{"id": "DEBIAN:DSA-4184-1:5B5DD", "bulletinFamily": "unix", "title": "[SECURITY] [DSA 4184-1] sdl-image1.2 security update", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4184-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nApril 28, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : sdl-image1.2\nCVE ID : CVE-2017-2887 CVE-2017-12122 CVE-2017-14440 CVE-2017-14441\n CVE-2017-14442 CVE-2017-14448 CVE-2017-14450 CVE-2018-3837\n CVE-2018-3838 CVE-2018-3839\nDebian Bug : 878267\n\nMultiple vulnerabilities have been discovered in the image loading\nlibrary for Simple DirectMedia Layer 1.2, which could result in denial\nof service or the execution of arbitrary code if malformed image files\nare opened.\n\nFor the oldstable distribution (jessie), these problems have been fixed\nin version 1.2.12-5+deb8u1.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 1.2.12-5+deb9u1.\n\nWe recommend that you upgrade your sdl-image1.2 packages.\n\nFor the detailed security status of sdl-image1.2 please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/sdl-image1.2\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "published": "2018-04-28T19:28:26", "modified": "2018-04-28T19:28:26", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2018/msg00111.html", "reporter": "Debian", "references": [], "cvelist": ["CVE-2017-14441", "CVE-2017-2887", "CVE-2017-14440", "CVE-2017-14442", "CVE-2017-14450", "CVE-2017-12122", "CVE-2018-3837", "CVE-2018-3838", "CVE-2018-3839", "CVE-2017-14448"], "type": "debian", "lastseen": "2021-01-11T01:24:06", "edition": 20, "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310704184", "OPENVAS:1361412562310704177", "OPENVAS:1361412562310876179", "OPENVAS:1361412562310852146", "OPENVAS:1361412562310891341", "OPENVAS:1361412562310873508", "OPENVAS:1361412562310875274", "OPENVAS:1361412562310851720", "OPENVAS:1361412562310873520", "OPENVAS:1361412562310891134"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-4184.NASL", "OPENSUSE-2018-280.NASL", "FEDORA_2018-B38DE02132.NASL", "DEBIAN_DLA-1341.NASL", "FEDORA_2017-15987A1B7F.NASL", "DEBIAN_DLA-1134.NASL", "DEBIAN_DSA-4177.NASL", "GENTOO_GLSA-201903-17.NASL", "OPENSUSE-2018-187.NASL", "FEDORA_2018-E8D19367CB.NASL"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4177-1:F7927", "DEBIAN:DLA-1341-1:F2215", "DEBIAN:DLA-1134-1:1ED94"]}, {"type": "gentoo", "idList": ["GLSA-201903-17"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2018:3828-1", "OPENSUSE-SU-2018:3906-1", "OPENSUSE-SU-2018:0734-1", "OPENSUSE-SU-2018:3896-1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:B432A382E9C35E819CFB15B6830B754F", "TALOSBLOG:12FD65E00A8CA808EFB736D2729B4F5D", "TALOSBLOG:4F92D3C486338065D12BD3E18C270668"]}, {"type": "cve", "idList": ["CVE-2018-3839", "CVE-2017-14442", "CVE-2017-14441", "CVE-2017-14450", "CVE-2018-3838", "CVE-2017-2887", "CVE-2017-14448", "CVE-2017-14440", "CVE-2018-3837", "CVE-2017-12122"]}, {"type": "seebug", "idList": ["SSV:96794"]}, {"type": "fedora", "idList": ["FEDORA:D7BA9659EBC2", "FEDORA:E3A7760F6011", "FEDORA:79E9C6125E25", "FEDORA:3DF646078C26", "FEDORA:BA2156076D19"]}, {"type": "talos", "idList": ["TALOS-2018-0519", "TALOS-2018-0521", "TALOS-2017-0499", "TALOS-2018-0520", "TALOS-2017-0394", "TALOS-2017-0497", "TALOS-2017-0491", "TALOS-2017-0488", "TALOS-2017-0489", "TALOS-2017-0490"]}], "modified": "2021-01-11T01:24:06", "rev": 2}, "score": {"value": 5.6, "vector": "NONE", "modified": "2021-01-11T01:24:06", "rev": 2}, "vulnersScore": 5.6}, "affectedPackage": [{"OS": "Debian", "OSVersion": "8", "arch": "all", "operator": "lt", "packageFilename": "libsdl-image1.2-dbg_1.2.12-5+deb8u1_all.deb", "packageName": "libsdl-image1.2-dbg", "packageVersion": "1.2.12-5+deb8u1"}, {"OS": "Debian", "OSVersion": "8", "arch": "all", "operator": "lt", "packageFilename": "libsdl-image1.2-dev_1.2.12-5+deb8u1_all.deb", "packageName": "libsdl-image1.2-dev", "packageVersion": "1.2.12-5+deb8u1"}, {"OS": "Debian", "OSVersion": "9", "arch": "all", "operator": "lt", "packageFilename": "libsdl-image1.2-dev_1.2.12-5+deb9u1_all.deb", "packageName": "libsdl-image1.2-dev", "packageVersion": "1.2.12-5+deb9u1"}, {"OS": "Debian", "OSVersion": "9", "arch": "all", "operator": "lt", "packageFilename": "sdl-image1.2_1.2.12-5+deb9u1_all.deb", "packageName": "sdl-image1.2", "packageVersion": "1.2.12-5+deb9u1"}, {"OS": "Debian", "OSVersion": "8", "arch": "all", "operator": "lt", "packageFilename": "sdl-image1.2_1.2.12-5+deb8u1_all.deb", "packageName": "sdl-image1.2", "packageVersion": "1.2.12-5+deb8u1"}, {"OS": "Debian", "OSVersion": "9", "arch": "all", "operator": "lt", "packageFilename": "libsdl-image1.2-dbg_1.2.12-5+deb9u1_all.deb", "packageName": "libsdl-image1.2-dbg", "packageVersion": "1.2.12-5+deb9u1"}, {"OS": "Debian", "OSVersion": "9", "arch": "all", "operator": "lt", "packageFilename": "libsdl-image1.2_1.2.12-5+deb9u1_all.deb", "packageName": "libsdl-image1.2", "packageVersion": "1.2.12-5+deb9u1"}, {"OS": "Debian", "OSVersion": "8", "arch": "all", "operator": "lt", "packageFilename": "libsdl-image1.2_1.2.12-5+deb8u1_all.deb", "packageName": "libsdl-image1.2", "packageVersion": "1.2.12-5+deb8u1"}], "scheme": null}

{"openvas": [{"lastseen": "2019-07-04T18:56:07", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-14441", "CVE-2017-2887", "CVE-2017-14440", "CVE-2017-14442", "CVE-2017-14450", "CVE-2017-12122", "CVE-2018-3837", "CVE-2018-3838", "CVE-2018-3839", "CVE-2017-14448"], "description": "Multiple vulnerabilities have been discovered in the image loading\nlibrary for Simple DirectMedia Layer 1.2, which could result in denial\nof service or the execution of arbitrary code if malformed image files\nare opened.", "modified": "2019-07-04T00:00:00", "published": "2018-04-28T00:00:00", "id": "OPENVAS:1361412562310704184", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704184", "type": "openvas", "title": "Debian Security Advisory DSA 4184-1 (sdl-image1.2 - security update)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Auto-generated from advisory DSA 4184-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704184\");\n script_version(\"2019-07-04T09:25:28+0000\");\n script_cve_id(\"CVE-2017-12122\", \"CVE-2017-14440\", \"CVE-2017-14441\", \"CVE-2017-14442\", \"CVE-2017-14448\",\n \"CVE-2017-14450\", \"CVE-2017-2887\", \"CVE-2018-3837\", \"CVE-2018-3838\", \"CVE-2018-3839\");\n script_name(\"Debian Security Advisory DSA 4184-1 (sdl-image1.2 - security update)\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 09:25:28 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-04-28 00:00:00 +0200 (Sat, 28 Apr 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2018/dsa-4184.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB[89]\");\n script_tag(name:\"affected\", value:\"sdl-image1.2 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (jessie), these problems have been fixed\nin version 1.2.12-5+deb8u1.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 1.2.12-5+deb9u1.\n\nWe recommend that you upgrade your sdl-image1.2 packages.\");\n\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/sdl-image1.2\");\n script_tag(name:\"summary\", value:\"Multiple vulnerabilities have been discovered in the image loading\nlibrary for Simple DirectMedia Layer 1.2, which could result in denial\nof service or the execution of arbitrary code if malformed image files\nare opened.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libsdl-image1.2\", ver:\"1.2.12-5+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libsdl-image1.2-dbg\", ver:\"1.2.12-5+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libsdl-image1.2-dev\", ver:\"1.2.12-5+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libsdl-image1.2\", ver:\"1.2.12-5+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libsdl-image1.2-dbg\", ver:\"1.2.12-5+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libsdl-image1.2-dev\", ver:\"1.2.12-5+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-04T18:55:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-14441", "CVE-2017-2887", "CVE-2017-14440", "CVE-2017-14442", "CVE-2017-14450", "CVE-2017-12122", "CVE-2018-3837", "CVE-2018-3838", "CVE-2017-14449", "CVE-2018-3839", "CVE-2017-14448"], "description": "Multiple vulnerabilities have been discovered in the image loading\nlibrary for Simple DirectMedia Layer 2, which could result in denial of\nservice or the execution of arbitrary code if malformed image files are\nopened.", "modified": "2019-07-04T00:00:00", "published": "2018-04-20T00:00:00", "id": "OPENVAS:1361412562310704177", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704177", "type": "openvas", "title": "Debian Security Advisory DSA 4177-1 (libsdl2-image - security update)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Auto-generated from advisory DSA 4177-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704177\");\n script_version(\"2019-07-04T09:25:28+0000\");\n script_cve_id(\"CVE-2017-12122\", \"CVE-2017-14440\", \"CVE-2017-14441\", \"CVE-2017-14442\", \"CVE-2017-14448\",\n \"CVE-2017-14449\", \"CVE-2017-14450\", \"CVE-2017-2887\", \"CVE-2018-3837\", \"CVE-2018-3838\",\n \"CVE-2018-3839\");\n script_name(\"Debian Security Advisory DSA 4177-1 (libsdl2-image - security update)\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 09:25:28 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-04-20 00:00:00 +0200 (Fri, 20 Apr 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2018/dsa-4177.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB[89]\");\n script_tag(name:\"affected\", value:\"libsdl2-image on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (jessie), these problems have been fixed\nin version 2.0.0+dfsg-3+deb8u1.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 2.0.1+dfsg-2+deb9u1.\n\nWe recommend that you upgrade your libsdl2-image packages.\");\n\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/libsdl2-image\");\n script_tag(name:\"summary\", value:\"Multiple vulnerabilities have been discovered in the image loading\nlibrary for Simple DirectMedia Layer 2, which could result in denial of\nservice or the execution of arbitrary code if malformed image files are\nopened.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libsdl2-image-2.0-0\", ver:\"2.0.0+dfsg-3+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libsdl2-image-dbg\", ver:\"2.0.0+dfsg-3+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libsdl2-image-dev\", ver:\"2.0.0+dfsg-3+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libsdl2-image-2.0-0\", ver:\"2.0.1+dfsg-2+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libsdl2-image-dbg\", ver:\"2.0.1+dfsg-2+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libsdl2-image-dev\", ver:\"2.0.1+dfsg-2+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-29T20:07:49", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-14441", "CVE-2017-14440", "CVE-2017-14442", "CVE-2017-14450", "CVE-2017-12122", "CVE-2017-14448"], "description": "Lilith of Cisco Talos discovered several buffer overflow\nvulnerabilities in the SDL Image library which can be leveraged by\nattackers to execute arbitrary code via specially crafted image files.", "modified": "2020-01-29T00:00:00", "published": "2018-04-09T00:00:00", "id": "OPENVAS:1361412562310891341", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891341", "type": "openvas", "title": "Debian LTS: Security Advisory for sdl-image1.2 (DLA-1341-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891341\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2017-12122\", \"CVE-2017-14440\", \"CVE-2017-14441\", \"CVE-2017-14442\", \"CVE-2017-14448\", \"CVE-2017-14450\");\n script_name(\"Debian LTS: Security Advisory for sdl-image1.2 (DLA-1341-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-04-09 00:00:00 +0200 (Mon, 09 Apr 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/04/msg00005.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"sdl-image1.2 on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n1.2.12-2+deb7u2.\n\nWe recommend that you upgrade your sdl-image1.2 packages.\");\n\n script_tag(name:\"summary\", value:\"Lilith of Cisco Talos discovered several buffer overflow\nvulnerabilities in the SDL Image library which can be leveraged by\nattackers to execute arbitrary code via specially crafted image files.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libsdl-image1.2\", ver:\"1.2.12-2+deb7u2\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libsdl-image1.2-dev\", ver:\"1.2.12-2+deb7u2\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-04T16:42:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-14441", "CVE-2017-14440", "CVE-2017-14442", "CVE-2017-14450", "CVE-2017-12122", "CVE-2017-14449", "CVE-2017-14448"], "description": "The remote host is missing an update for the ", "modified": "2020-06-03T00:00:00", "published": "2018-03-19T00:00:00", "id": "OPENVAS:1361412562310851720", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851720", "type": "openvas", "title": "openSUSE: Security Advisory for SDL2 (openSUSE-SU-2018:0734-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851720\");\n script_version(\"2020-06-03T08:38:58+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-03 08:38:58 +0000 (Wed, 03 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-03-19 08:26:15 +0100 (Mon, 19 Mar 2018)\");\n script_cve_id(\"CVE-2017-12122\", \"CVE-2017-14440\", \"CVE-2017-14441\", \"CVE-2017-14442\",\n \"CVE-2017-14448\", \"CVE-2017-14449\", \"CVE-2017-14450\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for SDL2 (openSUSE-SU-2018:0734-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'SDL2'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for SDL2 and SDL2_image fixes the following issues:\n\n - CVE-2017-14441: Code execution in the ICO image rendering (bsc#1084282).\n\n - CVE-2017-14440: Potential code execution in the ILBM image rendering\n functionality (bsc#1084257).\n\n - CVE-2017-12122: Potential code execution in the ILBM image rendering\n fuctionality (bsc#1084256).\n\n - CVE-2017-14448: Heap buffer overflow in the XCF image rendering\n functionality (bsc#1084303).\n\n - CVE-2017-14449: Double-Free in the XCF image rendering (bsc#1084297).\n\n - CVE-2017-14442: Stack buffer overflow the BMP image rendering\n functionality (bsc#1084304).\n\n - CVE-2017-14450: Buffer overflow in the GIF image parsing (bsc#1084288).\n\n Bug fixes:\n\n - boo#1025413: Add dbus-ime.diff and build with fcitx.\");\n\n script_tag(name:\"affected\", value:\"SDL2, on openSUSE Leap 42.3\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:0734-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2018-03/msg00047.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"SDL2-debugsource\", rpm:\"SDL2-debugsource~2.0.8~18.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"SDL2_image-debugsource\", rpm:\"SDL2_image-debugsource~2.0.3~13.10.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libSDL2-2_0-0\", rpm:\"libSDL2-2_0-0~2.0.8~18.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libSDL2-2_0-0-debuginfo\", rpm:\"libSDL2-2_0-0-debuginfo~2.0.8~18.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libSDL2-devel\", rpm:\"libSDL2-devel~2.0.8~18.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libSDL2_image-2_0-0\", rpm:\"libSDL2_image-2_0-0~2.0.3~13.10.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libSDL2_image-2_0-0-debuginfo\", rpm:\"libSDL2_image-2_0-0-debuginfo~2.0.3~13.10.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libSDL2_image-devel\", rpm:\"libSDL2_image-devel~2.0.3~13.10.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libSDL2-2_0-0-32bit\", rpm:\"libSDL2-2_0-0-32bit~2.0.8~18.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libSDL2-2_0-0-debuginfo-32bit\", rpm:\"libSDL2-2_0-0-debuginfo-32bit~2.0.8~18.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libSDL2-devel-32bit\", rpm:\"libSDL2-devel-32bit~2.0.8~18.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libSDL2_image-2_0-0-32bit\", rpm:\"libSDL2_image-2_0-0-32bit~2.0.3~13.10.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libSDL2_image-2_0-0-debuginfo-32bit\", rpm:\"libSDL2_image-2_0-0-debuginfo-32bit~2.0.3~13.10.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libSDL2_image-devel-32bit\", rpm:\"libSDL2_image-devel-32bit~2.0.3~13.10.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-3977", "CVE-2017-2887", "CVE-2018-3837"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-11-15T00:00:00", "id": "OPENVAS:1361412562310875274", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875274", "type": "openvas", "title": "Fedora Update for mingw-SDL2_image FEDORA-2018-e8d19367cb", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_e8d19367cb_mingw-SDL2_image_fc28.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for mingw-SDL2_image FEDORA-2018-e8d19367cb\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875274\");\n script_version(\"$Revision: 14223 $\");\n script_cve_id(\"CVE-2018-3977\", \"CVE-2018-3837\", \"CVE-2017-2887\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-11-15 06:23:26 +0100 (Thu, 15 Nov 2018)\");\n script_name(\"Fedora Update for mingw-SDL2_image FEDORA-2018-e8d19367cb\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2018-e8d19367cb\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O6RWOV4GBZFLOKSR3LKMJGPGA4QC6GSB\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mingw-SDL2_image'\n package(s) announced via the FEDORA-2018-e8d19367cb advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"mingw-SDL2_image on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"mingw-SDL2_image\", rpm:\"mingw-SDL2_image~2.0.4~1.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-3977", "CVE-2017-2887", "CVE-2018-3837"], "description": "The remote host is missing an update for the ", "modified": "2019-05-14T00:00:00", "published": "2019-05-07T00:00:00", "id": "OPENVAS:1361412562310876179", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876179", "type": "openvas", "title": "Fedora Update for mingw-SDL2_image FEDORA-2018-b38de02132", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876179\");\n script_version(\"2019-05-14T05:04:40+0000\");\n script_cve_id(\"CVE-2018-3977\", \"CVE-2018-3837\", \"CVE-2017-2887\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-14 05:04:40 +0000 (Tue, 14 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-07 02:38:14 +0000 (Tue, 07 May 2019)\");\n script_name(\"Fedora Update for mingw-SDL2_image FEDORA-2018-b38de02132\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2018-b38de02132\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWHSQAXHHWQFHJTBXHLUQSSFEMXDCCJ6\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mingw-SDL2_image'\n package(s) announced via the FEDORA-2018-b38de02132 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Simple DirectMedia Layer (SDL2) is a cross-platform multimedia library\ndesigned to provide fast access to the graphics frame buffer and audio\ndevice. This package contains a simple library for loading images of\nvarious formats (BMP, PPM, PCX, GIF, JPEG, PNG) as SDL2 surfaces.\");\n\n script_tag(name:\"affected\", value:\"'mingw-SDL2_image' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"mingw-SDL2_image\", rpm:\"mingw-SDL2_image~2.0.4~1.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-29T20:07:16", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2887"], "description": "It was discovered that there was a buffer overflow vulnerability in\nsdl-image1.2, an image loading library.\n\nA specially crafted .xcf file could cause a stack-based buffer overflow\nresulting in potential code execution.", "modified": "2020-01-29T00:00:00", "published": "2018-02-07T00:00:00", "id": "OPENVAS:1361412562310891134", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891134", "type": "openvas", "title": "Debian LTS: Security Advisory for sdl-image1.2 (DLA-1134-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891134\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2017-2887\");\n script_name(\"Debian LTS: Security Advisory for sdl-image1.2 (DLA-1134-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-02-07 00:00:00 +0100 (Wed, 07 Feb 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/10/msg00012.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"sdl-image1.2 on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', this issue has been fixed in sdl-image1.2 version\n1.2.12-2+deb7u1.\n\nWe recommend that you upgrade your sdl-image1.2 packages.\");\n\n script_tag(name:\"summary\", value:\"It was discovered that there was a buffer overflow vulnerability in\nsdl-image1.2, an image loading library.\n\nA specially crafted .xcf file could cause a stack-based buffer overflow\nresulting in potential code execution.