CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
86.8%
This update fixes various security vulnerabilities affecting the SDL2_image library, listed below. The fixes are provided in SDL2_image 2.0.4, which depends on SDL2 2.0.8 or later. As such, the SDL2 and SDL2_mixer libraries are also updated to their current stable releases, providing various bug fixes and features. The security vulnerabilities fixed in this update are the following: An exploitable code execution vulnerability exists in the ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image can cause a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. (TALOS-2017-0488, CVE-2017-12122) An exploitable code execution vulnerability exists in the ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image can cause a stack overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. (TALOS-2017-0489, CVE-2017-14440) An exploitable code execution vulnerability exists in the ICO image rendering functionality of SDL2_image-2.0.2. A specially crafted ICO image can cause an integer overflow, cascading to a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. (TALOS-2017-0490, CVE-2017-14441) An exploitable code execution vulnerability exists in the BMP image rendering functionality of SDL2_image-2.0.2. A specially crafted BMP image can cause a stack overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. (TALOS-2017-0491, CVE-2017-14442) An exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. (TALOS-2017-0497, CVE-2017-14448) A double-Free vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause a Double-Free situation to occur. An attacker can display a specially crafted image to trigger this vulnerability. (TALOS-2017-0498, CVE-2017-14449) A buffer overflow vulnerability exists in the GIF image parsing functionality of SDL2_image-2.0.2. A specially crafted GIF image can lead to a buffer overflow on a global section. An attacker can display an image to trigger this vulnerability. (TALOS-2017-0499, CVE-2017-14450) An exploitable information disclosure vulnerability exists in the PCX image rendering functionality of SDL2_image-2.0.2. A specially crafted PCX image can cause an out-of-bounds read on the heap, resulting in information disclosure. An attacker can display a specially crafted image to trigger this vulnerability. (TALOS-2018-0519, CVE-2018-3837) An exploitable information vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds read on the heap, resulting in information disclosure. An attacker can display a specially crafted image to trigger this vulnerability. (TALOS-2018-0520, CVE-2018-3838) An exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. (TALOS-2018-0521, CVE-2018-3839) An exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.3. A specially crafted XCF image can cause a heap overflow, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. (TALOS-2018-0645, CVE-2018-3977)
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Mageia | 6 | noarch | sdl2 | <Β 2.0.9-1 | sdl2-2.0.9-1.mga6 |
Mageia | 6 | noarch | sdl2_image | <Β 2.0.4-1 | sdl2_image-2.0.4-1.mga6 |
Mageia | 6 | noarch | sdl2_mixer | <Β 2.0.4-1 | sdl2_mixer-2.0.4-1.mga6 |
Mageia | 6 | noarch | mingw-sdl2 | <Β 2.0.9-1 | mingw-SDL2-2.0.9-1.mga6 |
Mageia | 6 | noarch | mingw-sdl2_image | <Β 2.0.4-1 | mingw-SDL2_image-2.0.4-1.mga6 |
Mageia | 6 | noarch | mingw-sdl2_mixer | <Β 2.0.4-1 | mingw-SDL2_mixer-2.0.4-1.mga6 |
bugs.mageia.org/show_bug.cgi?id=22769
hg.libsdl.org/SDL/file/8feb5da6f2fb/WhatsNew.txt
talosintelligence.com/vulnerability_reports/TALOS-2017-0488
talosintelligence.com/vulnerability_reports/TALOS-2017-0489
talosintelligence.com/vulnerability_reports/TALOS-2017-0490
talosintelligence.com/vulnerability_reports/TALOS-2017-0491
talosintelligence.com/vulnerability_reports/TALOS-2017-0497
talosintelligence.com/vulnerability_reports/TALOS-2017-0498
talosintelligence.com/vulnerability_reports/TALOS-2017-0499
talosintelligence.com/vulnerability_reports/TALOS-2018-0519
talosintelligence.com/vulnerability_reports/TALOS-2018-0520
talosintelligence.com/vulnerability_reports/TALOS-2018-0521
talosintelligence.com/vulnerability_reports/TALOS-2018-0645
www.libsdl.org/projects/SDL_image/
www.libsdl.org/projects/SDL_mixer/
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
86.8%