting in code execution. An attacker can
  display a specially crafted image to trigger this vulnerability.


@Maintainers Debian seems to have addressed some of these CVEs for 2.0.1 which is stable in the tree. If we need to stabilize 2.0.3, please call when ready.