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libsdl-image1.2\", ver:\"1.2.12-2+deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libsdl-image1.2-dev\", ver:\"1.2.12-2+deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2887"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-10-21T00:00:00", "id": "OPENVAS:1361412562310873520", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873520", "type": "openvas", "title": "Fedora Update for SDL2_image FEDORA-2017-9b0095a6f2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_9b0095a6f2_SDL2_image_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for SDL2_image FEDORA-2017-9b0095a6f2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873520\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-10-21 09:52:55 +0200 (Sat, 21 Oct 2017)\");\n script_cve_id(\"CVE-2017-2887\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for SDL2_image FEDORA-2017-9b0095a6f2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'SDL2_image'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"SDL2_image on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-9b0095a6f2\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZ2PGONVZG63TVAHUUYJUCDTHN2PPFBT\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"SDL2_image\", rpm:\"SDL2_image~2.0.1~8.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2887"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-10-21T00:00:00", "id": "OPENVAS:1361412562310873508", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873508", "type": "openvas", "title": "Fedora Update for SDL2_image FEDORA-2017-15987a1b7f", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_15987a1b7f_SDL2_image_fc25.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for SDL2_image FEDORA-2017-15987a1b7f\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873508\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-10-21 09:51:58 +0200 (Sat, 21 Oct 2017)\");\n script_cve_id(\"CVE-2017-2887\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for SDL2_image FEDORA-2017-15987a1b7f\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'SDL2_image'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"SDL2_image on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-15987a1b7f\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XXICO4GQIX5IVMIRRBEKOBPLIFZCNOTT\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"SDL2_image\", rpm:\"SDL2_image~2.0.1~8.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-31T17:33:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-3977", "CVE-2018-3839"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2018-11-21T00:00:00", "id": "OPENVAS:1361412562310852135", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852135", "type": "openvas", "title": "openSUSE: Security Advisory for SDL2_image (openSUSE-SU-2018:3828-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852135\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_cve_id(\"CVE-2018-3839\", \"CVE-2018-3977\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-11-21 06:03:41 +0100 (Wed, 21 Nov 2018)\");\n script_name(\"openSUSE: Security Advisory for SDL2_image (openSUSE-SU-2018:3828-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:3828-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2018-11/msg00034.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'SDL2_image'\n package(s) announced via the openSUSE-SU-2018:3828-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for SDL2_image fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2018-3839: Fixed an exploitable code execution vulnerability that\n existed in the XCF image rendering functionality of the Simple\n DirectMedia Layer (bsc#1089087).\n\n - CVE-2018-3977: Fixed a possible code execution via creafted XCF image\n that could have caused a heap overflow (bsc#1114519).\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 42.3:\n\n zypper in -t patch openSUSE-2018-1433=1\");\n\n script_tag(name:\"affected\", value:\"SDL2_image on openSUSE Leap 42.3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"SDL2_image-debugsource\", rpm:\"SDL2_image-debugsource~2.0.4~13.13.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libSDL2_image-2_0-0\", rpm:\"libSDL2_image-2_0-0~2.0.4~13.13.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libSDL2_image-2_0-0-debuginfo\", rpm:\"libSDL2_image-2_0-0-debuginfo~2.0.4~13.13.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libSDL2_image-devel\", rpm:\"libSDL2_image-devel~2.0.4~13.13.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libSDL2_image-2_0-0-32bit\", rpm:\"libSDL2_image-2_0-0-32bit~2.0.4~13.13.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libSDL2_image-2_0-0-debuginfo-32bit\", rpm:\"libSDL2_image-2_0-0-debuginfo-32bit~2.0.4~13.13.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libSDL2_image-devel-32bit\", rpm:\"libSDL2_image-devel-32bit~2.0.4~13.13.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-01T01:46:58", "description": "Multiple vulnerabilities have been discovered in the image loading\nlibrary for Simple DirectMedia Layer 1.2, which could result in denial\nof service or the execution of arbitrary code if malformed image files\nare opened.", "edition": 23, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-04-30T00:00:00", "title": "Debian DSA-4184-1 : sdl-image1.2 - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-14441", "CVE-2017-2887", "CVE-2017-14440", "CVE-2017-14442", "CVE-2017-14450", "CVE-2017-12122", "CVE-2018-3837", "CVE-2018-3838", "CVE-2018-3839", "CVE-2017-14448"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:sdl-image1.2", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4184.NASL", "href": "https://www.tenable.com/plugins/nessus/109413", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4184. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109413);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/11/13 12:30:46\");\n\n script_cve_id(\"CVE-2017-12122\", \"CVE-2017-14440\", \"CVE-2017-14441\", \"CVE-2017-14442\", \"CVE-2017-14448\", \"CVE-2017-14450\", \"CVE-2017-2887\", \"CVE-2018-3837\", \"CVE-2018-3838\", \"CVE-2018-3839\");\n script_xref(name:\"DSA\", value:\"4184\");\n\n script_name(english:\"Debian DSA-4184-1 : sdl-image1.2 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities have been discovered in the image loading\nlibrary for Simple DirectMedia Layer 1.2, which could result in denial\nof service or the execution of arbitrary code if malformed image files\nare opened.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878267\"\n );\n # https://security-tracker.debian.org/tracker/source-package/sdl-image1.2\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d2ad8d43\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/sdl-image1.2\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/sdl-image1.2\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2018/dsa-4184\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the sdl-image1.2 packages.\n\nFor the oldstable distribution (jessie), these problems have been\nfixed in version 1.2.12-5+deb8u1.\n\nFor the stable distribution (stretch), these problems have been fixed\nin version 1.2.12-5+deb9u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:sdl-image1.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libsdl-image1.2\", reference:\"1.2.12-5+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libsdl-image1.2-dbg\", reference:\"1.2.12-5+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libsdl-image1.2-dev\", reference:\"1.2.12-5+deb8u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libsdl-image1.2\", reference:\"1.2.12-5+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libsdl-image1.2-dbg\", reference:\"1.2.12-5+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libsdl-image1.2-dev\", reference:\"1.2.12-5+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T01:46:56", "description": "Multiple vulnerabilities have been discovered in the image loading\nlibrary for Simple DirectMedia Layer 2, which could result in denial\nof service or the execution of arbitrary code if malformed image files\nare opened.", "edition": 23, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-04-23T00:00:00", "title": "Debian DSA-4177-1 : libsdl2-image - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-14441", "CVE-2017-2887", "CVE-2017-14440", "CVE-2017-14442", "CVE-2017-14450", "CVE-2017-12122", "CVE-2018-3837", "CVE-2018-3838", "CVE-2017-14449", "CVE-2018-3839", "CVE-2017-14448"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:libsdl2-image", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4177.NASL", "href": "https://www.tenable.com/plugins/nessus/109219", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4177. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109219);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/11/13 12:30:46\");\n\n script_cve_id(\"CVE-2017-12122\", \"CVE-2017-14440\", \"CVE-2017-14441\", \"CVE-2017-14442\", \"CVE-2017-14448\", \"CVE-2017-14449\", \"CVE-2017-14450\", \"CVE-2017-2887\", \"CVE-2018-3837\", \"CVE-2018-3838\", \"CVE-2018-3839\");\n script_xref(name:\"DSA\", value:\"4177\");\n\n script_name(english:\"Debian DSA-4177-1 : libsdl2-image - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities have been discovered in the image loading\nlibrary for Simple DirectMedia Layer 2, which could result in denial\nof service or the execution of arbitrary code if malformed image files\nare opened.\"\n );\n # https://security-tracker.debian.org/tracker/source-package/libsdl2-image\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?cc606966\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/libsdl2-image\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/libsdl2-image\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2018/dsa-4177\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the libsdl2-image packages.\n\nFor the oldstable distribution (jessie), these problems have been\nfixed in version 2.0.0+dfsg-3+deb8u1.\n\nFor the stable distribution (stretch), these problems have been fixed\nin version 2.0.1+dfsg-2+deb9u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libsdl2-image\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libsdl2-image-2.0-0\", reference:\"2.0.0+dfsg-3+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libsdl2-image-dbg\", reference:\"2.0.0+dfsg-3+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libsdl2-image-dev\", reference:\"2.0.0+dfsg-3+deb8u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libsdl2-image-2.0-0\", reference:\"2.0.1+dfsg-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libsdl2-image-dbg\", reference:\"2.0.1+dfsg-2+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libsdl2-image-dev\", reference:\"2.0.1+dfsg-2+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T09:39:09", "description": "Lilith of Cisco Talos discovered several buffer overflow\nvulnerabilities in the SDL Image library which can be leveraged by\nattackers to execute arbitrary code via specially crafted image files.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n1.2.12-2+deb7u2.\n\nWe recommend that you upgrade your sdl-image1.2 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 16, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-04-10T00:00:00", "title": "Debian DLA-1341-1 : sdl-image1.2 security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-14441", "CVE-2017-14440", "CVE-2017-14442", "CVE-2017-14450", "CVE-2017-12122", "CVE-2017-14448"], "modified": "2018-04-10T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libsdl-image1.2", "p-cpe:/a:debian:debian_linux:libsdl-image1.2-dev", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DLA-1341.NASL", "href": "https://www.tenable.com/plugins/nessus/108902", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1341-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(108902);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-12122\", \"CVE-2017-14440\", \"CVE-2017-14441\", \"CVE-2017-14442\", \"CVE-2017-14448\", \"CVE-2017-14450\");\n\n script_name(english:\"Debian DLA-1341-1 : sdl-image1.2 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Lilith of Cisco Talos discovered several buffer overflow\nvulnerabilities in the SDL Image library which can be leveraged by\nattackers to execute arbitrary code via specially crafted image files.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n1.2.12-2+deb7u2.\n\nWe recommend that you upgrade your sdl-image1.2 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2018/04/msg00005.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/sdl-image1.2\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libsdl-image1.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libsdl-image1.2-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"libsdl-image1.2\", reference:\"1.2.12-2+deb7u2\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libsdl-image1.2-dev\", reference:\"1.2.12-2+deb7u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T02:57:05", "description": "The remote host is affected by the vulnerability described in GLSA-201903-17\n(SDL2_Image: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in SDL2_Image. Please\n review the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker, by enticing a user to process a specially crafted\n image file, could execute arbitrary code, cause a Denial of Service\n condition, or obtain sensitive information.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 17, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-03-28T00:00:00", "title": "GLSA-201903-17 : SDL2_Image: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-3977", "CVE-2017-14441", "CVE-2017-14440", "CVE-2017-14442", "CVE-2017-14450", "CVE-2017-12122", "CVE-2018-3837", "CVE-2018-3838", "CVE-2017-14449", "CVE-2018-3839", "CVE-2017-14448"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:sdl2-image"], "id": "GENTOO_GLSA-201903-17.NASL", "href": "https://www.tenable.com/plugins/nessus/123423", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201903-17.\n#\n# The advisory text is Copyright (C) 2001-2020 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123423);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2020/01/27\");\n\n script_cve_id(\"CVE-2017-12122\", \"CVE-2017-14440\", \"CVE-2017-14441\", \"CVE-2017-14442\", \"CVE-2017-14448\", \"CVE-2017-14449\", \"CVE-2017-14450\", \"CVE-2018-3837\", \"CVE-2018-3838\", \"CVE-2018-3839\", \"CVE-2018-3977\");\n script_xref(name:\"GLSA\", value:\"201903-17\");\n\n script_name(english:\"GLSA-201903-17 : SDL2_Image: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201903-17\n(SDL2_Image: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in SDL2_Image. Please\n review the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker, by enticing a user to process a specially crafted\n image file, could execute arbitrary code, cause a Denial of Service\n condition, or obtain sensitive information.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201903-17\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All SDL2_Image users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=media-libs/sdl2-image-2.0.4'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:sdl2-image\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/04/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"media-libs/sdl2-image\", unaffected:make_list(\"ge 2.0.4\"), vulnerable:make_list(\"lt 2.0.4\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"SDL2_Image\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-05T11:18:41", "description": "This update for SDL2 and SDL2_image fixes the following issues :\n\n - CVE-2017-14441: Code execution in the ICO image\n rendering (bsc#1084282).\n\n - CVE-2017-14440: Potential code execution in the ILBM\n image rendering functionality (bsc#1084257).\n\n - CVE-2017-12122: Potential code execution in the ILBM\n image rendering fuctionality (bsc#1084256).\n\n - CVE-2017-14448: Heap buffer overflow in the XCF image\n rendering functionality (bsc#1084303).\n\n - CVE-2017-14449: Double-Free in the XCF image rendering\n (bsc#1084297).\n\n - CVE-2017-14442: Stack-based buffer overflow the BMP\n image rendering functionality (bsc#1084304).\n\n - CVE-2017-14450: Buffer overflow in the GIF image parsing\n (bsc#1084288).\n\nBug fixes :\n\n - boo#1025413: Add dbus-ime.diff and build with fcitx.", "edition": 19, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-03-19T00:00:00", "title": "openSUSE Security Update : SDL2 / SDL2_image (openSUSE-2018-280)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-14441", "CVE-2017-14440", "CVE-2017-14442", "CVE-2017-14450", "CVE-2017-12122", "CVE-2017-14449", "CVE-2017-14448"], "modified": "2018-03-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:SDL2-debugsource", "p-cpe:/a:novell:opensuse:SDL2_image-debugsource", "p-cpe:/a:novell:opensuse:libSDL2_image-2_0-0", "p-cpe:/a:novell:opensuse:libSDL2_image-2_0-0-debuginfo", "p-cpe:/a:novell:opensuse:libSDL2-2_0-0", "p-cpe:/a:novell:opensuse:libSDL2-2_0-0-32bit", "p-cpe:/a:novell:opensuse:libSDL2_image-devel", "p-cpe:/a:novell:opensuse:libSDL2-devel-32bit", "p-cpe:/a:novell:opensuse:libSDL2_image-devel-32bit", "p-cpe:/a:novell:opensuse:libSDL2-2_0-0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libSDL2-devel", "p-cpe:/a:novell:opensuse:libSDL2_image-2_0-0-32bit", "cpe:/o:novell:opensuse:42.3", "p-cpe:/a:novell:opensuse:libSDL2_image-2_0-0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libSDL2-2_0-0-debuginfo"], "id": "OPENSUSE-2018-280.NASL", "href": "https://www.tenable.com/plugins/nessus/108444", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-280.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108444);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/04\");\n\n script_cve_id(\"CVE-2017-12122\", \"CVE-2017-14440\", \"CVE-2017-14441\", \"CVE-2017-14442\", \"CVE-2017-14448\", \"CVE-2017-14449\", \"CVE-2017-14450\");\n\n script_name(english:\"openSUSE Security Update : SDL2 / SDL2_image (openSUSE-2018-280)\");\n script_summary(english:\"Check for the openSUSE-2018-280 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for SDL2 and SDL2_image fixes the following issues :\n\n - CVE-2017-14441: Code execution in the ICO image\n rendering (bsc#1084282).\n\n - CVE-2017-14440: Potential code execution in the ILBM\n image rendering functionality (bsc#1084257).\n\n - CVE-2017-12122: Potential code execution in the ILBM\n image rendering fuctionality (bsc#1084256).\n\n - CVE-2017-14448: Heap buffer overflow in the XCF image\n rendering functionality (bsc#1084303).\n\n - CVE-2017-14449: Double-Free in the XCF image rendering\n (bsc#1084297).\n\n - CVE-2017-14442: Stack-based buffer overflow the BMP\n image rendering functionality (bsc#1084304).\n\n - CVE-2017-14450: Buffer overflow in the GIF image parsing\n (bsc#1084288).\n\nBug fixes :\n\n - boo#1025413: Add dbus-ime.diff and build with fcitx.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1025413\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1084256\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1084257\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1084282\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1084288\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1084297\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1084303\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1084304\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected SDL2 / SDL2_image packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:SDL2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:SDL2_image-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libSDL2-2_0-0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libSDL2-2_0-0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libSDL2-2_0-0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libSDL2-2_0-0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libSDL2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libSDL2-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libSDL2_image-2_0-0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libSDL2_image-2_0-0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libSDL2_image-2_0-0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libSDL2_image-2_0-0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libSDL2_image-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libSDL2_image-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.3\", reference:\"SDL2-debugsource-2.0.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"SDL2_image-debugsource-2.0.3-13.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libSDL2-2_0-0-2.0.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libSDL2-2_0-0-debuginfo-2.0.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libSDL2-devel-2.0.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libSDL2_image-2_0-0-2.0.3-13.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libSDL2_image-2_0-0-debuginfo-2.0.3-13.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libSDL2_image-devel-2.0.3-13.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libSDL2-2_0-0-32bit-2.0.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libSDL2-2_0-0-debuginfo-32bit-2.0.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libSDL2-devel-32bit-2.0.8-18.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libSDL2_image-2_0-0-32bit-2.0.3-13.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libSDL2_image-2_0-0-debuginfo-32bit-2.0.3-13.10.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libSDL2_image-devel-32bit-2.0.3-13.10.