Bug 655226 (CVE-2017-12122, CVE-2017-14441, CVE-2017-14442, CVE-2017-14448, CVE-2017-14449, CVE-2017-14450, CVE-2018-3837, CVE-2018-3838, CVE-2018-3839) - <media-libs/sdl2-image-2.0.3: Multiple vulnerabilities
Summary: <media-libs/sdl2-image-2.0.3: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-12122, CVE-2017-14441, CVE-2017-14442, CVE-2017-14448, CVE-2017-14449, CVE-2017-14450, CVE-2018-3837, CVE-2018-3838, CVE-2018-3839
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa+ cve]
Reported: 2018-05-07 21:36 UTC by GLSAMaker/CVETool Bot
Modified: 2022-12-15 05:34 UTC
Description GLSAMaker/CVETool Bot gentoo-dev 2018-05-07 21:36:31 UTC
CVE-2018-3839 (https://nvd.nist.gov/vuln/detail/CVE-2018-3839):
  An exploitable code execution vulnerability exists in the XCF image
  rendering functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A
  specially crafted XCF image can cause an out-of-bounds write on the heap,
  resulting in code execution. An attacker can display a specially crafted
  image to trigger this vulnerability.

CVE-2018-3838 (https://nvd.nist.gov/vuln/detail/CVE-2018-3838):
  An exploitable information vulnerability exists in the XCF image rendering
  functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A specially
  crafted XCF image can cause an out-of-bounds read on the heap, resulting in
  information disclosure. An attacker can display a specially crafted image to
  trigger this vulnerability.

CVE-2018-3837 (https://nvd.nist.gov/vuln/detail/CVE-2018-3837):
  An exploitable information disclosure vulnerability exists in the PCX image
  rendering functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A
  specially crafted PCX image can cause an out-of-bounds read on the heap,
  resulting in information disclosure. An attacker can display a specially
  crafted image to trigger this vulnerability.

CVE-2017-14450 (https://nvd.nist.gov/vuln/detail/CVE-2017-14450):
  A buffer overflow vulnerability exists in the GIF image parsing
  functionality of SDL2_image-2.0.2. A specially crafted GIF image can lead to
  a buffer overflow on a global section. An attacker can display an image to
  trigger this vulnerability.

CVE-2017-14449 (https://nvd.nist.gov/vuln/detail/CVE-2017-14449):
  A double-free vulnerability exists in the XCF image rendering functionality
  of SDL2_image-2.0.2. A specially crafted XCF image can cause a double-free
  situation to occur. An attacker can display a specially crafted image to
  trigger this vulnerability.

CVE-2017-14448 (https://nvd.nist.gov/vuln/detail/CVE-2017-14448):
  An exploitable code execution vulnerability exists in the XCF image
  rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image
  can cause a heap overflow resulting in code execution. An attacker can
  display a specially crafted image to trigger this vulnerability.

CVE-2017-14442 (https://nvd.nist.gov/vuln/detail/CVE-2017-14442):
  An exploitable code execution vulnerability exists in the BMP image
  rendering functionality of SDL2_image-2.0.2. A specially crafted BMP image
  can cause a stack overflow resulting in code execution. An attacker can
  display a specially crafted image to trigger this vulnerability.

CVE-2017-14441 (https://nvd.nist.gov/vuln/detail/CVE-2017-14441):
  An exploitable code execution vulnerability exists in the ICO image
  rendering functionality of SDL2_image-2.0.2. A specially crafted ICO image
  can cause an integer overflow, cascading to a heap overflow resulting in
  code execution. An attacker can display a specially crafted image to trigger
  this vulnerability.

CVE-2017-14440 (https://nvd.nist.gov/vuln/detail/CVE-2017-14440):
  An exploitable code execution vulnerability exists in the ILBM image
  rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image
  can cause a stack overflow resulting in code execution. An attacker can
  display a specially crafted image to trigger this vulnerability.

CVE-2017-12122 (https://nvd.nist.gov/vuln/detail/CVE-2017-12122):
  An exploitable code execution vulnerability exists in the ILBM image
  rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image
  can cause a heap overflow resulting in code execution. An attacker can
  display a specially crafted image to trigger this vulnerability.


@Maintainers Debian seems to have addressed some of these CVEs for 2.0.1 which is stable in the tree. If we need to stabilize 2.0.3, please call when ready.
Comment 1 Andreas Sturmlechner gentoo-dev 2018-09-18 22:28:18 UTC
Cleanup of vulnerable versions happened a few days ago in commit e5f5a0157f15433d0d3fa13c5d0dce99b490ecb2.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2019-03-28 02:08:04 UTC
This issue was resolved and addressed in
 GLSA 201903-17 at https://security.gentoo.org/glsa/201903-17
by GLSA coordinator Aaron Bauman (b-man).