CVE-2018-3839 (https://nvd.nist.gov/vuln/detail/CVE-2018-3839): An exploitable code execution vulnerability exists in the XCF image rendering functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.

CVE-2018-3838 (https://nvd.nist.gov/vuln/detail/CVE-2018-3838): An exploitable information vulnerability exists in the XCF image rendering functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds read on the heap, resulting in information disclosure. An attacker can display a specially crafted image to trigger this vulnerability.

CVE-2018-3837 (https://nvd.nist.gov/vuln/detail/CVE-2018-3837): An exploitable information disclosure vulnerability exists in the PCX image rendering functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A specially crafted PCX image can cause an out-of-bounds read on the heap, resulting in information disclosure. An attacker can display a specially crafted image to trigger this vulnerability.

CVE-2017-14450 (https://nvd.nist.gov/vuln/detail/CVE-2017-14450): A buffer overflow vulnerability exists in the GIF image parsing functionality of SDL2_image-2.0.2. A specially crafted GIF image can lead to a buffer overflow on a global section. An attacker can display an image to trigger this vulnerability.

CVE-2017-14449 (https://nvd.nist.gov/vuln/detail/CVE-2017-14449): A double-Free vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause a Double-Free situation to occur. An attacker can display a specially crafted image to trigger this vulnerability.

CVE-2017-14448 (https://nvd.nist.gov/vuln/detail/CVE-2017-14448): An exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.

CVE-2017-14442 (https://nvd.nist.gov/vuln/detail/CVE-2017-14442): An exploitable code execution vulnerability exists in the BMP image rendering functionality of SDL2_image-2.0.2. A specially crafted BMP image can cause a stack overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.

CVE-2017-14441 (https://nvd.nist.gov/vuln/detail/CVE-2017-14441): An exploitable code execution vulnerability exists in the ICO image rendering functionality of SDL2_image-2.0.2. A specially crafted ICO image can cause an integer overflow, cascading to a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.

CVE-2017-14440 (https://nvd.nist.gov/vuln/detail/CVE-2017-14440): An exploitable code execution vulnerability exists in the ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image can cause a stack overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.

CVE-2017-12122 (https://nvd.nist.gov/vuln/detail/CVE-2017-12122): An exploitable code execution vulnerability exists in the ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image can cause a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.

@Maintainers Debian seems to have addressed some of these CVEs for 2.0.1 which is stable in the tree. If we need to stabilize 2.0.3, please call when ready.
Cleanup of vulnerable versions happened a few days ago in commit e5f5a0157f15433d0d3fa13c5d0dce99b490ecb2.
This issue was resolved and addressed in GLSA 201903-17 at https://security.gentoo.org/glsa/201903-17 by GLSA coordinator Aaron Bauman (b-man).