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"SDL2-debugsource / libSDL2-2_0-0 / libSDL2-2_0-0-32bit / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:22:07", "description": "Security fix for CVE-2018-3977\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 11, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-01-03T00:00:00", "title": "Fedora 28 : mingw-SDL2_image (2018-e8d19367cb)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-3977", "CVE-2017-2887", "CVE-2018-3837"], "modified": "2019-01-03T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:mingw-SDL2_image", "cpe:/o:fedoraproject:fedora:28"], "id": "FEDORA_2018-E8D19367CB.NASL", "href": "https://www.tenable.com/plugins/nessus/120873", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-e8d19367cb.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120873);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-2887\", \"CVE-2018-3837\", \"CVE-2018-3977\");\n script_xref(name:\"FEDORA\", value:\"2018-e8d19367cb\");\n\n script_name(english:\"Fedora 28 : mingw-SDL2_image (2018-e8d19367cb)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2018-3977\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-e8d19367cb\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mingw-SDL2_image package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mingw-SDL2_image\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/11/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"mingw-SDL2_image-2.0.4-1.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mingw-SDL2_image\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:20:48", "description": "Security fix for CVE-2018-3977\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 11, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-01-03T00:00:00", "title": "Fedora 29 : mingw-SDL2_image (2018-b38de02132)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-3977", "CVE-2017-2887", "CVE-2018-3837"], "modified": "2019-01-03T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:29", "p-cpe:/a:fedoraproject:fedora:mingw-SDL2_image"], "id": "FEDORA_2018-B38DE02132.NASL", "href": "https://www.tenable.com/plugins/nessus/120721", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-b38de02132.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120721);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-2887\", \"CVE-2018-3837\", \"CVE-2018-3977\");\n script_xref(name:\"FEDORA\", value:\"2018-b38de02132\");\n\n script_name(english:\"Fedora 29 : mingw-SDL2_image (2018-b38de02132)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2018-3977\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-b38de02132\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mingw-SDL2_image package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mingw-SDL2_image\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:29\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/11/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^29([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 29\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC29\", reference:\"mingw-SDL2_image-2.0.4-1.fc29\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mingw-SDL2_image\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T09:38:44", "description": "It was discovered that there was a buffer overflow vulnerability in\nsdl-image1.2, an image loading library.\n\nA specially crafted .xcf file could cause a stack-based buffer\noverflow resulting in potential code execution.\n\nFor Debian 7 'Wheezy', this issue has been fixed in sdl-image1.2\nversion 1.2.12-2+deb7u1.\n\nWe recommend that you upgrade your sdl-image1.2 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 19, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-10-17T00:00:00", "title": "Debian DLA-1134-1 : sdl-image1.2 security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2887"], "modified": "2017-10-17T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libsdl-image1.2", "p-cpe:/a:debian:debian_linux:libsdl-image1.2-dev", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DLA-1134.NASL", "href": "https://www.tenable.com/plugins/nessus/103858", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1134-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103858);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-2887\");\n\n script_name(english:\"Debian DLA-1134-1 : sdl-image1.2 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that there was a buffer overflow vulnerability in\nsdl-image1.2, an image loading library.\n\nA specially crafted .xcf file could cause a stack-based buffer\noverflow resulting in potential code execution.\n\nFor Debian 7 'Wheezy', this issue has been fixed in sdl-image1.2\nversion 1.2.12-2+deb7u1.\n\nWe recommend that you upgrade your sdl-image1.2 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/10/msg00012.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/sdl-image1.2\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libsdl-image1.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libsdl-image1.2-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"libsdl-image1.2\", reference:\"1.2.12-2+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libsdl-image1.2-dev\", reference:\"1.2.12-2+deb7u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:12:21", "description": "Fix CVE-2017-2887\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 20, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2017-10-20T00:00:00", "title": "Fedora 26 : SDL2_image (2017-9b0095a6f2)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2887"], "modified": "2017-10-20T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:SDL2_image", "cpe:/o:fedoraproject:fedora:26"], "id": "FEDORA_2017-9B0095A6F2.NASL", "href": "https://www.tenable.com/plugins/nessus/103998", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-9b0095a6f2.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103998);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-2887\");\n script_xref(name:\"FEDORA\", value:\"2017-9b0095a6f2\");\n\n script_name(english:\"Fedora 26 : SDL2_image (2017-9b0095a6f2)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix CVE-2017-2887\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-9b0095a6f2\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected SDL2_image package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:SDL2_image\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"SDL2_image-2.0.1-8.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"SDL2_image\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-05T11:18:23", "description": "This update for SDL_image and SDL2_image fixes the following security\nissue :\n\n - CVE-2017-2887: A specially crafted file could have been\n used to cause a stack overflow resulting in potential\n code execution (bsc#1062777)", "edition": 15, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2018-02-21T00:00:00", "title": "openSUSE Security Update : SDL_image / SDL2_image (openSUSE-2018-187)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2887"], "modified": "2018-02-21T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:SDL2_image-debugsource", "p-cpe:/a:novell:opensuse:libSDL2_image-2_0-0", "p-cpe:/a:novell:opensuse:libSDL2_image-2_0-0-debuginfo", "p-cpe:/a:novell:opensuse:libSDL2_image-devel", "p-cpe:/a:novell:opensuse:libSDL2_image-devel-32bit", "p-cpe:/a:novell:opensuse:libSDL2_image-2_0-0-32bit", "cpe:/o:novell:opensuse:42.3", "p-cpe:/a:novell:opensuse:SDL_image-debugsource", "p-cpe:/a:novell:opensuse:libSDL2_image-2_0-0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libSDL_image-1_2-0", "p-cpe:/a:novell:opensuse:libSDL_image-1_2-0-debuginfo", "p-cpe:/a:novell:opensuse:libSDL_image-1_2-0-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libSDL_image-devel", "p-cpe:/a:novell:opensuse:libSDL_image-1_2-0-32bit", "p-cpe:/a:novell:opensuse:libSDL_image-devel-32bit"], "id": "OPENSUSE-2018-187.NASL", "href": "https://www.tenable.com/plugins/nessus/106919", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-187.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(106919);\n script_version(\"3.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/04\");\n\n script_cve_id(\"CVE-2017-2887\");\n\n script_name(english:\"openSUSE Security Update : SDL_image / SDL2_image (openSUSE-2018-187)\");\n script_summary(english:\"Check for the openSUSE-2018-187 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for SDL_image and SDL2_image fixes the following security\nissue :\n\n - CVE-2017-2887: A specially crafted file could have been\n used to cause a stack overflow resulting in potential\n code execution (bsc#1062777)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1062777\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected SDL_image / SDL2_image packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:SDL2_image-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:SDL_image-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libSDL2_image-2_0-0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libSDL2_image-2_0-0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libSDL2_image-2_0-0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libSDL2_image-2_0-0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libSDL2_image-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libSDL2_image-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libSDL_image-1_2-0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libSDL_image-1_2-0-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libSDL_image-1_2-0-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libSDL_image-1_2-0-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libSDL_image-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libSDL_image-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/02/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2020 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.3\", reference:\"SDL2_image-debugsource-2.0.0-13.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"SDL_image-debugsource-1.2.12-16.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libSDL2_image-2_0-0-2.0.0-13.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libSDL2_image-2_0-0-debuginfo-2.0.0-13.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libSDL2_image-devel-2.0.0-13.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libSDL_image-1_2-0-1.2.12-16.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libSDL_image-1_2-0-debuginfo-1.2.12-16.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"libSDL_image-devel-1.2.12-16.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libSDL2_image-2_0-0-32bit-2.0.0-13.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libSDL2_image-2_0-0-debuginfo-32bit-2.0.0-13.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libSDL2_image-devel-32bit-2.0.0-13.7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libSDL_image-1_2-0-32bit-1.2.12-16.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libSDL_image-1_2-0-debuginfo-32bit-1.2.12-16.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", cpu:\"x86_64\", reference:\"libSDL_image-devel-32bit-1.2.12-16.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"SDL2_image-debugsource / libSDL2_image-2_0-0 / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2020-08-12T01:00:44", "bulletinFamily": "unix", "cvelist": ["CVE-2017-14441", "CVE-2017-2887", "CVE-2017-14440", "CVE-2017-14442", "CVE-2017-14450", "CVE-2017-12122", "CVE-2018-3837", "CVE-2018-3838", "CVE-2017-14449", "CVE-2018-3839", "CVE-2017-14448"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4177-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nApril 20, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : libsdl2-image\nCVE ID : CVE-2017-2887 CVE-2017-12122 CVE-2017-14440 CVE-2017-14441 \n CVE-2017-14442 CVE-2017-14448 CVE-2017-14449 CVE-2017-14450 \n CVE-2018-3837 CVE-2018-3838 CVE-2018-3839\n\nMultiple vulnerabilities have been discovered in the image loading\nlibrary for Simple DirectMedia Layer 2, which could result in denial of\nservice or the execution of arbitrary code if malformed image files are\nopened.\n\nFor the oldstable distribution (jessie), these problems have been fixed\nin version 2.0.0+dfsg-3+deb8u1.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 2.0.1+dfsg-2+deb9u1.\n\nWe recommend that you upgrade your libsdl2-image packages.\n\nFor the detailed security status of libsdl2-image please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/libsdl2-image\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 18, "modified": "2018-04-20T20:17:24", "published": "2018-04-20T20:17:24", "id": "DEBIAN:DSA-4177-1:F7927", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2018/msg00104.html", "title": "[SECURITY] [DSA 4177-1] libsdl2-image security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:21:55", "bulletinFamily": "unix", "cvelist": ["CVE-2017-14441", "CVE-2017-14440", "CVE-2017-14442", "CVE-2017-14450", "CVE-2017-12122", "CVE-2017-14448"], "description": "Package : sdl-image1.2\nVersion : 1.2.12-2+deb7u2\nCVE ID : CVE-2017-12122 CVE-2017-14440 CVE-2017-14441\n CVE-2017-14442 CVE-2017-14448 CVE-2017-14450\n\nLilith of Cisco Talos discovered several buffer overflow\nvulnerabilities in the SDL Image library which can be leveraged by\nattackers to execute arbitrary code via specially crafted image files.\n\nFor Debian 7 &quot;Wheezy&quot;, these problems have been fixed in version\n1.2.12-2+deb7u2.\n\nWe recommend that you upgrade your sdl-image1.2 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 3, "modified": "2018-04-06T22:29:38", "published": "2018-04-06T22:29:38", "id": "DEBIAN:DLA-1341-1:F2215", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201804/msg00005.html", "title": "[SECURITY] [DLA 1341-1] sdl-image1.2 security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-12T00:51:28", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2887"], "description": "Package : sdl-image1.2\nVersion : 1.2.12-2+deb7u1\nCVE ID : CVE-2017-2887\nDebian Bug : #878267\n\nIt was discovered that there was a buffer overflow vulnerability in\nsdl-image1.2, an image loading library.\n\nA specially crafted .xcf file could cause a stack-based buffer overflow\nresulting in potential code execution.\n\nFor Debian 7 &quot;Wheezy&quot;, this issue has been fixed in sdl-image1.2 version\n1.2.12-2+deb7u1.\n\nWe recommend that you upgrade your sdl-image1.2 packages.\n\n\nRegards,\n\n- -- \n ,&#x27;&#x27;`.\n : :&#x27; : Chris Lamb\n `. `&#x27;` lamby@debian.org / chris-lamb.co.uk\n `-\n\n", "edition": 9, "modified": "2017-10-16T22:02:23", "published": "2017-10-16T22:02:23", "id": "DEBIAN:DLA-1134-1:1ED94", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201710/msg00012.html", "title": "[SECURITY] [DLA 1134-1] sdl-image1.2 security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2019-03-28T06:33:59", "bulletinFamily": "unix", "cvelist": ["CVE-2018-3977", "CVE-2017-14441", "CVE-2017-14440", "CVE-2017-14442", "CVE-2017-14450", "CVE-2017-12122", "CVE-2018-3837", "CVE-2018-3838", "CVE-2017-14449", "CVE-2018-3839", "CVE-2017-14448"], "description": "### Background\n\nSDL_image is an image file library that loads images as SDL surfaces, and supports various formats like BMP, GIF, JPEG, LBM, PCX, PNG, PNM, TGA, TIFF, XCF, XPM, and XV. \n\n### Description\n\nMultiple vulnerabilities have been discovered in SDL2_Image. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker, by enticing a user to process a specially crafted image file, could execute arbitrary code, cause a Denial of Service condition, or obtain sensitive information. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll SDL2_Image users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=media-libs/sdl2-image-2.0.4\"", "edition": 1, "modified": "2019-03-28T00:00:00", "published": "2019-03-28T00:00:00", "id": "GLSA-201903-17", "href": "https://security.gentoo.org/glsa/201903-17", "title": "SDL2_Image: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "suse": [{"lastseen": "2018-03-18T18:56:32", "bulletinFamily": "unix", "cvelist": ["CVE-2017-14441", "CVE-2017-14440", "CVE-2017-14442", "CVE-2017-14450", "CVE-2017-12122", "CVE-2017-14449", "CVE-2017-14448"], "description": "This update for SDL2 and SDL2_image fixes the following issues:\n\n - CVE-2017-14441: Code execution in the ICO image rendering (bsc#1084282).\n - CVE-2017-14440: Potential code execution in the ILBM image rendering\n functionality (bsc#1084257).\n - CVE-2017-12122: Potential code execution in the ILBM image rendering\n fuctionality (bsc#1084256).\n - CVE-2017-14448: Heap buffer overflow in the XCF image rendering\n functionality (bsc#1084303).\n - CVE-2017-14449: Double-Free in the XCF image rendering (bsc#1084297).\n - CVE-2017-14442: Stack buffer overflow the BMP image rendering\n functionality (bsc#1084304).\n - CVE-2017-14450: Buffer overflow in the GIF image parsing (bsc#1084288).\n\n Bug fixes:\n\n - boo#1025413: Add dbus-ime.diff and build with fcitx.\n\n", "edition": 1, "modified": "2018-03-18T15:09:14", "published": "2018-03-18T15:09:14", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-03/msg00047.html", "id": "OPENSUSE-SU-2018:0734-1", "type": "suse", "title": "Security update for SDL2, SDL2_image (important)", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-11-25T07:48:06", "bulletinFamily": "unix", "cvelist": ["CVE-2018-3977", "CVE-2018-3839"], "description": "This update for SDL2_image fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2018-3839: Fixed an exploitable code execution vulnerability that\n existed in the XCF image rendering functionality of the Simple\n DirectMedia Layer (bsc#1089087).\n - CVE-2018-3977: Fixed a possible code execution via creafted XCF image\n that could have caused a heap overflow (bsc#1114519).\n\n This update was imported from the openSUSE:Leap:15.0:Update update project.\n\n", "edition": 1, "modified": "2018-11-25T00:08:23", "published": "2018-11-25T00:08:23", "id": "OPENSUSE-SU-2018:3906-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-11/msg00047.html", "title": "Security update for SDL2_image (moderate)", "type": "suse", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-11-21T01:33:00", "bulletinFamily": "unix", "cvelist": ["CVE-2018-3977", "CVE-2018-3839"], "description": "This update for SDL2_image fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2018-3839: Fixed an exploitable code execution vulnerability that\n existed in the XCF image rendering functionality of the Simple\n DirectMedia Layer (bsc#1089087).\n - CVE-2018-3977: Fixed a possible code execution via creafted XCF image\n that could have caused a heap overflow (bsc#1114519).\n\n", "edition": 1, "modified": "2018-11-20T21:27:40", "published": "2018-11-20T21:27:40", "id": "OPENSUSE-SU-2018:3828-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-11/msg00034.html", "title": "Security update for SDL2_image (moderate)", "type": "suse", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-11-24T21:04:34", "bulletinFamily": "unix", "cvelist": ["CVE-2018-3977", "CVE-2018-3839"], "description": "This update for SDL2_image fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2018-3839: Fixed an exploitable code execution vulnerability that\n existed in the XCF image rendering functionality of the Simple\n DirectMedia Layer (bsc#1089087).\n - CVE-2018-3977: Fixed a possible code execution via creafted XCF image\n that could have caused a heap overflow (bsc#1114519).