Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 843434 (CVE-2022-27470) - <media-libs/sdl2-ttf-2.20.0: arbitrary memory write
Summary: <media-libs/sdl2-ttf-2.20.0: arbitrary memory write
Alias: CVE-2022-27470
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa?]
Depends on: 883977
  Show dependency tree
Reported: 2022-05-09 14:06 UTC by John Helmert III
Modified: 2022-12-16 06:26 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-09 14:06:36 UTC
CVE-2022-27470 (

SDL_ttf v2.0.18 and below was discovered to contain an arbitrary memory write via the function TTF_RenderText_Solid(). This vulnerability is triggered via a crafted TTF file.

Upstream report seems to be referring to SDL2-ttf, but reported to
SDL-ttf, so presumably both are affected?
Comment 1 Larry the Git Cow gentoo-dev 2022-07-19 01:09:38 UTC
The bug has been referenced in the following commit(s):

commit 2044b967bf51f919535fa3881663618cd00868e6
Author:     Sam James <>
AuthorDate: 2022-07-19 01:00:34 +0000
Commit:     Sam James <>
CommitDate: 2022-07-19 01:07:20 +0000

    media-libs/sdl2-ttf: add 2.20.0
    Signed-off-by: Sam James <>

 media-libs/sdl2-ttf/Manifest               |  1 +
 media-libs/sdl2-ttf/sdl2-ttf-2.20.0.ebuild | 38 ++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2022-11-11 03:50:16 UTC
The bug has been referenced in the following commit(s):

commit 7f2e578801e00c0a195b0d6f72cb69368544db75
Author:     Sam James <>
AuthorDate: 2022-11-11 03:48:59 +0000
Commit:     Sam James <>
CommitDate: 2022-11-11 03:48:59 +0000

    media-libs/sdl-ttf: add 2.0.11_p20220525
    Upstream aren't making releases anymore (since a long time ago!) for the 1.2.x
    branch but are kindly doing backports, so let's make a snapshot.
    The vulnerable (CVE-2022-27470) code doesn't seem to be in 1.2.x - and
    given upstream are quite good about backporting, the absence of any related
    commits seems to support that.
    Signed-off-by: Sam James <>

 media-libs/sdl-ttf/Manifest                        |  1 +
 media-libs/sdl-ttf/sdl-ttf-2.0.11_p20220525.ebuild | 51 ++++++++++++++++++++++
 2 files changed, 52 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2022-12-16 06:26:20 UTC
The bug has been referenced in the following commit(s):

commit c6b2fec5a705307d1dd93feaf16295c44346c9c4
Author:     Sam James <>
AuthorDate: 2022-12-16 05:24:27 +0000
Commit:     Sam James <>
CommitDate: 2022-12-16 06:26:12 +0000

    media-libs/sdl2-ttf: drop 2.0.15, 2.0.18-r1
    Signed-off-by: Sam James <>

 media-libs/sdl2-ttf/Manifest                  |  2 --
 media-libs/sdl2-ttf/sdl2-ttf-2.0.15.ebuild    | 39 -----------------------
 media-libs/sdl2-ttf/sdl2-ttf-2.0.18-r1.ebuild | 45 ---------------------------
 3 files changed, 86 deletions(-)