\n\n", "edition": 1, "modified": "2018-11-24T18:14:25", "published": "2018-11-24T18:14:25", "id": "OPENSUSE-SU-2018:3896-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-11/msg00045.html", "title": "Security update for SDL2_image (moderate)", "type": "suse", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "talosblog": [{"lastseen": "2018-03-02T20:51:14", "bulletinFamily": "blog", "cvelist": ["CVE-2017-12122", "CVE-2017-14440", "CVE-2017-14441", "CVE-2017-14442", "CVE-2017-14448", "CVE-2017-14449", "CVE-2017-14450"], "description": "## Overview\n\n \n \nTalos is disclosing several vulnerabilities identified in Simple DirectMedia Layer's SDL2_Image library that could allow code execution. Simple DirectMedia Layer is a cross-platform development library designed to provide low-level access to audio, keyboard, mouse, joystick and graphics hardware via OpenGL and Direct3D. It is used by video playback software, emulators, and popular games, including Valve's award-winning catalog, and many Humble Bundle games. SDL officially supports Windows, Mac OS X, Linux, iOS, and Android. Support for other platforms may be found in the source code. The SDL2_Image library is an optional component for SDL that deals specifically with parsing and displaying a variety of image file formats, creating a single and uniform API for image processing, regardless of the type. Simple DirectMedia Layer has released a new version of sdl image, 2.0.3 to address this issue, which can be downloaded [here](<https://www.libsdl.org/projects/SDL_image/>). Talos recommends installing this update as quickly as possible on affected systems. \n \n \n\n\n## Details\n\n \n \n_Discovered by Lilith Wyatt of Cisco Talos_ \n \n[TALOS-2017-0488/CVE-2017-12122](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0488>) - **Simple DirectMedia Layer SDL2_Image IMG_LoadLBM_RW Code Execution Vulnerability** \n** \n**An exploitable code execution vulnerability exists in the ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image can cause a heap overflow, resulting in code execution. An attacker who convinces the user to view a specially crafted image could exploit this vulnerability. \n \n[TALOS-2017-0489/CVE-2017-14440](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0489>) - **Simple DirectMedia Layer SDL2_image ILBM CMAP Parsing Code Execution Vulnerability** \n \nAn exploitable code execution vulnerability exists in the ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image can cause a stack overflow, resulting in code execution. An attacker who convinces the user to view a specially crafted image could exploit this vulnerability. \n \n \n[TALOS-2017-0490/CVE-2017-14441](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0490>) - **Simple DirectMedia Layer SDL2_image ICO Pitch Handling Code Execution Vulnerability** \n \nAn exploitable code execution vulnerability exists in the ICO image rendering functionality of SDL2_image-2.0.2. A specially crafted ICO image can cause an integer overflow, cascading to a heap overflow, resulting in code execution. An attacker who convinces the user to view a specially crafted image could exploit this vulnerability. \n \n \n[TALOS-2017-0491/CVE-2017-14442](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0491>) - **Simple DirectMedia Layer SDL2_image Image Palette Population Code Execution Vulnerability** \n \nAn exploitable code execution vulnerability exists in the BMP image rendering functionality of SDL2_image-2.0.2. A specially crafted BMP image can cause a stack overflow, resulting in code execution. An attacker who convinces the user to view a specially crafted image could exploit this vulnerability. \n \n \n[TALOS-2017-0497/CVE-2017-14448](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0497>) - **Simple DirectMedia Layer SDL2_image load_xcf_tile_rle Decompression Code Execution Vulnerability** \n \nAn exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause a heap overflow, resulting in code execution. An attacker who convinces the user to view a specially crafted image could exploit this vulnerability. \n \n \n[TALOS-2017-0498/CVE-2017-14449](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0498>) - **Simple DirectMedia Layer SDL2_image do_layer_surface Double-Free Vulnerability** \n \nAn exploitable code Double-Free vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause a Double-Free situation to occur. An attacker who convinces the user to view a specially crafted image could exploit this vulnerability. \n \n[TALOS-2017-0499/CVE-2017-14450](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0499>) - **Simple DirectMedia Layer SDL2_Image LWZ Decompression Buffer Overflow Vulnerability** \n \nAn exploitable code execution vulnerability exists in the GIF image parsing functionality of SDL2_image-2.0.2. A specially crafted GIF image can lead to a buffer overflow on a global section. An attacker who convinces the user to view a specially crafted image could exploit this vulnerability. \n \n\n\n## Coverage\n\n \n \nThe following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org. \n \nSnort Rules: \n \n45019-45022, 45025-45026, 45033-45034, 45047-45048 \n \n\n\n[](<http://feeds.feedburner.com/~ff/feedburner/Talos?a=d9EVyUXTblY:RlqoPGAYUVo:yIl2AUoC8zA>)\n\n", "modified": "2018-03-02T18:38:13", "published": "2018-03-01T13:21:00", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/d9EVyUXTblY/vulnerability-spotlight-simple.html", "id": "TALOSBLOG:B432A382E9C35E819CFB15B6830B754F", "type": "talosblog", "title": "Vulnerability Spotlight: Simple DirectMedia Layer\u2019s SDL2_Image", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-05-22T09:20:19", "bulletinFamily": "blog", "cvelist": ["CVE-2018-3837", "CVE-2018-3838", "CVE-2018-3839"], "description": "_Discovered by Lilith Wyatt of Cisco Talos_ \n \n\n\n### Overview\n\n \n \nTalos is disclosing several vulnerabilities identified in Simple DirectMedia Layer's SDL2_Image library that could allow code execution. Simple DirectMedia Layer is a cross-platform development library designed to provide low level access to audio, keyboard, mouse, joystick, and graphics hardware via OpenGL and Direct3D. It is used by video playback software, emulators, and popular games including Valve's award winning catalog and many Humble Bundle games. SDL officially supports Windows, Mac OS X, Linux, iOS, and Android. Support for other platforms may be found in the source code. The SDL2_Image library is an optional component for SDL that deals specifically with parsing and displaying a variety of image file formats, creating a single and uniform API for image processing, regardless of the type. The latest SDL version (2.0.8) can be found [here](<https://www.libsdl.org/download-2.0.php>). \n \n\n\n### [TALOS-2018-0519 ](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0519>) \\- Simple DirectMedia Layer SDL2_Image IMG_LoadPCX_RW Information Disclosure Vulnerability (CVE-2018-3837)\n\n \n \nAn exploitable vulnerability exists in the PCX image rendering functionality of SDL2_image-2.0.2. A specially crafted PCX image can cause an out-of-bounds read on the heap, resulting in information disclosure . An attacker can display a specially crafted image to trigger this vulnerability. \n \n\n\n### [TALOS-2018-0520](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0520>) \\- Simple DirectMedia Layer SDL2_Image load_xcf_tile_rle Information Disclosure Vulnerability (CVE-2018-3838)\n\n \n \nExploitable vulnerabilities exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds read on the heap, resulting in information disclosure. An attacker can display a specially crafted image to trigger this vulnerability. \n \n\n\n### [TALOS-2018-0521](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0521>) \\- Simple DirectMedia Layer SDL2_Image load_xcf_tile_rle bpp Code Execution Vulnerability (CVE-2018-3839)\n\n \n \nExploitable vulnerabilities exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds read on the heap, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. \n \n\n\n### Coverage\n\n \n \nThe following Snort rules will detect exploitation attempts. Note that additional rules may be \n \nreleased at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org. \n \nSnort Rules: 45017-45018, 45599-45600,45605-45606 \n \n\n\n[](<http://feeds.feedburner.com/~ff/feedburner/Talos?a=R0Kel4TM3T4:ce5-fG9PuzU:yIl2AUoC8zA>)\n\n", "modified": "2018-04-11T17:21:53", "published": "2018-04-11T09:15:00", "id": "TALOSBLOG:12FD65E00A8CA808EFB736D2729B4F5D", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/R0Kel4TM3T4/simple-direct-media-layer-vulnerabilities.html", "type": "talosblog", "title": "Vulnerability Spotlight: Multiple Simple DirectMedia Layer Vulnerabilities", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-04T09:33:42", "bulletinFamily": "blog", "cvelist": ["CVE-2017-2887", "CVE-2017-2888"], "description": "Today, Talos is disclosing two vulnerabilities that have been identified in the Simple DirectMedia Layer library. Simple DirectMedia Layer (SDL) is a cross-platform development library designed for use in video playback software, emulators, and games by providing low level access to audio, keyboard, mouse, joystick, and graphics hardware. SDL, via its SDL_image library, also has the capability to handle various image formats such as XCF, the default layered image format for GIMP. <br /><br />An attacker could compromise a user by exploiting one of these vulnerabilities via a specifically crafted file that SDL would handle, such as a XCF file.<br /><br />Given that numerous applications make use of SDL, Talos has coordinated with the SDL community to disclose these vulnerabilities and ensure that an updated version of the library is available to use.<br /><a name='more'></a><br /><h2>Vulnerability Details</h2>Both vulnerabilities highlighted in this post were identified by <a href=\"http://blogs.cisco.com/author/YvesYounan\">Yves Younan</a>.<br /><h3>CVE-2017-2887/TALOS-2017-0394 - Simple DirectMedia Layer SDL_image XCF Property Handling Code Execution Vulnerability</h3><br />A buffer overflow <a href=\"https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0394\">vulnerability</a> has been identified which could lead to arbitrary code execution on an affected host. This vulnerability manifests due to insufficient validation of data read from a file and subsequent use of the data. In this case, the `id` and `length` attributes read from an XCF image file are used without validation, potentially resulting in a stack-based buffer overflow.<br /><br /><h3>CVE-2017-2888/TALOS-2017-0395 - Simple DirectMedia Layer Create RGB Surface Code Execution Vulnerability</h3><br />An integer overflow <a href=\"https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0395\">vulnerability</a> has been identified which could lead to arbitrary code execution on an affected host. This vulnerability manifests when creating a new RGB surface via a call to the `CreateRGBSurface` function. A sufficiently large width and height value passed to this function could cause a multiplication operation to overflow, thus resulting in too little memory being allocated. Subsequent writes would then be out-of-bounds.<br /><br />For the full technical details of these vulnerabilities, please visit the Vulnerability Reports <a href=\"https://www.talosintelligence.com/vulnerability_info\">portal</a> on our website.<br /><br /><h2>Coverage</h2>Talos has released the following Snort rules to address this vulnerability. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.<br /><br />Snort Rules: 43855-43856, 43858, 43860<div class=\"feedflare\">\n<a href=\"http://feeds.feedburner.com/~ff/feedburner/Talos?a=QgReFDPD7iU:p-SgMVIaoZc:yIl2AUoC8zA\"><img src=\"http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA\" border=\"0\"></img></a>\n</div><img src=\"http://feeds.feedburner.com/~r/feedburner/Talos/~4/QgReFDPD7iU\" height=\"1\" width=\"1\" alt=\"\"/>", "modified": "2017-10-10T14:57:54", "published": "2017-10-10T07:56:00", "id": "TALOSBLOG:4F92D3C486338065D12BD3E18C270668", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/QgReFDPD7iU/sdl-vulnerabilities.html", "title": "Vulnerability Spotlight: Arbitrary Code Execution Bugs in Simple DirectMedia Layer Fixed", "type": "talosblog", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cve": [{"lastseen": "2020-10-03T13:07:35", "description": "An exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.", "edition": 4, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-24T19:29:00", "title": "CVE-2017-14448", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-14448"], "modified": "2020-07-28T15:42:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:libsdl:sdl_image:2.0.2", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-14448", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14448", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:libsdl:sdl_image:2.0.2:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:07:35", "description": "An exploitable code execution vulnerability exists in the ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image can cause a stack overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.", "edition": 4, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-24T19:29:00", "title": "CVE-2017-14440", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-14440"], "modified": "2020-07-28T15:42:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:libsdl:sdl_image:2.0.2", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-14440", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14440", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:libsdl:sdl_image:2.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:07:35", "description": "A buffer overflow vulnerability exists in the GIF image parsing functionality of SDL2_image-2.0.2. A specially crafted GIF image can lead to a buffer overflow on a global section. An attacker can display an image to trigger this vulnerability.", "edition": 4, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "baseScore": 7.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 4.2}, "published": "2018-04-24T19:29:00", "title": "CVE-2017-14450", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-14450"], "modified": "2020-07-28T15:42:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:libsdl:sdl_image:2.0.2", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-14450", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14450", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:libsdl:sdl_image:2.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:07:35", "description": "An exploitable code execution vulnerability exists in the ICO image rendering functionality of SDL2_image-2.0.2. A specially crafted ICO image can cause an integer overflow, cascading to a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.", "edition": 4, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-24T19:29:00", "title": "CVE-2017-14441", "type": "cve", "cwe": ["CWE-190"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-14441"], "modified": "2020-07-28T15:42:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:libsdl:sdl_image:2.0.2", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-14441", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14441", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:libsdl:sdl_image:2.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:07:35", "description": "An exploitable code execution vulnerability exists in the BMP image rendering functionality of SDL2_image-2.0.2. A specially crafted BMP image can cause a stack overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.", "edition": 4, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-24T19:29:00", "title": "CVE-2017-14442", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-14442"], "modified": "2020-07-28T15:42:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:libsdl:sdl_image:2.0.2", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-14442", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14442", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:libsdl:sdl_image:2.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:07:33", "description": "An exploitable code execution vulnerability exists in the ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image can cause a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.", "edition": 4, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-24T19:29:00", "title": "CVE-2017-12122", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12122"], "modified": "2020-07-28T15:42:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:libsdl:sdl_image:2.0.2", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-12122", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12122", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:libsdl:sdl_image:2.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:07:42", "description": "An exploitable buffer overflow vulnerability exists in the XCF property handling functionality of SDL_image 2.0.1. A specially crafted xcf file can cause a stack-based buffer overflow resulting in potential code execution. An attacker can provide a specially crafted XCF file to trigger this vulnerability.", "edition": 5, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2017-10-11T18:29:00", "title": "CVE-2017-2887", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2887"], "modified": "2020-05-22T15:12:00", "cpe": ["cpe:/a:libsdl:sdl_image:2.0.1", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-2887", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2887", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:libsdl:sdl_image:2.0.1:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:20:21", "description": "An exploitable information vulnerability exists in the XCF image rendering functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds read on the heap, resulting in information disclosure. An attacker can display a specially crafted image to trigger this vulnerability.", "edition": 4, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-04-10T21:29:00", "title": "CVE-2018-3838", "type": "cve", "cwe": ["CWE-125", "CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-3838"], "modified": "2020-07-28T15:42:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:libsdl:sdl_image:2.0.2", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2018-3838", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-3838", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:libsdl:sdl_image:2.0.2:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:20:21", "description": "An exploitable code execution vulnerability exists in the XCF image rendering functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.", "edition": 4, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-10T21:29:00", "title": "CVE-2018-3839", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-3839"], "modified": "2020-07-28T15:42:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:libsdl:sdl_image:2.0.2", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2018-3839", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-3839", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:libsdl:sdl_image:2.0.2:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:20:21", "description": "An exploitable information disclosure vulnerability exists in the PCX image rendering functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A specially crafted PCX image can cause an out-of-bounds read on the heap, resulting in information disclosure . An attacker can display a specially crafted image to trigger this vulnerability.", "edition": 4, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-04-10T21:29:00", "title": "CVE-2018-3837", "type": "cve", "cwe": ["CWE-125", "CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-3837"], "modified": "2020-07-28T15:42:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/a:libsdl:sdl_image:2.0.2", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2018-3837", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-3837", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:libsdl:sdl_image:2.0.2:*:*:*:*:*:*:*"]}], "seebug": [{"lastseen": "2017-11-19T11:55:47", "description": "### Summary\r\nAn exploitable buffer overflow vulnerability exists in the XCF property handling functionality of SDL_image 2.0.1. A specially crafted xcf file can cause a stack-based buffer overflow resulting in potential code execution. An attacker can provide a specially crafted XCF file to trigger this vulnerability.\r\n\r\n### Tested Versions\r\nSimple DirectMedia Layer SDL_image 2.0.1\r\n\r\n### Product URLs\r\nhttps://www.libsdl.org/projects/SDL_image/\r\n\r\n### CVSSv3 Score\r\n8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\r\n\r\n### CWE\r\nCWE-121: Stack-based Buffer Overflow\r\n\r\n### Details\r\nSDL_image is a library that handles image loading for the Simple DirectMedia Layer (SDL) library. SDL is a cross-platform library that is designed to provide low-level access to various hardware using OpenGL and Direct3D. The various users of the library include games, video playback software (including VLC), and emulators.\r\n\r\nA vulnerability exits in the SDL_image library's handling of XCF images. When an XCF image is read, its properties will be read from the file and used directly in a read operation, potentially resulting in a stack-based buffer overflow. This problem occurs in the read_xcf_property function of the IMG_xcf.c file:\r\n```\r\n253 static void xcf_read_property (SDL_RWops * src, xcf_prop * prop) {\r\n254 prop->id = SDL_ReadBE32 (src);\r\n255 prop->length = SDL_ReadBE32 (src);\r\n...\r\n261 switch (prop->id) {\r\n...\r\n275 case PROP_COMPRESSION:\r\n276 case PROP_COLOR:\r\n277 SDL_RWread (src, &prop->data, prop->length, 1);\r\n278 break;\r\n...\r\n```\r\n\r\nAt line 254, it will read the id of the property from the file and then at line 255, it will read the length of the property. This length will then be used at line 277 to copy data from `src` into `prop->data` which is 24 bytes in length, causing a buffer overflow if the length provided in the file is larger than 24.\r\n\r\n### Mitigation\r\nAdding a check to ensure that prop->length <= sizeof(prop->data) would fix the issue:\r\n```\r\n--- IMG_xcf.c.orig 2017-07-28 10:39:49.983264935 -0700\r\n+++ IMG_xcf.c 2017-07-28 10:43:42.664540348 -0700\r\n@@ -251,6 +251,7 @@\r\n\r\n\r\n static void xcf_read_property (SDL_RWops * src, xcf_prop * prop) {\r\n+ unsigned int len;\r\nprop->id = SDL_ReadBE32 (src);\r\nprop->length = SDL_ReadBE32 (src); \r\n\r\n@@ -274,7 +275,11 @@\r\n break;\r\n case PROP_COMPRESSION:\r\ncase PROP_COLOR:\r\n- SDL_RWread (src, &prop->data, prop->length, 1);\r\n+ if (prop->length>sizeof(prop->data))\r\n+ len = sizeof(prop->data);\r\n+ else\r\n+ len = prop->length;\r\n+ SDL_RWread (src, &prop->data, len, 1);\r\n break;\r\n case PROP_VISIBLE:\r\n prop->data.visible = SDL_ReadBE32 (src);\r\n```\r\n\r\n### Timeline\r\n2017-10-06 - Vendor Disclosure\r\n2017-10-10 - Public Release", "published": "2017-11-06T00:00:00", "type": "seebug", "title": "Simple DirectMedia Layer SDL_image XCF Property Handling Code Execution Vulnerability(CVE-2017-2887)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-2887"], "modified": "2017-11-06T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96794", "id": "SSV:96794", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "fedora": [{"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2887", "CVE-2018-3837", "CVE-2018-3977"], "description": "Simple DirectMedia Layer (SDL2) is a cross-platform multimedia library designed to provide fast access to the graphics frame buffer and audio device. This package contains a simple library for loading images of various formats (BMP, PPM, PCX, GIF, JPEG, PNG) as SDL2 surfaces. ", "modified": "2018-11-15T02:30:41", "published": "2018-11-15T02:30:41", "id": "FEDORA:E3A7760F6011", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: mingw-SDL2_image-2.0.4-1.fc28", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2887", "CVE-2018-3837", "CVE-2018-3977"], "description": "Simple DirectMedia Layer (SDL2) is a cross-platform multimedia library designed to provide fast access to the graphics frame buffer and audio device. This package contains a simple library for loading images of various formats (BMP, PPM, PCX, GIF, JPEG, PNG) as SDL2 surfaces. ", "modified": "2018-11-15T03:16:30", "published": "2018-11-15T03:16:30", "id": "FEDORA:D7BA9659EBC2", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: mingw-SDL2_image-2.0.4-1.fc29", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2887"], "description": "Simple DirectMedia Layer (SDL) is a cross-platform multimedia library designed to provide fast access to the graphics frame buffer and audio device. This package contains a simple library for loading images of various formats (BMP, PPM, PCX, GIF, JPEG, PNG) as SDL surfaces. ", "modified": "2017-10-15T21:33:40", "published": "2017-10-15T21:33:40", "id": "FEDORA:BA2156076D19", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: SDL2_image-2.0.1-8.fc27", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2887"], "description": "Simple DirectMedia Layer (SDL) is a cross-platform multimedia library designed to provide fast access to the graphics frame buffer and audio device. This package contains a simple library for loading images of various formats (BMP, PPM, PCX, GIF, JPEG, PNG) as SDL surfaces. ", "modified": "2017-10-19T15:21:44", "published": "2017-10-19T15:21:44", "id": "FEDORA:3DF646078C26", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: SDL2_image-2.0.1-8.fc26", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2887"], "description": "Simple DirectMedia Layer (SDL) is a cross-platform multimedia library designed to provide fast access to the graphics frame buffer and audio device. This package contains a simple library for loading images of various formats (BMP, PPM, PCX, GIF, JPEG, PNG) as SDL surfaces. ", "modified": "2017-10-19T19:21:05", "published": "2017-10-19T19:21:05", "id": "FEDORA:79E9C6125E25", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: SDL2_image-2.0.1-8.fc25", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "talos": [{"lastseen": "2020-07-01T21:25:30", "bulletinFamily": "info", "cvelist": ["CVE-2017-14448"], "description": "# Talos Vulnerability Report\n\n### TALOS-2017-0497\n\n## Simple DirectMedia Layer SDL2_image load_xcf_tile_rle Decompression Code Execution Vulnerability\n\n##### March 1, 2018\n\n##### CVE Number\n\nCVE-2017-14448\n\n### Summary\n\nAn exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.\n\n### Tested Versions\n\nSimple DirectMedia Layer SDL2_image 2.0.2\n\n### Product URLs\n\n<https://www.libsdl.org/projects/SDL_image/>\n\n### CVSSv3 Score\n\n8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-122: Heap-based Buffer Overflow\n\n### Details\n\nLibSDL is a multi-platform library for easy access to low level hardware and graphics, providing support for a large amount of games, software, and emulators. The last known count of software using LibSDL (from 2012) listed the number at upwards of 120. The LibSDL2_Image library is an optional component that deals specifically with parsing and displaying a variety of image file formats, creating a single and uniform API for image processing, regardless of the type.\n\nWhen parsing and storing an XCF file (the native file type for Gimp), the LibSDL2 library implements a custom RLE inflater for the compressed XCF data. The code that handlese this is listed below:\n \n \n //IMG_xcf.c\n static unsigned char * load_xcf_tile_rle (SDL_RWops * src, Uint32 len, int bpp, int x, int y) \n \tunsigned char * load, * t, * data, * d;\n \tUint32 reallen;\n \t\tint i, size, count, j, length;\n \t\tunsigned char val;\n \n\nt = load = (unsigned char *) SDL_malloc (len); //[1] reallen = SDL_RWread (src, t, 1, len); //[2] \n \n \n \tdata = (unsigned char *) SDL_malloc (x*y*bpp); //[3]\n \t[...]\n \n\nFrom the above, it should be noted that the `bpp`,`x`, and `y` parameters are all under the file\u2019s control, and also that the `len` parameter is calculated from `x*y*6`. At [1], memory is allocated to read in the compressed RLE data at [2]. Interestingly, the reallen parameter is never checked, so if the read fails, this RLE decompression will occur on the bytes already located in memory. At [3], space is allocated for the decompressed pixel data to be written. As expected, the size is the dimensions multiplied by the bytes-per-pixel. The code then proceeds to loop and populate the pixel data in the new buffer. Continuing from the previous code:\n \n \n [...]\n data = (unsigned char *) SDL_malloc (x*y*bpp);\n for (i = 0; i < bpp; i++) { //[1]\n \t\td = data + i; //[2]\n \t\tsize = x*y; \n \t\tcount = 0;\n \n \t\twhile (size > 0) { //size == amount of pixels (=>total size == x*y*bpp) //[3]\n [...]\n \n\nThe outer loop at [1] designates that it is writing to the i\u2019th byte for each pixel. Thus, if there are 8 bytes per pixel, the loop is going to be writing to the 0th,8th,16th\u2026. N_8th byte for the array of pixels, which is done for optimization purposes. The \u2018d\u2019 variable at [2] will be the pointer used to write into the destination, and the \u2018size\u2019 variable at [3] is used to determine if every N_bbp\u2019th byte has been written to or not. Continuing on from this block:\n \n \n [...]\n while (size > 0) { //size == amount of pixels (=>total size == x*y*bpp) \n \t\tval = *t++; // [1]\n \t\tlength = val;\n \n \t\tif (length >= 128) { // Cast unsigned char => signed char\n \t\t\tlength = 255 - (length - 1); \n \t\t\tif (length == 128) { // [2]\n \t\t\t\tlength = (*t << 8) + t[1];\n \t\t\t\tt += 2;\n \t\t\t}\n \n [\u2026]\n \n\nUsing the \u2018size\u2019 variable to determine how many pixels have been written to, the code starts to read in the RLE compressed data and write to the newly allocated memory at \u2018data\u2019. The first byte read at [1], \u2018length\u2019, is used to determine how many pixels to write into the image. There are three different cases for this byte, the above code covers the cases of \u2018length\u2019 &gt;= 0x80. If \u2018length\u2019 &gt; 0x80, then the length is two\u2019s complimented and the program assumes that the following data has not been compressed, and writes in different consecutive bytes. For example, if the following byte sequence was first read in, 0xFE 0xAA 0xBB, then the program would write 0xAA to the i\u2019th byte of the allocated image memory, and 0xBB to the (x*bpp)+i byte, for x in range(0,length). After this, the program would look for another \u2018length\u2019 byte, since (0xFF \u2013 (0xFE-1)) == 2.\n\nIf the \u2018length\u2019 byte is 0x80, this designates that the program must read in the next two bytes as the length instead. Thus, for the byte sequence 0x80 0x30 0x30 0xAA 0xBB\u2026 The program would read in 0x3030 as the amount of bytes to write, and then write 0xAA to the i\u2019th byte, 0xBB to the (length_bpp)+i byte and so forth, until it writes 0x3030 bytes, ending at data+(0x3030_bpp)+i.\n\nIn cases where \u2018length\u2019 &lt; 0x80, it\u2019s almost the same, except that the program assumes a compressed string of pixel data. Thus, for a byte sequence of 0x7f 0x30 0x30 0xAA, the program would write 0x30 to i\u2019th byte of the first 0x7f pixels, and then 0xAA to the i\u2019th byte of the next 0x30 pixels.\n \n \n count += length; // not used, lol\n \tsize -= length; // [1] \n \n \twhile (length-- > 0) { // [2] \n \t\t*d = *t++;\n \t\td += bpp;\n }\n \n\nBut before all this writing occurs at [2], after the bytes have been parsed, the size variable is decremented by the length variable at [1]. Remember that the \u2018size variable is used to determine if the program should use to continue writing. Unfortunately, there are no checks in between the size subtraction and the data writing, so if the length variable goes past the total size of the allocated buffer, the write will still occur, resulting in a heap-based overflow.\n\n### Crash Information\n\nProgram received signal SIGSEGV, Segmentation fault. 0x00007ffff784a196 in load_xcf_tile_rle (src=0xc63b00, len=0x309b, bpp=0x3, x=0x40, y=0x40) at IMG_xcf.c:510 warning: Source file is more recent than executable. 510 size -= length; \u2014\u2014\u2014\u2014\u2014[ registers ]\u2014- $rax : 0x0000000000c8d000 $rbx : 0x0000000000000000 $rcx : 0x00007ffff781f620 -&gt; 0x0000000100000000 $rdx : 0x0000000000000000 $rsp : 0x00007fffffffde80 -&gt; 0x00007fffffffdef0 -&gt; 0x00007fffffffdfa0 -&gt; 0x00007fffffffe060 -&gt; 0x00007fffffffe0a0 -&gt; 0x00007fffffffe0d0 -&gt; 0x00007fffffffe110 -&gt; 0x0000000000000000 $rbp : 0x00007fffffffdef0 -&gt; 0x00007fffffffdfa0 -&gt; 0x00007fffffffe060 -&gt; 0x00007fffffffe0a0 -&gt; 0x00007fffffffe0d0 -&gt; 0x00007fffffffe110 -&gt; 0x0000000000000000 $rsi : 0x0000000000000039 $rdi : 0x00007ffff7dd4540 -&gt; 0x000000000000003a (\u201c:\u201d?) $rip : 0x00007ffff784a196 -&gt; &lt;load_xcf_tile_rle+279&gt; mov BYTE PTR [rax], dl $r8 : 0x0000000000000003 $r9 : 0x0000000000c656f0 -&gt; 0x4220308041203080 $r10 : 0x000000000000023a $r11 : 0x0000000000000000 $r12 : 0x0000000000400a10 -&gt; &lt;_start+0&gt; xor ebp, ebp $r13 : 0x00007fffffffe1f0 -&gt; 0x0000000000000002 $r14 : 0x0000000000000000 $r15 : 0x0000000000000000 $eflags: [carry parity adjust zero sign trap INTERRUPT direction overflow RESUME virtualx86 identification] \u2014\u2014\u2014\u2014\u2014\u2014-[ stack ]\u2014- 0x00007fffffffde80|+0x00: 0x00007fffffffdef0 -&gt; 0x00007fffffffdfa0 -&gt; 0x00007fffffffe060 -&gt; 0x00007fffffffe0a0 -&gt; 0x00007fffffffe0d0 -&gt; 0x00007fffffffe110 -&gt; 0x0000000000000000 &lt;-$rsp 0x00007fffffffde88|+0x08: 0x0000004000000040 (\u201c@\u201d?) 0x00007fffffffde90|+0x10: 0x0000309b00000003 0x00007fffffffde98|+0x18: 0x0000000000c63b00 -&gt; 0x00007ffff7aace48 -&gt; &lt;stdio_size+0&gt; push rbp 0x00007fffffffdea0|+0x20: 0x0000000000000000 0x00007fffffffdea8|+0x28: 0x80007ffff74ec97d 0x00007fffffffdeb0|+0x30: 0x0000000000c6d520 -&gt; 0x00307f0080810041 (\u201cA\u201d?) 0x00007fffffffdeb8|+0x38: 0x00000010f7aacf03 \u2014\u2014\u2013[ code:i386:x86-64 ]\u2014- 0x7ffff784a183 &lt;load_xcf_tile_rle+260&gt; mov rax, QWORD PTR [rbp-0x8] 0x7ffff784a187 &lt;load_xcf_tile_rle+264&gt; lea rdx, [rax+0x1] 0x7ffff784a18b &lt;load_xcf_tile_rle+268&gt; mov QWORD PTR [rbp-0x8], rdx 0x7ffff784a18f &lt;load_xcf_tile_rle+272&gt; movzx edx, BYTE PTR [rax] 0x7ffff784a192 &lt;load_xcf_tile_rle+275&gt; mov rax, QWORD PTR [rbp-0x10] -&gt;0x7ffff784a196 &lt;load_xcf_tile_rle+279&gt; mov BYTE PTR [rax], dl 0x7ffff784a198 &lt;load_xcf_tile_rle+281&gt; mov eax, DWORD PTR [rbp-0x60] 0x7ffff784a19b &lt;load_xcf_tile_rle+284&gt; cdqe \n0x7ffff784a19d &lt;load_xcf_tile_rle+286&gt; add QWORD PTR [rbp-0x10], rax 0x7ffff784a1a1 &lt;load_xcf_tile_rle+290&gt; mov eax, DWORD PTR [rbp-0x24] 0x7ffff784a1a4 &lt;load_xcf_tile_rle+293&gt; lea edx, [rax-0x1] \u2014-[ source:IMG_xcf.c+510 ]\u2014- 506 t += 2; 507 } 508 \n509 count += length; // size=-0xc3f0L, length=0x2afaL -&gt; 510 size -= length; 511 \n512 while (length\u2013 &gt; 0) { //when we overstep, length == 0x27. 513 *d = *t++; 514 d += bpp; \u2014\u2014\u2014\u2014\u2014\u2013[ threads ]\u2014- [#0] Id 5, Name: \u201cimg_read_plain\u201d, stopped, reason: SIGSEGV [#1] Id 4, Name: \u201cimg_read_plain\u201d, stopped, reason: SIGSEGV [#2] Id 3, Name: \u201cimg_read_plain\u201d, stopped, reason: SIGSEGV [#3] Id 2, Name: \u201cimg_read_plain\u201d, stopped, reason: SIGSEGV [#4] Id 1, Name: \u201cimg_read_plain\u201d, stopped, reason: SIGSEGV \u2014\u2014\u2014\u2014\u2014\u2014-[ trace ]\u2014- [#0] 0x7ffff784a196-&gt;Name: load_xcf_tile_rle(src=0xc63b00, len=0x309b, bpp=0x3, x=0x40, y=0x40) [#1] 0x7ffff784a55d-&gt;Name: do_layer_surface(surface=0xc4fae0, src=0xc63b00, head=0xc4f020, layer=0x818d30, load_tile=0x7ffff784a07f ) [#2] 0x7ffff784ae24-&gt;Name: IMG_LoadXCF_RW(src=0xc63b00) [#3] 0x7ffff78287ef-&gt;Name: IMG_LoadTyped_RW(src=0xc63b00, freesrc=0x1, type=0x7fffffffe4eb \"(x_ x)\") [#4] 0x7ffff78285e0-&gt;Name: IMG_Load(file=0x7fffffffe4ea \"(x_ x)\") [#5] 0x400b85-&gt;Name: main(argc=0x2, argv=0x7fffffffe1f8) \\------------------------------------------------------------------------------------------------------------------------\n\n### Timeline\n\n2017-11-28 - Vendor Disclosure \n2018-03-01 - Public Release\n\n##### Credit\n\nDiscovered by Lilith (&gt;;_;)&gt; of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2017-0498\n\nPrevious Report\n\nTALOS-2017-0491\n", "edition": 6, "modified": "2018-03-01T00:00:00", "published": "2018-03-01T00:00:00", "id": "TALOS-2017-0497", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0497", "title": "Simple DirectMedia Layer SDL2_image load_xcf_tile_rle Decompression Code Execution Vulnerability", "type": "talos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-01T21:24:53", "bulletinFamily": "info", "cvelist": ["CVE-2017-14440"], "description": "# Talos Vulnerability Report\n\n### TALOS-2017-0489\n\n## Simple DirectMedia Layer SDL2_image ILBM CMAP Parsing Code Execution Vulnerability\n\n##### March 1, 2018\n\n##### CVE Number\n\nCVE-2017-14440 \n\n### Summary\n\nAn exploitable code execution vulnerability exists in the ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image can cause a stack overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.\n\n### Tested Versions\n\nSimple DirectMedia Layer SDL2_image 2.0.2\n\n### Product URLs\n\n<https://www.libsdl.org/projects/SDL_image/>\n\n### CVSSv3 Score\n\n8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-121: Stack-based Buffer Overflow\n\n### Details\n\nLibSDL is a multi-platform library for easy access to low level hardware and graphics, providing support for a large amount of games, software, and emulators, including \u201cAngry Birds\u201d, \u201cUnreal Tournament\u201d, \u201cVisualBoyAdvance\u201d and \u201cVLC\u201d. The last known count of software using LibSDL (from 2012) listed the number at upwards of 120. The LibSDL2_Image library subcomponent deals specifically with parsing and displaying a variety of image file formats, creating a single and uniform API for image processing, regardless of the type.\n\nWhen reading an ILBM file to be displayed, as per the ILBM file format (https://en.wikipedia.org/wiki/ILBM#BMHD:_Bitmap_Header)[ https://en.wikipedia.org/wiki/ILBM#BMHD:_Bitmap_Header], a \u201cCMAP\u201d attribute must be parsed. LibSDL2_Image does this by doing a memcmp of four bytes with the current offset into the file read, and then reading the following bytes into the colormap variable with the following code:\n\nif ( !SDL_memcmp( id, \u201cCMAP\u201d, 4 ) ) /* palette ( Color Map ) */ \n \n \n \t{\n \tif ( !SDL_RWread( src, &colormap, size, 1 ) )\n \n\nThe SDL_Rwread function is essentially a call to fread as such:\n \n \n nread = fread(ptr, size, maxnum, context->hidden.stdio.fp);\n \n\nUnfortunately, the size variable, which determines how much is read from the image file into the colormap stack variable, has no checks on it whatsoever.\n \n \n if ( !SDL_RWread( src, &size, 4, 1 ) ) [1]\n { \n error=\"error reading IFF chunk size\";\n goto done;\n }\n bytesloaded = 0;\n size = SDL_SwapBE32( size ); [2]\n \n\nIt\u2019s taken as 4 bytes straight from the file [1] and then reversed in byte order [2]. As mentioned before, once a \u201cCMAP\u201d tag is found inside of the file, it will attempt to copy \u2018size\u2019 bytes into the &amp;colormap, which is defined as such:\n \n \n SDL_Surface *IMG_LoadLBM_RW( SDL_RWops *src )\n {\n \t Sint64 start;\n \t SDL_Surface *Image;\n \tUint8 id[4], pbm, colormap[MAXCOLORS*3], *MiniBuf, *ptr, count, color, msk;\n \n\nWith the MAXCOLOR macro defined as 255. Thus, for any \u2018size\u2019 variable greater than 0x300, there will be an unrestricted stack based overflow with attacker controlled data.\n\n### Crash Information\n \n \n --------------------------------------------------------------------------[ registers ]----\n $rax : 0x0000000000000000\n $rbx : 0x0000000000000000\n $rcx : 0x00007ffff7b95fa2 -> 0x7720726f72724500\n $rdx : 0xd4ff668104110000\n $rsp : 0x00007fffffffdc78 -> 0x00007ffff7afcd0e -> <SDL_free_REAL+37> mov esi, 0xffffffff\n $rbp : 0x00007fffffffdc90 -> 0x00007fffffffdcb0 -> 0x00007fffffffe0a0 -> 0x40fd3a95294020c4\n $rsi : 0x00007ffff7b95f85 -> \"Error reading from datastream\"\n $rdi : 0xd4ff668104110000\n $rip : 0x00007ffff74f6614 -> <free+20> mov rax, QWORD PTR [rdi-0x8]\n $r8 : 0x0000000000000004\n $r9 : 0x00007ffff7fd6700 -> 0x00007ffff7fd6700 -> [loop detected]\n $r10 : 0x00007fffffffda80 -> 0x0000000000000000\n $r11 : 0x00007ffff7aa0ad0 -> <SDL_free+0> push rbp\n $r12 : 0x0000000000400a10 -> <_start+0> xor ebp, ebp\n $r13 : 0x00007fffffffe230 -> 0xfbaffffeffa7a323\n $r14 : 0x0000000000000000\n $r15 : 0x0000000000000000\n $eflags: [carry PARITY adjust zero SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]\n ------------------------------------------------------------------------------[ stack ]----\n 0x00007fffffffdc78|+0x00: 0x00007ffff7afcd0e -> <SDL_free_REAL+37> mov esi, 0xffffffff <-$rsp\n 0x00007fffffffdc80|+0x08: 0x0000000000000001\n 0x00007fffffffdc88|+0x10: 0xd4ff668104110000\n 0x00007fffffffdc90|+0x18: 0x00007fffffffdcb0 -> 0x00007fffffffe0a0 -> 0x40fd3a95294020c4 <-$rbp\n 0x00007fffffffdc98|+0x20: 0x00007ffff7aa0aec -> <SDL_free+28> leave \n 0x00007fffffffdca0|+0x28: 0x00007ffff7fd6700 -> 0x00007ffff7fd6700 -> [loop detected]\n 0x00007fffffffdca8|+0x30: 0xd4ff668104110000\n 0x00007fffffffdcb0|+0x38: 0x00007fffffffe0a0 -> 0x40fd3a95294020c4\n -------------------------------------------------------------------[ code:i386:x86-64 ]----\n 0x7ffff74f6607 <free+7> mov rax, QWORD PTR [rax]\n 0x7ffff74f660a <free+10> test rax, rax\n 0x7ffff74f660d <free+13> jne 0x7ffff74f6682 <__GI___libc_free+130>\n 0x7ffff74f660f <free+15> test rdi, rdi\n 0x7ffff74f6612 <free+18> je 0x7ffff74f6680 <__GI___libc_free+128>\n ->0x7ffff74f6614 <free+20> mov rax, QWORD PTR [rdi-0x8]\n 0x7ffff74f6618 <free+24> lea rsi, [rdi-0x10]\n 0x7ffff74f661c <free+28> test al, 0x2\n 0x7ffff74f661e <free+30> jne 0x7ffff74f6640 <__GI___libc_free+64>\n 0x7ffff74f6620 <free+32> test al, 0x4\n 0x7ffff74f6622 <free+34> lea rdi, [rip+0x328ff7] # 0x7ffff781f620 <main_arena>\n ----------------------------------------------------------------------------[ threads ]----\n [#0] Id 5, Name: \"img_read_plain\", stopped, reason: SIGSEGV\n [#1] Id 4, Name: \"img_read_plain\", stopped, reason: SIGSEGV\n #2] Id 3, Name: \"img_read_plain\", stopped, reason: SIGSEGV\n [#3] Id 2, Name: \"img_read_plain\", stopped, reason: SIGSEGV\n [#4] Id 1, Name: \"img_read_plain\", stopped, reason: SIGSEGV\n ------------------------------------------------------------------------------[ trace ]----\n #0 __GI___libc_free (mem=0xd4ff668104110000) at malloc.c:2929\n #1 0x00007ffff7afcd0e in SDL_free_REAL (ptr=0xd4ff668104110000) at /root/work_work/triages/libsdl/SDL2-2.0.7/src/stdlib/ \n SDL_malloc.c:5372\n #2 0x00007ffff7aa0aec in SDL_free (a=0xd4ff668104110000) at /root/work_work/triages/libsdl/SDL2-2.0.7/src/dynapi/ \n SDL_dynapi_procs.h:408\n #3 0x00007ffff782da5f in IMG_LoadLBM_RW (src=0xc4da70) at IMG_lbm.c:466\n #4 0xffffaefdff7efe68 in ?? ()\n #5 0x252180a6bdd00dad in ?? ()\n #6 0x3a75d972bccbffdc in ?? ()\n #7 0x0000d2ffae89353f in ?? ()\n #8 0xff6f8104110038fe in ?? ()\n #9 0xae561f5bbdf6a6ba in ?? ()\n #10 0x95d1f6f57ebfd5bf in ?? ()\n #11 0xfdefeffefdfdfb8b in ?? ()\n \n\n### Timeline\n\n2017-11-28 - Vendor Disclosure \n2018-03-01 - Public Release\n\n##### Credit\n\nDiscovered by Lilith &lt;(^~^)&gt; of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2018-0001\n\nPrevious Report\n\nTALOS-2017-0510\n", "edition": 9, "modified": "2018-03-01T00:00:00", "published": "2018-03-01T00:00:00", "id": "TALOS-2017-0489", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0489", "title": "Simple DirectMedia Layer SDL2_image ILBM CMAP Parsing Code Execution Vulnerability", "type": "talos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-01T21:25:10", "bulletinFamily": "info", "cvelist": ["CVE-2017-14450"], "description": "# Talos Vulnerability Report\n\n### TALOS-2017-0499\n\n## Simple DirectMedia Layer SDL2_Image LWZ Decompression Buffer Overflow Vulnerability\n\n##### March 1, 2018\n\n##### CVE Number\n\nCVE-2017-14450 \n\n### Summary\n\nA buffer overflow vulnerability exists in the GIF image parsing functionality of SDL2_image-2.0.2. A specially crafted GIF image can lead to a buffer overflow on a global section. An attacker can display an image to trigger this vulnerability.\n\n### Tested Versions\n\nSimple DirectMedia Layer SDL2_image 2.0.2\n\n### Product URLs\n\n<https://www.libsdl.org/projects/SDL_image/>\n\n### CVSSv3 Score\n\n7.1 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H\n\n### CWE\n\nCWE-121: Stack-based Buffer Overflow\n\n### Details\n\nLibSDL is a multi-platform library for easy access to low level hardware and graphics, providing support for a large amount of games, software, and emulators. The last known count of software using LibSDL (from 2012) listed the number at upwards of 120. The LibSDL2_Image library is an optional component that deals specifically with parsing and displaying a variety of image file formats, creating a single and uniform API for image processing, regardless of the type.\n\nWhen reading in a GIF image, LibSDL2_Image allocates a buffer of appropriate size and then proceeds to populate the buffer with the appropriate pixel data, as expected. When dealing with GIF images, the color data is LZW compressed, and decompression must naturally occur before the image data buffer can be populated. For an in-depth overview of LZW, please refer to <http://giflib.sourceforge.net/whatsinagif/lzw_image_data.html>.\n\nNeedless to say, the code for this is a little complex, so it will hopefully broken down into easier pieces below. The code starts here:\n \n \n // IMG_gif.c:541\n static Image * ReadImage(SDL_RWops * src, int len, int height, int cmapSize,\n \t unsigned char cmap[3][MAXCOLORMAPSIZE],\n \tint gray, int interlace, int ignore)\n {\n \t\tImage *image;\n \t\tunsigned char c;\n \t\tint i, v;\n \t\tint xpos = 0, ypos = 0, pass = 0;\n \n\n/* ** Initialize the compression routines */ \n \n \n \t\tif (!ReadOK(src, &c, 1)) {\n \t\t \tRWSetMsg(\"EOF / read error on image data\");\n \t\t\t return NULL;\n \t\t}\n \t\tif (LWZReadByte(src, TRUE, c) < 0) { \t\t//[1]\n \t\t\tRWSetMsg(\"error reading image\");\n \t\t\treturn NULL;\n \t[...]\n \t\timage = ImageNewCmap(len, height, cmapSize);\n \n \t\tfor (i = 0; i < cmapSize; i++)\n \t\t\tImageSetCmap(image, i, cmap[CM_RED][i],\n \n \tcmap[CM_GREEN][i], cmap[CM_BLUE][i]);\n \n \t\twhile ((v = LWZReadByte(src, FALSE, c)) >= 0) { //[2]\n \t\t\t#ifdef USED_BY_SDL\n \t\t\t((Uint8 *)image->pixels)[xpos + ypos * image->pitch] = v;\n \t\t\t#else\n \t\t\timage->data[xpos + ypos * len] = v;\n \t[...]\n \n\nThe ReadImage function decompresses the GIF image via the LWZReadBytes function called at [1] and [2]. At [1], the first call is just used to initialize the state of the LWZReadBytes function, and all of the static variables inside, this is what the \u2018TRUE\u2019 bool is used for. After this, LWZReadBytes is called inside of a loop at [2], to actually grab the data from the file and begin to populate the pixel data, whose code we will ignore, as the bug path leads into the LWZReadByte funtion:\n \n \n \tstatic int LWZReadByte(SDL_RWops *src, int flag, int input_code_size)\n {\n \t\tstatic int fresh = FALSE; \n \t\tint code, incode; \t\t\t\t\t //[1]\n \t\tstatic int code_size, set_code_size; \t\t\t //[2]\n \t\tstatic int max_code, max_code_size; \t\t \n \t\tstatic int firstcode, oldcode;\n \t\tstatic int clear_code, end_code;\n \t\tstatic int table[2][(1 << MAX_LWZ_BITS)]; \t //[4]\n \t\tstatic int stack[(1 << (MAX_LWZ_BITS)) * 2], *sp; //[5]\n \t\tregister int i;\n \n \t\t/* Fixed buffer overflow found by Michael Skladnikiewicz */\n \t\tif (input_code_size > MAX_LWZ_BITS)\n \t\t return -1;\n \n \t\tif (flag) { //Flag => initialization\n \t[\u2026]\n \n\nif (sp &gt; stack) \n \n \n \t\t\treturn *--sp;\n \n \t\twhile ((code = GetCode(src, code_size, FALSE)) >= 0) { //[3]\n \n\nAs mentioned, the code is going to get somewhat complex here, so heres a quick overview of the more relevant variables above: At [1], the `code` is given, which describes the current LZW code. This can be a value in the range of (1, 1\u00abcode_size), which in this case is (0x1,0x200). This limit is enforced inside of the GetCode(src, code_size,FALSE) call at [3]. The table variable at [4] is used to store the known LZW code sequences, and is typically known as a LZW code table. The stack variable at [5] is used to store a stack of LZW sequences, with the `*sp` pointer being assigned to the address of \u2018stack\u2019 at initialization. Regardless of of all of this, the bug just mainly involves the following code segment:\n \n \n while ((code = GetCode(src, code_size, FALSE)) >= 0) {\n [...]\n // not clear code and not end code\n \twhile (code >= clear_code) { \t// [1]\n \t/* Guard against buffer overruns */\n \t\tif (code < 0 || code >= (1 << MAX_LWZ_BITS)) { //[2]\n \tRWSetMsg(\"invalid LWZ data\");\n \treturn -3;\n \t}\n \t*sp++ = table[1][code]; \t//[3]\n \tif (code == table[0][code])\n \t\tRWSetMsg(\"circular table entry BIG ERROR\");\n \tcode = table[0][code]; \t//[4]\n }\n \n\nAssuming that the LWZ code found is greater than the clear code (0x100) at [1], the decompression algorithm will start to unpack the LWZ codes into the LWZ stack, which is done at [3]. The underlying issue lies in that, even though there\u2019s a check on buffer overruns at [2], if we insert a value into table[0][code] such that (table[0][code] == code &amp;&amp; code &gt;= clear_code), then the while loop at [1] will never exit, and `*sp` will be continually advanced past the bounds of stack variable, causing an overflow.\n\nIt should be noted that there are quite a few restrictions to this OOB write, since the \u2018stack\u2019 variable is a static variable, the OOB write actually occurs in the global variable section in memory for the LibSDL2_image library, and not the stack itself, such that only other global library variables below \u2018stack\u2019 can be written.\n\nAlso, the values written can only be valid LWZ codes, such that the range is restricted to values (1,1\u00ab(code_size)), as mentioned before, which is (0x1,0x200). Also of note is that the pointer being incremented is a (int *) pointer, and not a (char *) pointer, so the values in memory will look as such (for code 0x77):\n \n \n <(^_^)> x/40gx sp-0x40\n 0x7ffff7a63f04: 0x0000007700000077 0x0000007700000077\n 0x7ffff7a63f14: 0x0000007700000077 0x0000007700000077\n 0x7ffff7a63f24: 0x0000007700000077 0x0000007700000077\n 0x7ffff7a63f34: 0x0000007700000077 0x0000007700000077\n \n\n### Crash Information\n \n \n Program received signal SIGSEGV, Segmentation fault.\n 0x00007ffff782b552 in LWZReadByte (src=0xc63e70, flag=0x0, input_code_size=0x8) at IMG_gif.c:499\n 499 /* Guard against buffer overruns */\n ---------------[ registers ]----\n $rax : 0x00007ffff7a64000 -> 0x00010102464c457f\n $rbx : 0x0000000000000000\n $rcx : 0x00000000000044f4\n $rdx : 0x0000000000000077\n $rsp : 0x00007fffffffdb40 -> 0x0000000000000008\n $rbp : 0x00007fffffffdc70 -> 0x00007fffffffdcc0 -> 0x00007fffffffe050 -> 0x00007fffffffe090 -> 0x00007fffffffe0c0 -> 0x00007fffffffe100 -> \n 0x0000000000000000\n $rsi : 0x00007fffffffd880 -> \"circular table entry BIG ERROR\"\n $rdi : 0x0000000000000001\n $rip : 0x00007ffff782b552 -> <LWZReadByte+1002> mov DWORD PTR [rax], edx\n $r8 : 0x000000000000ffff\n $r9 : 0x65875f9a7a257d5e\n $r10 : 0x691bd05d945a5a55\n $r11 : 0x0000000000000206\n $r12 : 0x0000000000400a10 -> <_start+0> xor ebp, ebp\n $r13 : 0x00007fffffffe1e0 -> 0x0000000000000002\n $r14 : 0x0000000000000000\n $r15 : 0x0000000000000000\n $eflags: [carry parity adjust zero sign trap INTERRUPT direction overflow RESUME virtualx86 identification]\n -------------------[ stack ]----\n 0x00007fffffffdb40|+0x00: 0x0000000000000008 <-$rsp\n 0x00007fffffffdb48|+0x08: 0x0000000000c63e70 -> 0x00007ffff7aace48 -> <stdio_size+0> push rbp\n 0x00007fffffffdb50|+0x10: 0x0000000000000080\n 0x00007fffffffdb58|+0x18: 0x0000000000000001\n 0x00007fffffffdb60|+0x20: 0x00007fffffffdb90 -> 0x00007fffffffdbe0 -> 0x00007fffffffdc20 -> 0x00007fffffffdc60 -> 0x00007fffffffdcc0 -> \n 0x00007fffffffe050 -> 0x00007fffffffe090\n 0x00007fffffffdb68|+0x28: 0x0000000000c28960 -> 0x0000000000000000\n 0x00007fffffffdb70|+0x30: 0x00007fffffffdb90 -> 0x00007fffffffdbe0 -> 0x00007fffffffdc20 -> 0x00007fffffffdc60 -> 0x00007fffffffdcc0 -> \n 0x00007fffffffe050 -> 0x00007fffffffe090\n 0x00007fffffffdb78|+0x38: 0x00007ffff7b59d50 -> <SDL_AllocBlitMap+23> mov QWORD PTR [rbp-0x8], rax\n --------[ code:i386:x86-64 ]---- 0x7ffff782b536 <LWZReadByte+974> movsxd rdx, edx 0x7ffff782b539 <LWZReadByte+977> add rdx, 0x1000 0x7ffff782b540 <LWZReadByte+984> lea rcx, [rdx*4+0x0] 0x7ffff782b548 <LWZReadByte+992> lea rdx, [rip+0x2282f1] # 0x7ffff7a53840 <table.9973> 0x7ffff782b54f <LWZReadByte+999> mov edx, DWORD PTR [rcx+rdx*1] ->0x7ffff782b552 <LWZReadByte+1002> mov DWORD PTR [rax], edx 0x7ffff782b554 <LWZReadByte+1004> mov eax, DWORD PTR [rbp-0x14] 0x7ffff782b557 <LWZReadByte+1007> cdqe 0x7ffff782b559 <LWZReadByte+1009> lea rdx, [rax*4+0x0] 0x7ffff782b561 <LWZReadByte+1017> lea rax, [rip+0x2282d8] # 0x7ffff7a53840 <table.9973> 0x7ffff782b568 <LWZReadByte+1024> mov eax, DWORD PTR [rdx+rax*1]\n ----[ source:IMG_gif.c+499 ]----\n 495 *sp++ = firstcode;\n 496 code = oldcode;\n 497 }\n 498 while (code >= clear_code) {\n -> 499 /* Guard against buffer overruns */\n 500 if (code < 0 || code >= (1 << MAX_LWZ_BITS)) {\n 501 RWSetMsg(\"invalid LWZ data\");\n 502 return -3;\n 503 }\n -----------------[ threads ]----\n [#0] Id 5, Name: \"img_read_plain\", stopped, reason: SIGSEGV\n [#1] Id 4, Name: \"img_read_plain\", stopped, reason: SIGSEGV\n [#2] Id 3, Name: \"img_read_plain\", stopped, reason: SIGSEGV\n [#3] Id 2, Name: \"img_read_plain\", stopped, reason: SIGSEGV\n [#4] Id 1, Name: \"img_read_plain\", stopped, reason: SIGSEGV\n -------------------[ trace ]----\n [#0] 0x7ffff782b552->Name: LWZReadByte(src=0xc63e70, flag=0x0, input_code_size=0x8)\n [#1] 0x7ffff782b9a2->Name: ReadImage(src=0xc63e70, len=0x200, height=0x200, cmapSize=0x100, cmap=0x7ffff7a53288 <GifScreen+8>, \n gray=0x0, interlace=0x0, ignore=0x0)\n [#2] 0x7ffff782ac66->Name: IMG_LoadGIF_RW(src=0xc63e70)\n [#3] 0x7ffff78287ef->Name: IMG_LoadTyped_RW(src=0xc63e70, freesrc=0x1, type=0x0)\n [#4] 0x7ffff78285e0->Name: IMG_Load(file=0x7fffffffe4e0 \"gif_crashes/0345ae792a4ed85e785571105a430417\")\n [#5] 0x400b85->Name: main(argc=0x2, argv=0x7fffffffe1e8)\n ------------------------------------------------------------------------------------------------------------------------\n \n\n### Timeline\n\n2017-11-27 - Vendor Disclosure \n2018-03-01 - Public Release\n\n##### Credit\n\nDiscovered by Lilith &lt;(x_x)&gt; of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2017-0510\n\nPrevious Report\n\nTALOS-2017-0498\n", "edition": 6, "modified": "2018-03-01T00:00:00", "published": "2018-03-01T00:00:00", "id": "TALOS-2017-0499", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0499", "title": "Simple DirectMedia Layer SDL2_Image LWZ Decompression Buffer Overflow Vulnerability", "type": "talos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2020-07-01T21:25:26", "bulletinFamily": "info", "cvelist": ["CVE-2017-14441"], "description": "# Talos Vulnerability Report\n\n### TALOS-2017-0490\n\n## Simple DirectMedia Layer SDL2_image ICO Pitch Handling Code Execution Vulnerability\n\n##### March 1, 2018\n\n##### CVE Number\n\nCVE-2017-14441 \n\n### Summary\n\nAn exploitable code execution vulnerability exists in the ICO image rendering functionality of SDL2_image-2.0.2. A specially crafted ICO image can cause an integer overflow, cascading to a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.\n\n### Tested Versions\n\nSimple DirectMedia Layer SDL2_image 2.0.2\n\n### Product URLs\n\n[https://www.libsdl.org/projects/SDL_image/](<https://www.libsdl.org/projects/SDL_image>)\n\n### CVSSv3 Score\n\n8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-122: Heap-based Buffer Overflow\n\n### Details\n\nLibSDL is a multi-platform library for easy access to low level hardware and graphics, providing support for a large amount of games, software, and emulators. The last known count of software using LibSDL (from 2012) listed the number at upwards of 120. The LibSDL2_Image library is an optional component that deals specifically with parsing and displaying a variety of image file formats, creating a single and uniform API for image processing, regardless of the type.\n\nWhen reading in an ICO file, in order to allocate enough space for the input, the dimensions of the image, as read from the image headers, will obviously be used. The interesting thing is that for a lot of image types, this is not simply (height * width), as one would expect, it\u2019s actually (width * pitch). Pitch is the distance in bytes between two memory addresses that represent the beginning of one bitmap line and the next, essentially resulting in: pitch = (width + padding), which is usually just done for alignment reasons.\n\nThe pitch is calculated inside of LibSDL with the following function:\n \n \n /*\n * Calculate the pad-aligned scanline width of a surface\n */\n int SDL_CalculatePitch(SDL_Surface * surface) {\n \tint pitch;\n \n \t/* Surface should be 4-byte aligned for speed */\n \tpitch = surface->w * surface->format->BytesPerPixel;\n \tswitch (surface->format->BitsPerPixel) {\n \t\tcase 1:\n \t\t\tpitch = (pitch + 7) / 8;\n \t\t\tbreak;\n \t\tcase 4:\n \t\t\tpitch = (pitch + 1) / 2;\n \t\t\tbreak;\n \t\tdefault:\n \t\t\tbreak;\n \t}\n \n \tpitch = (pitch + 3) & ~3; /* 4-byte aligning */\n \treturn (pitch);\n }\n \n\nIf we look at how the values `surface->w` and surface-&gt;format-&gt;BytesPerPixel are read in, we can see that there are not really any checks on the BytesPerPixel field:\n \n \n // SDL_pixels.c\n 528 SDL_InitFormat(format=0x2af7bb0, pixel_format=0x16362004) //[1]\n [...]\n 542 format->BitsPerPixel = bpp;\n 543 format->BytesPerPixel = (bpp + 7) / 8;\n \n [1] The bpp variable = pixel_format & 0x0000FF00\n \n\nOr the `surface->w` file (which is 4 bytes read straight from the image):\n \n \n 682\t/* Read the Win32 BITMAPINFOHEADER */\n 683\tbiSize = SDL_ReadLE32(src); //offset 0x16 in ICO file\n 684\tif (biSize == 40) {\n 685\t\tbiWidth = SDL_ReadLE32(src); //offset 0x1a...\n [\u2026]\n 741\tsurface =\n 742\t\tNSDL_CreateRGBSurface(0, biWidth, biHeight, 32, 0x00FF0000,\n \t0x0000FF00, 0x000000FF, 0xFF000000);\n \n\nThus, going back to how the pitch is generated:\n \n \n pitch = surface->w * surface->format->BytesPerPixel;\n \n\nWe can easily input a width and BytesPerPixel that cause an integer overflow, for example, if width == 0x40000020, and BytesPerPixel == 0x80, then the resulting pitch will be (0x2000001000 &amp; 0xFFFFFFFF), or 0x1000, since the pitch field is a 32-bit integer, resulting in a huge desync between the width and pitch variables, which will come into play in the following function:\n \n \n if (surface->w && surface->h) {\n \t/* Assumptions checked in surface_size_assumptions assert above */\n \tSint64 size = ((Sint64)surface->h * surface->pitch);\n \tif (size < 0 || size > SDL_MAX_SINT32) {\n \n\nThe above code is the only check on the resulting size of the pallet buffer. Notice that the pitch is used to generate the allocated buffer, and also that there is no check on the width of the surface. This results in the following allocation at src/video/SDL_surface.c+107:\n \n \n // 107 surface->pixels = SDL_malloc((size_t)size);\n \n <(^_^)> info reg rax\n rax 0x22a92b0 0x22a92b0\n \n <(^_^)> heap chunk 0x22a92b0\n Chunk(addr=0x22a92b0, size=0x1010, flags=PREV_INUSE)\n Chunk size: 4112 (0x1010)\n Usable size: 4104 (0x1008)\n Previous chunk size: 1702521171 (0x657a6953)\n PREV_INUSE flag: On\n IS_MMAPPED flag: Off\n NON_MAIN_ARENA flag: Off\n \n // Looking at the bytes in memory:\n <(^_^)> x/4gx $rax-0x10\n 0x22a92a0: 0x00000000657a6953 0x0000000000001011\n 0x22a92b0: 0x00007f999f25fca8 0x00007f999f25fca8\n // Start of next chunk (0x2b3de50)\n <(^_^)> x/4gx $rax-0x10+0x1010\n 0x22aa2b0: 0x0000068800000000 0x0000000000000291\n 0x22aa2c0: 0x00007f999f25f678 0x00007f999f25f678\n \n\nThe actual corruption of the heap is within the following loop:\n \n \n 761\tbits = (Uint8 *) surface->pixels + (surface->h * surface->pitch); //[1] \n [...]\n \n //IMG_bmp.c:780\n while (bits > (Uint8 *) surface->pixels) {\n \tbits -= surface->pitch;\n \tswitch (ExpandBMP) {\n \t\tcase 1:\n \t\tcase 4:\n \t\tcase 8:\n \t\t\t{\n \t\t\tUint8 pixel = 0;\n \t\t\tint shift = (8 - ExpandBMP);\n \t\t\tfor (i = 0; i < surface->w; ++i) { // [2]\n \t\t\t\tif (i % (8 / ExpandBMP) == 0) {\n \t\t\t\t\tif (!SDL_RWread(src, &pixel, 1, 1)) {\n \t\t\t\t\t\tIMG_SetError(\"Error reading from ICO\");\n \t\t\t\t\t\twas_error = SDL_TRUE;\n \t\t\t\t\t\tgoto done;\n \t\t\t\t\t}\n \t\t\t\t}\n \t\t\t*((Uint32 *) bits + i) = (palette[pixel >> shift]); // [3]\n \t\t\tpixel <<= ExpandBMP;\n \t\t}\n \t}\n \n\nStarting at the bottom of the pixel buffer [1], the image is read in backwards, as it attempts to unpack the raw data into the allocated buffer. Unfortunately, it uses the surface-&gt;w parameter [2] to determine how long each bitmap line is, which was never checked or validated. Thus, when the program actually writes the data, the counter variable `i` will eventually pass the allocated heap boundaries causing an OOB write at [3]. An example of this in action is given below:\n \n \n <(^_^)> x/4gx 0x22aa2b0 \n 0x22aa2b0: 0x0192394f41414141 0x01c2989401b54750 \n 0x22aa2c0: 0x00007f99019d4555 0x00007f999f25f678\n \n\nWhereby the heap metadata struct becomes controlled by the attacker (0x22aa2b0-&gt;0x22aa2c0 in this example).\n\n### Crash Information\n \n \n *** Error in `./img_read_plain': double free or corruption (!prev): 0x00000000022a92b0 ***\n \n Program received signal SIGABRT, Aborted.\n 0x0000000070000002 in ?? ()\n --------------------------------------------------------------------------[ registers ]----\n $rax : 0x0000000000000000 -> 0x0000000000000000\n $rbx : 0x00000000000000ea -> 0x00000000000000ea\n $rcx : 0xffffffffffffffff\n $rdx : 0x0000000000000006 -> 0x0000000000000006\n $rsp : 0x00000000681ffe00 -> 0x00007f999f820598 -> xor ecx, ecx\n $rbp : 0x00007ffebf1a9870 -> 0x00007ffebf1a9880 -> 0x3030303030303030 -> 0x3030303030303030 (\"00000000\"?)\n $rsi : 0x00000000000155c7 -> 0x00000000000155c7\n $rdi : 0x00000000000155c7 -> 0x00000000000155c7\n $rip : 0x0000000070000002 -> 0x0fc3050fc3050fc3 -> 0x0fc3050fc3050fc3\n $r8 : 0x3062323961323230 -> 0x3062323961323230 (\"022a92b0\"?)\n $r9 : 0x6f6974707572726f -> 0x6f6974707572726f (\"orruptio\"?)\n $r10 : 0x0000000000000008 -> 0x0000000000000008\n $r11 : 0x0000000000000246 -> 0x0000000000000246\n $r12 : 0x00007ffebf1a9680 -> 0x0000000000000000 -> 0x0000000000000000\n $r13 : 0x0000000000000007 -> 0x0000000000000007\n $r14 : 0x000000000000005b -> 0x000000000000005b\n $r15 : 0x00000000681fffa0 -> 0x00000000000000ea -> 0x00000000000000ea\n $eflags: [carry PARITY adjust ZERO sign trap INTERRUPT direction overflow resume virtualx86 identification]\n ------------------------------------------------------------------------------[ stack ]----\n 0x00000000681ffe00|+0x00: 0x00007f999f820598 -> xor ecx, ecx <-$rsp\n 0x00000000681ffe08|+0x08: 0x0000000000000000 -> 0x0000000000000000\n 0x00000000681ffe10|+0x10: 0x0000000000000000 -> 0x0000000000000000\n 0x00000000681ffe18|+0x18: 0x00007f999f81d0f5 -> 0x1f0f66c328c48348 -> 0x1f0f66c328c48348\n 0x00000000681ffe20|+0x20: 0x6f6974707572726f -> 0x6f6974707572726f\n 0x00000000681ffe28|+0x28: 0x0000000070000000 -> 0x050fc3050fc3050f -> 0x050fc3050fc3050f\n 0x00000000681ffe30|+0x30: 0x0000000000000000 -> 0x0000000000000000\n 0x00000000681ffe38|+0x38: 0x0000000000000000 -> 0x0000000000000000\n -------------------------------------------------------------------[ code:i386:x86-64 ]----\n ->0x70000002 ret \n 0x70000003 syscall \n 0x70000005 ret \n 0x70000006 syscall \n 0x70000008 ret \n 0x70000009 syscall \n ----------------------------------------------------------------------------[ threads ]----\n [#0] Id 1, Name: \"\", stopped, reason: SIGABRT\n ------------------------------------------------------------------------------[ trace ]----\n [#0] 0x70000002->ret \n [#1] 0x7f999f820598->xor ecx, ecx\n [#2] 0x7f999f81d0f5->add rsp, 0x28\n [#3] 0x7f999f81e108->mov rbx, rax\n [#4] 0x7f999f8205ca->mov rsp, rbx\n [#5] 0x7f999f8205f3->ret \n \n\n### Timeline\n\n2017-11-28 - Vendor Disclosure \n2018-03-01 - Public Release\n\n##### Credit\n\nDiscovered by Lilith &lt;(x_x)&gt; of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2017-0491\n\nPrevious Report\n\nTALOS-2017-0488\n", "edition": 6, "modified": "2018-03-01T00:00:00", "published": "2018-03-01T00:00:00", "id": "TALOS-2017-0490", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0490", "title": "Simple DirectMedia Layer SDL2_image ICO Pitch Handling Code Execution Vulnerability", "type": "talos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-20T21:21:29", "bulletinFamily": "info", "cvelist": ["CVE-2017-14442"], "description": "# Talos Vulnerability Report\n\n### TALOS-2017-0491\n\n## Simple DirectMedia Layer SDL2_image Image Palette Population Code Execution Vulnerability\n\n##### March 1, 2018\n\n##### CVE Number\n\nCVE-2017-14442 \n\n### Summary\n\nAn exploitable code execution vulnerability exists in the BMP image rendering functionality of SDL2_image-2.0.2. A specially crafted BMP image can cause a stack overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.\n\n### Tested Versions\n\nSimple DirectMedia Layer SDL2_image 2.0.2\n\n### Product URLs\n\n<https://www.libsdl.org/projects/SDL_image/>\n\n### CVSSv3 Score\n\n8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-121: Stack-based Buffer Overflow\n\n### Details\n\nLibSDL is a multi-platform library for easy access to low level hardware and graphics, providing support for a large amount of games, software, and emulators. The last known count of software using LibSDL (from 2012) listed the number at upwards of 120. The LibSDL2_Image library is an optional component that deals specifically with parsing and displaying a variety of image file formats, creating a single and uniform API for image processing, regardless of the type.\n\nWhen reading in a BMP file, libSDL2_Image must populate a color palette object for the image. As per the BMP file format, one of the headers read in is the \u201cbiClrUsed\u201d field, which designates how many colors are within the color palette. This is read by the following code:\n\n//IMG_bmp.c:683 \n \n \n biSize = SDL_ReadLE32(src); //offset 0x16 in file\n if (biSize == 40) {\n \tbiWidth = SDL_ReadLE32(src); //0x1A\n \t \tbiHeight = SDL_ReadLE32(src); //0x1E \n \t \tbiPlanes = SDL_ReadLE16(src); //0x23\n \t\tbiBitCount = SDL_ReadLE16(src); //0x25\n \t\tbiCompression = SDL_ReadLE32(src);\n \t\tbiSizeImage = SDL_ReadLE32(src);\n \t\tbiXPelsPerMeter = SDL_ReadLE32(src); //0x2e\n \t\tbiYPelsPerMeter = SDL_ReadLE32(src); //0x32\n \t\tbiClrUsed = SDL_ReadLE32(src); //0x36 [1]\n \t\tbiClrImportant = SDL_ReadLE32(src); //0x3a\n \n\nAt [1], the biClrUsed field is read in as an unsigned 32-bit integer. After this, the variable is never mentioned again, at least until it is used to populate the palette array as such:\n \n \n if (biBitCount <= 8) {\n \tif (biClrUsed == 0) {\n \t\tbiClrUsed = 1 << biBitCount;\n \t\t}\n \t\tfor (i = 0; i < (int) biClrUsed; ++i) { //[1] \n \t\tSDL_RWread(src, &palette[i], 4, 1);\n \t\t }\n \n\nSince there isn\u2019t any validation on the \u201cbiClrUsed\u201d field at all, the result is a stack based buffer overflow completely under control of an attacker.\n\n### Crash Information\n \n \n $rax : 0x019c3c51016b173b -> 0x019c3c51016b173b\n $rbx : 0x0000000000000000 -> 0x0000000000000000\n $rcx : 0x0000000001e28b77 -> 0x0000000001e28b77\n $rdx : 0x0000000000000004 -> 0x0000000000000004\n $rsp : 0x00007ffe43fe6810 -> 0x0000000100000000 -> 0x0000000100000000\n $rbp : 0x00007ffe43fe6cd0 -> 0x00007ffe43fe6cf0 -> 0x00007ffe43fe6d30 -> 0x00007ffe43fe6d60 -> 0x00007ffe43fe6da0 -> \n 0x0000000000000000 \n -> 0x0000000000000000\n $rsi : 0x0000000002735c60 -> 0x0000000000000000 -> 0x0000000000000000\n $rdi : 0x00007ffe43fe6cc0 -> 0x0000000000000000 -> 0x0000000000000000\n rip : 0x00007f8c982f6105 -> <LoadICOCUR_RW+1197> mov rdx, QWORD PTR [rax+0x20]\n $r8 : 0x0000000002735c60 -> 0x0000000000000000 -> 0x0000000000000000\n $r9 : 0x00007ffe43fe6cbc -> 0x0000000001e28b78 -> 0x0000000001e28b78\n $r10 : 0x0000000000ff0000 -> 0x0000000000ff0000\n $r11 : 0x00007f8c9856d5ce -> 0x20ec8348e5894855 -> 0x20ec8348e5894855\n $r12 : 0x0000000000400a10 -> <_start+0> xor ebp, ebp\n $r13 : 0x00007ffe43fe6e80 -> 0x0000000000000002 -> 0x0000000000000002\n $r14 : 0x0000000000000000 -> 0x0000000000000000\n $r15 : 0x0000000000000000 -> 0x0000000000000000\n $eflags: [CARRY parity adjust zero SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]\n ---------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------------------------------[ stack ]----\n 0x00007ffe43fe6810|+0x00: 0x0000000100000000 -> 0x0000000100000000 <-$rsp\n 0x00007ffe43fe6818|+0x08: 0x0000000002756200 -> 0x00007f8c98578e48 -> 0x20ec8348e5894855 -> 0x20ec8348e5894855\n 0x00007ffe43fe6820|+0x10: 0x000000000000000b -> 0x000000000000000b\n 0x00007ffe43fe6828|+0x18: 0x0000068800000000 -> 0x0000068800000000\n 0x00007ffe43fe6830|+0x20: 0x01c2989401703453 -> 0x01c2989401703453\n 0x00007ffe43fe6838|+0x28: 0x01dd8e7701df886f -> 0x01dd8e7701df886f\n 0x00007ffe43fe6840|+0x30: 0x0163234e015e1b45 -> 0x0163234e015e1b45\n 0x00007ffe43fe6848|+0x38: 0x01753b6b01692b59 -> 0x01753b6b01692b59\n -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[ code:i386:x86-64 ]----\n 0x7f8c982f60f4 <LoadICOCUR_RW+1180> rol BYTE PTR [rbx-0x74fe13bb], 1\n 0x7f8c982f60fa <LoadICOCUR_RW+1186> rex.RB (bad)\n 0x7f8c982f60fc <LoadICOCUR_RW+1188> cmp eax, DWORD PTR [rbp-0x14]\n 0x7f8c982f60ff <LoadICOCUR_RW+1191> jg 0x7f8c982f60c2 <LoadICOCUR_RW+1130>\n 0x7f8c982f6101 <LoadICOCUR_RW+1193> mov rax, QWORD PTR [rbp-0x20]\n ->0x7f8c982f6105 <LoadICOCUR_RW+1197> mov rdx, QWORD PTR [rax+0x20]\n 0x7f8c982f6109 <LoadICOCUR_RW+1201> mov rax, QWORD PTR [rbp-0x20]\n 0x7f8c982f610d <LoadICOCUR_RW+1205> mov ecx, DWORD PTR [rax+0x14]\n 0x7f8c982f6110 <LoadICOCUR_RW+1208> mov rax, QWORD PTR [rbp-0x20]\n 0x7f8c982f6114 <LoadICOCUR_RW+1212> mov eax, DWORD PTR [rax+0x18]\n 0x7f8c982f6117 <LoadICOCUR_RW+1215> imul eax, ecx\n ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[ source:IMG_bmp.c+761 ]----\n 757 }\n 758 }\n 759 \n 760 /* Read the surface pixels. Note that the bmp image is upside down */\n // surface=0x00007ffe43fe6cb0 -> [...] -> 0x019c3c51016b173b, bits=0x00007ffe43fe6ca8 -> [...] -> 0x01e4b28b01f7d1a1\n -> 761 bits = (Uint8 *) surface->pixels + (surface->h * surface->pitch); //points immediately after 0x1000 buffer\n 762 switch (ExpandBMP) {\n 763 case 1:\n 764 bmpPitch = (biWidth + 7) >> 3;\n 765 pad = (((bmpPitch) % 4) ? (4 - ((bmpPitch) % 4)) : 0);\n ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[ threads ]----\n [#0] Id 1, Name: \"\", stopped, reason: SIGSEGV\n ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[ trace ]----\n [#0] 0x7f8c982f6105->Name: LoadICOCUR_RW(src=0x2756200, type=0x1, freesrc=0x0)\n [#1] 0x7f8c982f6651->Name: IMG_LoadICO_RW(src=0x2756200)\n [#2] 0x7f8c982f47ef->Name: IMG_LoadTyped_RW(src=0x2756200, freesrc=0x1, type=0x7ffe43fe8459 \"/<(^_^)>\")\n [#3] 0x7f8c982f45e0->Name: IMG_Load(file=0x7ffe43fe8458 \"./<(^_^)>\")\n [#4] 0x400b85->Name: main(argc=0x2, argv=0x7ffe43fe6e88)\n -----------------------------------------------------------------------------------------------------------------------------------------\n \n\n### Timeline\n\n2017-11-28 - Vendor Disclosure \n2018-03-01 - Public Release\n\n##### Credit\n\nDiscovered by Yves Younan and Lilith of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2017-0497\n\nPrevious Report\n\nTALOS-2017-0490\n", "edition": 7, "modified": "2018-03-01T00:00:00", "published": "2018-03-01T00:00:00", "id": "TALOS-2017-0491", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0491", "title": "Simple DirectMedia Layer SDL2_image Image Palette Population Code Execution Vulnerability", "type": "talos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-01T21:25:28", "bulletinFamily": "info", "cvelist": ["CVE-2017-12122"], "description": "# Talos Vulnerability Report\n\n### TALOS-2017-0488\n\n## Simple DirectMedia Layer SDL2_Image IMG_LoadLBM_RW Code Execution Vulnerability\n\n##### March 1, 2018\n\n##### CVE Number\n\nCVE-2017-12122 \n\n### Summary\n\nAn exploitable code execution vulnerability exists in the ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image can cause a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.\n\n### Tested Versions\n\nSimple DirectMedia Layer SDL2_image 2.0.2\n\n### Product URLs\n\n<https://www.libsdl.org/projects/SDL_image/>\n\n### CVSSv3 Score\n\n8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-122: Heap-based Buffer Overflow\n\n### Details\n\nLibSDL is a multi-platform library for easy access to low level hardware and graphics, providing support for a large amount of games, software, and emulators. The last known count of software using LibSDL (from 2012) listed the number at upwards of 120. The LibSDL2_Image library is an optional component that deals specifically with parsing and displaying a variety of image file formats, creating a single and uniform API for image processing, regardless of the type.\n\nWhen LibSDL2_Image reads in an image, if the image contains the \u201cFORM\u201d string at offset 0x4, and the \u201cPBM\u201d or \u201cILBM\u201d strings at offset 0x8, then the file is considered a ILBM (Interleaved Bitmap) file, and parsed accordingly. LIBSDL2_Image first looks for the Bitmap Headers of the file, and then reads the values into a BMHD structure. This looks like such:\n \n \n 00000000 46 4F 52 4D 00 02 6E 98 49 4C 42 4D 42 4D 48 44 00 00 00 14 FORM..n.ILBMBMHD....\n 00000014 02 00 02 00 00 00 00 00 15 00 01 00 00 00 0A 0A 02 00 02 00 \n \n\nThe above 0x28 bytes of a ILBM file will result in a bmhd structure (size 0x14) as such: type = struct { Uint16 w; Uint16 h; Sint16 x; Sint16 y; Uint8 planes; Uint8 mask; Uint8 tcomp; Uint8 pad1; Uint16 tcolor; Uint8 xAspect; Uint8 yAspect; Sint16 Lpage; Sint16 Hpage;\n \n \n <(^_^)> print bmhd\n $1 = {\n \tUint16 w = 0x200, \n \tUint16 h = 0x200, \n \tSint16 x = 0x0, \n \tSint16 y = 0x0, \n \tUint8 planes = 0x15, \n \tUint8 mask = 0x0, \n \tUint8 tcomp = 0x1, \n \tUint8 pad1 = 0x0, \n \tUint16 tcolor = 0x0, \n \tUint8 xAspect = 0xa, \n \tUint8 yAspect = 0xa, \n \tSint16 Lpage = 0x200, \n \tSint16 Hpage = 0x200\n }\n \n\nWith the input essentially being a direct read from the file into the structure. After this read has been performed, LibSDL2_Image will create an RGBSurface to store the data. This RGBSurface is the universal object for storing image data from any given image format. It is during the IMG_Load_RW functions that the data is converted correctly from the given to the RGBSurface type, which is given as follows:\n \n \n type = struct SDL_Surface {\n Uint32 flags;\n SDL_PixelFormat *format;\n int w;\n int h;\n int pitch;\n void *pixels;\n void *userdata;\n int locked;\n void *lock_data;\n SDL_Rect clip_rect;\n struct SDL_BlitMap *map;\n int refcount;\n } *\n \n\nWhich is created by the following line of code, converting from bmhd to SDL_Surface:\n \n \n if ( ( Image = SDL_CreateRGBSurface( SDL_SWSURFACE, width, bmhd.h, (bmhd.planes==24 || flagHAM==1)?24:8, 0, 0, 0, 0 ) ) == NULL )\n \n\nDuring runtime of the crash, this ends up looking like:\n \n \n SDL_CreateRGBSurface_REAL(flags=0x0, width=0x200, height=0x200, depth=0x8, Rmask=0x0, Gmask=0x0, Bmask=0x0, Amask=0x0)\n \n\nThe SDL_Pixelformat member of the SDL_Surface is what contains the actual RGB data, and this is stored inside of the SDL_Palette *palette member of the SDL_Surface, which is defined as such:\n \n \n type = struct SDL_Palette {\n \tint ncolors;\n \tSDL_Color *colors;\n \tUint32 version;\n \tint refcount;\n } *\n \n\nThe SDL_Color *color array contains the raw bit data, and is allocated by the following line:\n \n \n palette->colors =\n \t(SDL_Color *) SDL_malloc(ncolors * sizeof(*palette->colors));\n \n\nThe size of a given SDL_Color struct is 0x4, and ncolors is passed as a parameter to the SDL_AllocPalette function, and is given by (1\u00ab0x8 == 0x100):\n \n \n //SDL_AllocPalette(int ncolors) \n SDL_AllocPalette((1 << surface->format->BitsPerPixel));\n \n\nThe BitsPerPixel field is taken from the depth parameter passed into SDL_CreateRGBSurface, so the resulting SDL_malloc is (0x4 * (1\u00ab0x8)), or 0x400.\n\nInterestingly, when the data is actually taken from the file and thrown into the heap data of size 0x400, the following loop occurs:\n \n \n for ( i=nbcolors; i < (Uint32)nbrcolorsfinal; i++ ){\n \tImage->format->palette->colors[i].r = Image->format->palette->colors[i%nbcolors].r;\n \tImage->format->palette->colors[i].g = Image->format->palette->colors[i%nbcolors].g;\n Image->format->palette->colors[i].b = Image->format->palette->colors[i%nbcolors].b;\n }\n \n\nThe nbrcolorsfinal variable is populated with the following code:\n \n \n int nbrcolorsfinal = 1 << (nbplanes + stencil);\n [...]\n if ( nbrcolorsfinal > (1<<bmhd.planes) ) {\n \tnbrcolorsfinal = (1<<bmhd.planes);\n }\n [...]\n \n\nThe assumption is that the bmhd.planes (which is 0x15 in our structure) corresponds exactly with the depth parameter passed to SDL_CreateRGBSurface_REAL, such that the structure has enough space allocated to store the raw rgb data, however this assumption is not true for all bhmd.plane values:\n \n \n if ( ( Image = SDL_CreateRGBSurface( SDL_SWSURFACE, width, bmhd.h, (bmhd.planes==24 || flagHAM==1)?24:8, 0, 0, 0, 0 ) ) == NULL )\n \n\nIt is only true if the Uint8 planes field is equal to 24 or is less than 8 (assuming the flagHAM flag is not set), providing another value results in a constrained heap overflow of user controlled data during the color population loop that was previously listed.\n\n### Crash Information\n \n \n Program received signal SIGSEGV, Segmentation fault.\n 0x00007f666bcc642a in IMG_LoadLBM_RW (src=0x16cfa30) at IMG_lbm.c:294\n 294 Image->format->palette->colors[i].r = Image->format->palette->colors[i%nbcolors].r;\n --------------------------------------------------------------------------[ registers ]----\n $rax : 0x000000000000009a -> 0x000000000000009a\n $rbx : 0x0000000000000000 -> 0x0000000000000000\n $rcx : 0x000000000177f000 -> 0x000000000177f000\n $rdx : 0x0000000000000010 -> 0x0000000000000010\n $rsp : 0x00007ffd79443ab0 -> 0x0000000200000000 -> 0x0000000200000000\n $rbp : 0x00007ffd79443e90 -> 0x00007ffd79443ed0 -> 0x00007ffd79443f00 -> 0x00007ffd79443f40 -> 0x0000000000000000 -> \n 0x0000000000000000\n $rsi : 0x00000000016f6fc0 -> 0xff5d69dbff96b6eb\n $rdi : 0x00007f666c26d540 -> 0x0000000000000030 -> 0x0000000000000030\n $rip : 0x00007f666bcc642a -> <IMG_LoadLBM_RW+2336> mov BYTE PTR [rcx], al\n $r8 : 0x00000000016e98c0 -> 0x0000000000000000 -> 0x0000000000000000\n $r9 : 0x00007ffd79443978 -> 0x00007f666bf95c7d -> 0x4855c3c9f8458b48 -> 0x4855c3c9f8458b48\n $eflags: [carry PARITY adjust zero sign trap INTERRUPT direction overflow RESUME virtualx86 identification]\n ------------------------------------------------------------------------------[ stack ]----\n 0x00007ffd79443ab0|+0x00: 0x0000000200000000 -> 0x0000000200000000 <-$rsp\n 0x00007ffd79443ab8|+0x08: 0x00000000016cfa30 -> 0x00007f666bf45e48 -> 0x20ec8348e5894855 -> 0x20ec8348e5894855\n 0x00007ffd79443ac0|+0x10: 0x0000000000000000 -> 0x0000000000000000\n 0x00007ffd79443ac8|+0x18: 0x000000000171e658 -> 0x007171be665549ae -> 0x007171be665549ae\n 0x00007ffd79443ad0|+0x20: 0x0000000002000200 -> 0x0000000002000200\n 0x00007ffd79443ad8|+0x28: 0x0a0a000000010015 -> 0x0a0a000000010015\n 0x00007ffd79443ae0|+0x30: 0x3300000002000200 -> 0x3300000002000200\n 0x00007ffd79443ae8|+0x38: 0x00007ffd00026e08 -> 0x00007ffd00026e08\n -------------------------------------------------------------------[ code:i386:x86-64 ]----\n 0x7f666bcc641c <IMG_LoadLBM_RW+2322> mov eax, edx\n 0x7f666bcc641e <IMG_LoadLBM_RW+2324> mov eax, eax\n 0x7f666bcc6420 <IMG_LoadLBM_RW+2326> shl rax, 0x2\n 0x7f666bcc6424 <IMG_LoadLBM_RW+2330> add rax, rsi\n 0x7f666bcc6427 <IMG_LoadLBM_RW+2333> movzx eax, BYTE PTR [rax]\n ->0x7f666bcc642a <IMG_LoadLBM_RW+2336> mov BYTE PTR [rcx], al\n 0x7f666bcc642c <IMG_LoadLBM_RW+2338> mov rax, QWORD PTR [rbp-0x8]\n 0x7f666bcc6430 <IMG_LoadLBM_RW+2342> mov rax, QWORD PTR [rax+0x8]\n 0x7f666bcc6434 <IMG_LoadLBM_RW+2346> mov rax, QWORD PTR [rax+0x8]\n 0x7f666bcc6438 <IMG_LoadLBM_RW+2350> mov rax, QWORD PTR [rax+0x8]\n 0x7f666bcc643c <IMG_LoadLBM_RW+2354> mov edx, DWORD PTR [rbp-0x30]\n ---------------------------------------------------------------[ source:IMG_lbm.c+294 ]----\n 290 nbrcolorsfinal = (1<<bmhd.planes);\n 291 }\n 292 for ( i=nbcolors; i < (Uint32)nbrcolorsfinal; i++ )\n 293 {\n // Image=0x00007ffd79443e88 -> [...] -> 0x0000000000000000\n -> 294 Image->format->palette->colors[i].r = Image->format->palette->colors[i%nbcolors].r;\n 295 Image->format->palette->colors[i].g = Image->format->palette->colors[i%nbcolors].g;\n 296 Image->format->palette->colors[i].b = Image->format->palette->colors[i%nbcolors].b;\n 297 }\n 298 if ( !pbm )\n ----------------------------------------------------------------------------[ threads ]----\n [#0] Id 1, Name: \"\", stopped, reason: SIGSEGV\n ------------------------------------------------------------------------------[ trace ]----\n [#0] 0x7f666bcc642a->Name: IMG_LoadLBM_RW(src=0x16cfa30)\n [#1] 0x7f666bcc17ef->Name: IMG_LoadTyped_RW(src=0x16cfa30, freesrc=0x1, type=0x7ffd79444441 \"<(-_-)>/asdf\")\n [#2] 0x7f666bcc15e0->Name: IMG_Load(file=0x7ffd79444440 \"<(-_-)>/asdf\")\n [#3] 0x400b85->Name: main(argc=0x2, argv=0x7ffd79444028)\n \n\n### Timeline\n\n2017-11-28 - Vendor Disclosure \n2018-03-01 - Public Release\n\n##### Credit\n\nDiscovered by Lilith &lt;(x_x)&gt; of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2017-0490\n\nPrevious Report\n\nTALOS-2017-0486\n", "edition": 8, "modified": "2018-03-01T00:00:00", "published": "2018-03-01T00:00:00", "id": "TALOS-2017-0488", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0488", "title": "Simple DirectMedia Layer SDL2_Image IMG_LoadLBM_RW Code Execution Vulnerability", "type": "talos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-01T21:25:28", "bulletinFamily": "info", "cvelist": ["CVE-2017-2887"], "description": "# Talos Vulnerability Report\n\n### TALOS-2017-0394\n\n## Simple DirectMedia Layer SDL_image XCF Property Handling Code Execution Vulnerability\n\n##### October 10, 2017\n\n##### CVE Number\n\nCVE-2017-2887 \n\n### Summary\n\nAn exploitable buffer overflow vulnerability exists in the XCF property handling functionality of SDL_image 2.0.1. A specially crafted xcf file can cause a stack-based buffer overflow resulting in potential code execution. An attacker can provide a specially crafted XCF file to trigger this vulnerability.\n\n### Tested Versions\n\nSimple DirectMedia Layer SDL_image 2.0.1\n\n### Product URLs\n\n<https://www.libsdl.org/projects/SDL_image/>\n\n### CVSSv3 Score\n\n8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-121: Stack-based Buffer Overflow\n\n### Details\n\nSDL_image is a library that handles image loading for the Simple DirectMedia Layer (SDL) library. SDL is a cross-platform library that is designed to provide low-level access to various hardware using OpenGL and Direct3D. The various users of the library include games, video playback software (including VLC), and emulators.\n\nA vulnerability exits in the SDL_image library\u2019s handling of XCF images. When an XCF image is read, its properties will be read from the file and used directly in a read operation, potentially resulting in a stack-based buffer overflow. This problem occurs in the read_xcf_property function of the IMG_xcf.c file:\n \n \n 253 static void xcf_read_property (SDL_RWops * src, xcf_prop * prop) {\n 254\t\tprop->id = SDL_ReadBE32 (src);\n 255\t\tprop->length = SDL_ReadBE32 (src); ...\n 261\t switch (prop->id) {\n ...\n 275\t\tcase PROP_COMPRESSION:\n 276\t\tcase PROP_COLOR:\n 277\t\t\tSDL_RWread (src, &prop->data, prop->length, 1);\n 278\t\t\tbreak; ...\n \n\nAt line 254, it will read the id of the property from the file and then at line 255, it will read the length of the property. This length will then be used at line 277 to copy data from `src` into `prop->data` which is 24 bytes in length, causing a buffer overflow if the length provided in the file is larger than 24.\n\n### Mitigation\n\nAdding a check to ensure that prop-&gt;length &lt;= sizeof(prop-&gt;data) would fix the issue: \u2014 IMG_xcf.c.orig 2017-07-28 10:39:49.983264935 -0700 +++ IMG_xcf.c 2017-07-28 10:43:42.664540348 -0700 @@ -251,6 +251,7 @@\n \n \n static void xcf_read_property (SDL_RWops * src, xcf_prop * prop) {\n + unsigned int len;\n prop->id = SDL_ReadBE32 (src);\n prop->length = SDL_ReadBE32 (src); \n \n @@ -274,7 +275,11 @@\n break;\n case PROP_COMPRESSION:\n case PROP_COLOR:\n - SDL_RWread (src, &prop->data, prop->length, 1);\n + if (prop->length>sizeof(prop->data))\n +\tlen = sizeof(prop->data);\n + else\n +\tlen = prop->length;\n + SDL_RWread (src, &prop->data, len, 1);\n break;\n case PROP_VISIBLE:\n prop->data.visible = SDL_ReadBE32 (src);\n \n\n### Timeline\n\n2017-10-06 - Vendor Disclosure \n2017-10-10 - Public Release\n\n##### Credit\n\nDiscovered by Yves Younan of Cisco Talos\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2017-0395\n\nPrevious Report\n\nTALOS-2017-0387\n", "edition": 6, "modified": "2017-10-10T00:00:00", "published": "2017-10-10T00:00:00", "id": "TALOS-2017-0394", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0394", "title": "Simple DirectMedia Layer SDL_image XCF Property Handling Code Execution Vulnerability", "type": "talos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-01T21:25:07", "bulletinFamily": "info", "cvelist": ["CVE-2018-3839"], "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0521\n\n## Simple DirectMedia Layer SDL2_Image load_xcf_tile_rle bpp Code Execution Vulnerability\n\n##### April 10, 2018\n\n##### CVE Number\n\nCVE-2018-3839 \n\n### Summary\n\nAn exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.\n\n### Tested Versions\n\nSimple DirectMedia Layer SDL2_image 2.0.2\n\n### Product URLs\n\n<https://www.libsdl.org/projects/SDL_image/>\n\n### CVSSv3 Score\n\n6.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVSSv3 Calculator: https://www.first.org/cvss/calculator/3.0\n\n### CWE\n\nCWE-122: Heap-based Buffer Overflow\n\n### Details\n\nLibSDL is a multi-platform library for easy access to low level hardware and graphics, providing support for a large amount of games, software, and emulators. The last known count of software using LibSDL (from 2012) listed the number at upwards of 120. The LibSDL2_Image library is an optional component that deals specifically with parsing and displaying a variety of image file formats, creating a single and uniform API for image processing, regardless of the type.\n\nWhen parsing and storing an XCF file (the native file type for Gimp), the LibSDL2 library implements a custom RLE inflater for the compressed XCF data. The code that handles this is listed below:\n \n \n //IMG_xcf.c\n static unsigned char * load_xcf_tile_rle (SDL_RWops * src, Uint32 len, int bpp, int x, int y) \n \tunsigned char * load, * t, * data, * d;\n \tUint32 reallen;\n \t\tint i, size, count, j, length;\n \t\tunsigned char val;\n \n\nt = load = (unsigned char *) SDL_malloc (len); reallen = SDL_RWread (src, t, 1, len); \n \n \n \tdata = (unsigned char *) SDL_malloc (x*y*bpp); \n \t[...]\n \n\nFrom the above, it should be noted that the `bpp`,`x`, and `y` parameters are all under the file\u2019s control, along with the `len` field. The `bpp` parameter in particular is taken from the `xcf_hierarchy` struct.\n \n \n typedef struct {\n Uint32 cwidth;\n Uint32 height;\n Uint32 bpp;\n \n Uint32 * level_file_offsets;\n } xcf_hierarchy;\n \n\nThis structure has it\u2019s fields populated directly from the XCF image file being rendered as such:\n\nstatic xcf_hierarchy * read_xcf_hierarchy (SDL_RWops * src) { xcf_hierarchy * h; int i; h = (xcf_hierarchy *) SDL_malloc (sizeof (xcf_hierarchy)); h-&gt;width = SDL_ReadBE32 (src); h-&gt;height = SDL_ReadBE32 (src); h-&gt;bpp = SDL_ReadBE32 (src); \n\nThus, we know that the `bpp` variable can be anything from 0x0 to 0xffffffff, so going back to the load_xcf_tile_rle function, an issue quickly arises:\n \n \n static unsigned char * load_xcf_tile_rle (SDL_RWops * src, Uint32 len, int bpp, int x, int y) \n \tunsigned char * load, * t, * data, * d;\n \tUint32 reallen;\n \t\tint i, size, count, j, length;\n \t\tunsigned char val;\n \n\nt = load = (unsigned char *) SDL_malloc (len); reallen = SDL_RWread (src, t, 1, len); \n \n \n \tdata = (unsigned char *) SDL_malloc (x*y*bpp); //[1]\n \tfor (i = 0; i < bpp; i++) { //[2]\n \t[...]\n \n\nSince x, y, and bpp are all of integers, when all multiplied at [1], the resulting value passed into SDL_malloc is also of type integer. As noted before, since bpp can be 0x0-0xffffffff, this results in an integer overflow for a high enough value of `bpp`, causing the value passed into SDL_malloc to be less than bpp itself. This causes the subsequent usages of `bpp` to be outside the bounds of the allocated buffer and possible memory corruption. Due to line [2], bpp does have some bounds, such that (bpp &lt; 0) =&gt; causes the corruption loop to skip. The tricky part with this bug is how much one could actually get away with corrupting as the writes in memory occur with the following code:\n\nwhile (length\u2013 &gt; 0) { \n \n \n \t\t*d = *t++; //[1]\n \t\td += bpp; //[2]\n \t}\n \n\nSo while it is technically a controlled write, since we control the value of `t` at [1], remember that bpp must be rather large, and also cannot be negative. Thus, when the destination pointer `d` is incremented by bpp at [2], the odds of hitting unmapped memory increase exponentially for each loop iteration. On a 32-bit machine, the probability of successful exploitation with this bug would increase tremendously though as the pointer `d` would wrap around a lot faster, leaving less chance for segfaulting due to unmapped memory access.\n\n### Crash Information\n\n(Note: Compiled with ASAN)\n \n \n Program received signal SIGSEGV, Segmentation fault.\n 0x00007fe914baf213 in load_xcf_tile_rle (src=0x60700000dfb0, len=0x309b, bpp=0x40000003, x=0x40, y=0x40) at IMG_xcf.c:527\n warning: Source file is more recent than executable.\n 527 val = *t++; //pull next byte for value to write.\n -----------------------------------------------------[ registers ]----\n $rax : 0x0000627040015103 -> 0x0000000000000000 -> 0x0000000000000000\n $rbx : 0x00007ffcb1150ba0 -> 0x00007ffcb1152462 -> 0x643530342f464358 -> 0x643530342f464358 (\"XCF/405d\"?)\n $rdx : 0x00000000000000e2 -> 0x00000000000000e2\n $rsp : 0x00007ffcb1150840 -> 0x00007ffcb11508b0 -> 0x00007ffcb1150960 -> 0x00007ffcb1150a20 -> 0x00007ffcb1150a60 -> \n 0x00007ffcb1150a90 -> 0x0000000000000002 -> 0x0000000000000002\n $rbp : 0x00007ffcb11508b0 -> 0x00007ffcb1150960 -> 0x00007ffcb1150a20 -> 0x00007ffcb1150a60 -> 0x00007ffcb1150a90 -> \n 0x0000000000000002 -> 0x0000000000000002\n $rsi : 0x0000000000000013 -> 0x0000000000000013\n $rdi : 0x00007fe915139540 -> 0x0000000000000014 -> 0x0000000000000014\n $rip : 0x00007fe914baf213 -> 0x489848a0458b1088 -> 0x489848a0458b1088\n $r8 : 0x0000000000000008 -> 0x0000000000000008\n $r9 : 0x0000000000000000 -> 0x0000000000000000\n $r10 : 0x0000000000000000 -> 0x0000000000000000\n $r11 : 0x0000000000000008 -> 0x0000000000000008\n $r12 : 0x00000000004bd3e4 -> <_start+0> xor ebp, ebp\n $r13 : 0x00007ffcb1150b90 -> 0x0000000000000002 -> 0x0000000000000002\n $r14 : 0xfffffffffffffff8 -> 0xfffffffffffffff8\n $r15 : 0x0000000000000000 -> 0x0000000000000000\n $eflags: [CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]\n ---------------------------------------------------------[ stack ]----\n 0x00007ffcb1150840|+0x00: 0x00007ffcb11508b0 -> 0x00007ffcb1150960 -> 0x00007ffcb1150a20 -> 0x00007ffcb1150a60 -> \n 0x00007ffcb1150a90 -> 0x0000000000000002 -> 0x0000000000000002 <- \n $rsp\n 0x00007ffcb1150848|+0x08: 0x0000004000000040 -> 0x0000000000000000 -> 0x0000000000000000\n 0x00007ffcb1150850|+0x10: 0x0000309b40000003 -> 0x0000309b40000003\n 0x00007ffcb1150858|+0x18: 0x000060700000dfb0 -> 0x00007fe914e11e48 -> 0x20ec8348e5894855 -> 0x20ec8348e5894855\n 0x00007ffcb1150860|+0x20: 0x0000000000000000 -> 0x0000000000000000\n 0x00007ffcb1150868|+0x28: 0xe2007fe913d1197d\n 0x00007ffcb1150870|+0x30: 0x0000627000015100 -> 0xbebebebebebebee2\n 0x00007ffcb1150878|+0x38: 0x0000309b14e11f03 -> 0x0000309b14e11f03\n ----------------------------------------------[ code:i386:x86-64 ]----\n 0x7fe914baf1ff <load_xcf_tile_rle+384> mov BYTE PTR [rbp-0x41], al\n 0x7fe914baf202 <load_xcf_tile_rle+387> mov DWORD PTR [rbp-0x20], 0x0\n 0x7fe914baf209 <load_xcf_tile_rle+394> jmp 0x7fe914baf222 <load_xcf_tile_rle+419>\n 0x7fe914baf20b <load_xcf_tile_rle+396> mov rax, QWORD PTR [rbp-0x10]\n 0x7fe914baf20f <load_xcf_tile_rle+400> movzx edx, BYTE PTR [rbp-0x41]\n ->0x7fe914baf213 <load_xcf_tile_rle+404> mov BYTE PTR [rax], dl\n 0x7fe914baf215 <load_xcf_tile_rle+406> mov eax, DWORD PTR [rbp-0x60]\n 0x7fe914baf218 <load_xcf_tile_rle+409> cdqe \n 0x7fe914baf21a <load_xcf_tile_rle+411> add QWORD PTR [rbp-0x10], rax\n 0x7fe914baf21e <load_xcf_tile_rle+415> add DWORD PTR [rbp-0x20], 0x1\n 0x7fe914baf222 <load_xcf_tile_rle+419> mov eax, DWORD PTR [rbp-0x20]\n ------------------------------------------[ source:IMG_xcf.c+527 ]----\n 523 \n 524 count += length; //count var unused, lol\n 525 size -= length;\n 526 \n // t=0x00007ffcb11508a8 -> [...] -> 0xe3e3e4f6e201df01, val=0xe2L\n -> 527 val = *t++; //pull next byte for value to write.\n 528 \n 529 for (j = 0; j < length; j++) { //Write pixel-consecutive bytes.\n 530 *d = val; // oob write here... 405d\n 531 d += bpp;\n -------------------------------------------------------[ threads ]----\n [#0] Id 1, Name: \"\", stopped, reason: SIGSEGV\n ---------------------------------------------------------[ trace ]----\n [#0] 0x7fe914baf213->Name: load_xcf_tile_rle(src=0x60700000dfb0, len=0x309b, bpp=0x40000003, x=0x40, y=0x40)\n [#1] 0x7fe914baf55d->Name: do_layer_surface(surface=0x60800000be20, src=0x60700000dfb0, head=0x60700000df40, layer=0x60600000eea0, \n load_tile=0x7fe914baf07f <load_xcf_tile_rle>)\n [#2] 0x7fe914bafe24->Name: IMG_LoadXCF_RW(src=0x60700000dfb0)\n [#3] 0x7fe914b8d7ef->Name: IMG_LoadTyped_RW(src=0x60700000dfb0, freesrc=0x1, type=0x0)\n [#4] 0x7fe914b8d5e0->Name: IMG_Load(file=0x7ffcb1152462 \"boop\")\n [#5] 0x4bd553->Name: main(argc=<optimized out>, argv=<optimized out>)\n ----------------------------------------------------------------------\n \n\n### Timeline\n\n2018-02-06 - Vendor Disclosure \n2018-02-07 - Vendor Patched \n2018-04-10 - Public Release\n\n##### Credit\n\nDiscovered by Lilith of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2018-0550\n\nPrevious Report\n\nTALOS-2018-0520\n", "edition": 7, "modified": "2018-04-10T00:00:00", "published": "2018-04-10T00:00:00", "id": "TALOS-2018-0521", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0521", "title": "Simple DirectMedia Layer SDL2_Image load_xcf_tile_rle bpp Code Execution Vulnerability", "type": "talos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-01T21:25:13", "bulletinFamily": "info", "cvelist": ["CVE-2018-3838"], "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0520\n\n## Simple DirectMedia Layer SDL2_Image load_xcf_tile_rle Information Disclosure Vulnerability\n\n##### April 10, 2018\n\n##### CVE Number\n\nCVE-2018-3838 \n\n### Summary\n\nAn exploitable information vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds read on the heap, resulting in information disclosure. An attacker can display a specially crafted image to trigger this vulnerability.\n\n### Tested Versions\n\nSimple DirectMedia Layer SDL2_image 2.0.2\n\n### Product URLs\n\n<https://www.libsdl.org/projects/SDL_image/>\n\n### CVSSv3 Score\n\n5.3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N\n\n### CWE\n\nCWE-126: Buffer Over-read\n\n### Details\n\nLibSDL is a multi-platform library for easy access to low level hardware and graphics, providing support for a large amount of games, software, and emulators. The last known count of software using LibSDL (from 2012) listed the number at upwards of 120. The LibSDL2_Image library is an optional component that deals specifically with parsing and displaying a variety of image file formats, creating a single and uniform API for image processing, regardless of the type.\n\nWhen parsing and storing an XCF file (the native file type for Gimp), the LibSDL2 library implements a custom RLE inflater for the compressed XCF data. The code that handles this is listed below:\n \n \n //IMG_xcf.c\n static unsigned char * load_xcf_tile_rle (SDL_RWops * src, Uint32 len, int bpp, int x, int y) \n \tunsigned char * load, * t, * data, * d;\n \tUint32 reallen;\n \t\tint i, size, count, j, length;\n \t\tunsigned char val;\n \n\nt = load = (unsigned char *) SDL_malloc (len); //[1] reallen = SDL_RWread (src, t, 1, len); //[2] \n \n \n \tdata = (unsigned char *) SDL_malloc (x*y*bpp); //[3]\n \t[...]\n \n\nFrom the above, it should be noted that the `bpp`,`x`, and `y` parameters are all under the file\u2019s control, along with the `len` field, which is derived from the calling function as such:\n \n \n do_layer_surface(SDL_Surface * surface, SDL_RWops * src, xcf_header * head, xcf_layer * layer, load_tile_type load_tile) {\n \n \tSDL_RWseek(src, layer->hierarchy_file_offset, RW_SEEK_SET); \n \t \thierarchy = read_xcf_hierarchy(src); // [1]\n \t\tlevel = NULL;\n \t\tfor (i = 0; hierarchy->level_file_offsets[i]; i++) {\n \t\t\tSDL_RWseek(src, hierarchy->level_file_offsets[i], RW_SEEK_SET);\n \t\t\tlevel = read_xcf_level(src); //[2]\n \n \t\t\tty = tx = 0;\n \t\t\tfor (j = 0; level->tile_file_offsets[j]; j++) {\n \t\t\t\tSDL_RWseek(src, level->tile_file_offsets[j], RW_SEEK_SET);\n \t\t\t[...]\n \n \t\t\tif (level->tile_file_offsets[j + 1]) { \n \t\t\ttile = load_tile(src, level->tile_file_offsets[j + 1] - level->tile_file_offsets[j], hierarchy->bpp, ox, oy); // [3] \n \t\t\t} else { \n \t\t\t\t tile = load_tile(src, ox * oy * 6, hierarchy->bpp, ox, oy);\n \t\t\t}\n [...]\n \n\nTo sum up the above, each XCF surface can have multiple layers, and these layers have a hierarchy, which is read in at [1] and dictates the order in which the image layers are rendered. Then, each layer has a set of tiles (which are just blocks of image data), which must be read in first before rendering. These tiles can be different sizes, so an array of file offsets are read in at [2], such that the parsing can be done correctly. After this, the library loops over the tile offsets, and seeks for the tile data in the file, reading the tile data at [3]. \u2018load_tile\u2019 is a function pointer to the load_xcf_tile_rle function that we were at before. Of most note for this bug, is the fact that the \u2018len\u2019 parameter from the load_xcf_tile_rle function is calculated from `level->tile_file_offsets[j + 1] \u2013 level->tile_file_offsets[j]`, as long as level-&gt;tile_file_offsets[j+1] is != 0.\n\nThus, if we make our XCF file have two consecutive tile_file_offsets that are equivalent, our call to load_xcf_tile_rle becomes load_xcf_tile_rle(src,0,hierarchy-&gt;bpp,ox,oy). This causes issues further down inside load_xcf_tile_rle as we end up doing a call to malloc(0) for our source buffer:\n \n \n static unsigned char * load_xcf_tile_rle (SDL_RWops * src, Uint32 len, int bpp, int x, int y) \t{\n \tunsigned char * load, * t, * data, * d;\n \tUint32 reallen;\n \tint i, size, count, j, length;\n \tunsigned char val;\n \n\nt = load = (unsigned char *) SDL_malloc (len); // [1] \n\nSince SDL_malloc is a simple wrapper around normal malloc, this depends on the specific implementation of malloc for the system, but at least on Debian Linux, m0560874168f86c7aeeee2edcf2cea202alloc(0) returns a valid buffer of the minimum chunk size possible for the given architecture, which is usually 16 bytes on a 64 byte system. But regardless of the exact byte count, the amount of bytes read in from this malloc(0) buffer for data is going to be far greater for any image of reasonable size, as the destination buffer\u2019s size is x_y_bpp. This results in a large user-controlled amount of data being read from the heap and populated into the XCF tile for further processing, creating an out of bounds read.\n\n### Crash Information\n\n(Note: Compiled with ASAN)\n \n \n Program received signal SIGSEGV, Segmentation fault.\n 0x00007f692455e127 in load_xcf_tile_rle (src=0x60700000dfb0, len=0x0, bpp=0x3, x=0x40, y=0x40) at IMG_xcf.c:496\n warning: Source file is more recent than executable.\n 496\n -------------------------------------------------------------------------[ registers ]----\n $rax : 0x0000602000010000 -> 0x0000000000000000 -> 0x0000000000000000\n $rbx : 0x00007ffd66fd8c30 -> 0x00007ffd66fda37f -> 0x3134373830363530 -> 0x3134373830363530 (\"05608741\"?)\n $rcx : 0x22ffffff00000000 -> 0x22ffffff00000000\n $rdx : 0x0000602000010001 -> 0x0000000000000000 -> 0x0000000000000000\n $rsp : 0x00007ffd66fd88d0 -> 0x00007ffd66fd8940 -> 0x00007ffd66fd89f0 -> 0x00007ffd66fd8ab0 -> 0x00007ffd66fd8af0 -> 0x00007ffd66fd8b20 \n -> 0x0000000000000002 -> \n 0x0000000000000002\n $rbp : 0x00007ffd66fd8940 -> 0x00007ffd66fd89f0 -> 0x00007ffd66fd8ab0 -> 0x00007ffd66fd8af0 -> 0x00007ffd66fd8b20 -> \n 0x0000000000000002 -> 0x0000000000000002\n $rsi : 0x0000000000000013 -> 0x0000000000000013\n $rdi : 0x00007f6924ae8540 -> 0x0000000000000014 -> 0x0000000000000014\n $rip : 0x00007f692455e127 -> <load_xcf_tile_rle+168> movzx eax, BYTE PTR [rax]\n $r8 : 0x0000000000000000 -> 0x0000000000000000\n $r9 : 0x000000000000001e -> 0x000000000000001e\n $r10 : 0x00000000004bd553 -> 0x6349643375c08548 -> 0x6349643375c08548\n $r11 : 0x0000000000000008 -> 0x0000000000000008\n $r12 : 0x00000000004bd3e4 -> <_start+0> xor ebp, ebp\n $r13 : 0x00007ffd66fd8c20 -> 0x0000000000000002 -> 0x0000000000000002\n $r14 : 0xfffffffffffffff8 -> 0xfffffffffffffff8\n $r15 : 0x0000000000000000 -> 0x0000000000000000\n $eflags: [carry PARITY adjust zero sign trap INTERRUPT direction overflow RESUME virtualx86 identification]\n -----------------------------------------------------------------------------[ stack ]----\n 0x00007ffd66fd88d0|+0x00: 0x00007ffd66fd8940 -> 0x00007ffd66fd89f0 -> 0x00007ffd66fd8ab0 -> 0x00007ffd66fd8af0 -> 0x00007ffd66fd8b20 -> \n 0x0000000000000002 -> 0x0000000000000002 \n <-$rsp\n 0x00007ffd66fd88d8|+0x08: 0x0000004000000040 -> 0x0000000000000000 -> 0x0000000000000000\n 0x00007ffd66fd88e0|+0x10: 0x0000000000000003 -> 0x0000000000000003\n 0x00007ffd66fd88e8|+0x18: 0x000060700000dfb0 -> 0x00007f69247c0e48 -> 0x20ec8348e5894855 -> 0x20ec8348e5894855\n 0x00007ffd66fd88f0|+0x20: 0x0000000000000000 -> 0x0000000000000000\n 0x00007ffd66fd88f8|+0x28: 0x00007f69236c097d -> 0x01c4f6038bc28948 -> 0x01c4f6038bc28948\n 0x00007ffd66fd8900|+0x30: 0x00006270001b2100 -> 0x0000be0000be0000 -> 0x0000be0000be0000\n 0x00007ffd66fd8908|+0x38: 0x00000000247c0f03 -> 0x00000000247c0f03\n ------------------------------------------------------------------[ code:i386:x86-64 ]----\n 0x7f692455e10f <load_xcf_tile_rle+144> mov DWORD PTR [rbp-0x1c], 0x0\n 0x7f692455e116 <load_xcf_tile_rle+151> jmp 0x7f692455e22a <load_xcf_tile_rle+427>\n 0x7f692455e11b <load_xcf_tile_rle+156> mov rax, QWORD PTR [rbp-0x8]\n 0x7f692455e11f <load_xcf_tile_rle+160> lea rdx, [rax+0x1]\n 0x7f692455e123 <load_xcf_tile_rle+164> mov QWORD PTR [rbp-0x8], rdx\n ->0x7f692455e127 <load_xcf_tile_rle+168> movzx eax, BYTE PTR [rax]\n 0x7f692455e12a <load_xcf_tile_rle+171> mov BYTE PTR [rbp-0x41], al\n 0x7f692455e12d <load_xcf_tile_rle+174> movzx eax, BYTE PTR [rbp-0x41]\n 0x7f692455e131 <load_xcf_tile_rle+178> mov DWORD PTR [rbp-0x24], eax\n 0x7f692455e134 <load_xcf_tile_rle+181> cmp DWORD PTR [rbp-0x24], 0x7f\n 0x7f692455e138 <load_xcf_tile_rle+185> jle 0x7f692455e1b0 <load_xcf_tile_rle+305>\n --------------------------------------------------------------[ source:IMG_xcf.c+496 ]----\n 492 for (i = 0; i < bpp; i++) { //ah, we write every 'i'th byte in the Surface\n 493 d = data + i; //d is the offending variable...\n 494 size = x*y; //0x1000\n 495 count = 0;\n -> 496 \n 497 while (size > 0) { //size == amount of pixels (=>total size == x*y*bpp)\n 498 val = *t++; // #! t => OOB. Size starts at 0x1000\n 499 \n 500 length = val; //length == length of consecutive pixels that are same color?\n ---------------------------------------------------------------------------[ threads ]----\n [#0] Id 1, Name: \"\", stopped, reason: SIGSEGV\n -----------------------------------------------------------------------------[ trace ]----\n [#0] 0x7f692455e127->Name: load_xcf_tile_rle(src=0x60700000dfb0, len=0x0, bpp=0x3, x=0x40, y=0x40)\n [#1] 0x7f692455e55d->Name: do_layer_surface(surface=0x60800000be20, src=0x60700000dfb0, head=0x60700000df40, layer=0x60600000eea0, \n load_tile=0x7f692455e07f <load_xcf_tile_rle>)\n [#2] 0x7f692455ee24->Name: IMG_LoadXCF_RW(src=0x60700000dfb0)\n [#3] 0x7f692453c7ef->Name: IMG_LoadTyped_RW(src=0x60700000dfb0, freesrc=0x1, type=0x0)\n [#4] 0x7f692453c5e0->Name: IMG_Load(file=0x7ffd66fda37f \"0560874168f86c7aeeee2edcf2cea202\")\n [#5] 0x4bd553->Name: main(argc=<optimized out>, argv=<optimized out>)\n ------------------------------------------------------------------------------------------\n \n\n### Timeline\n\n2018-02-06 - Vendor Disclosure \n2018-02-07 - Vendor patched \n2018-04-10 - Public Release\n\n##### Credit\n\nDiscovered by Lilith of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2018-0521\n\nPrevious Report\n\nTALOS-2018-0519\n", "edition": 6, "modified": "2018-04-10T00:00:00", "published": "2018-04-10T00:00:00", "id": "TALOS-2018-0520", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0520", "title": "Simple DirectMedia Layer SDL2_Image load_xcf_tile_rle Information Disclosure Vulnerability", "type": "talos", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-07-01T21:25:20", "bulletinFamily": "info", "cvelist": ["CVE-2018-3837"], "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0519\n\n## Simple DirectMedia Layer SDL2_Image IMG_LoadPCX_RW Information Disclosure Vulnerability\n\n##### April 10, 2018\n\n##### CVE Number\n\nCVE-2018-3837 \n\n### Summary\n\nAn exploitable information disclosure vulnerability exists in the PCX image rendering functionality of SDL2_image-2.0.2. A specially crafted PCX image can cause an out-of-bounds read on the heap, resulting in information disclosure . An attacker can display a specially crafted image to trigger this vulnerability.\n\n### Tested Versions\n\nSimple DirectMedia Layer SDL2_image 2.0.2\n\n### Product URLs\n\n<https://www.libsdl.org/projects/SDL_image/>\n\n### CVSSv3 Score\n\n5.3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N\n\n### CWE\n\nCWE-126: Buffer Over-read\n\n### Details\n\nLibSDL is a multi-platform library for easy access to low level hardware and graphics, providing support for a large amount of games, software, and emulators. The last known count of software using LibSDL (from 2012) listed the number at upwards of 120. The LibSDL2_Image library is an optional component that deals specifically with parsing and displaying a variety of image file formats, creating a single and uniform API for image processing, regardless of the type.\n\nWhen parsing and storing an PCX image file, the LibSDL2 library implements a custom RLE inflater for the compressed PCX data. In order to this, however, the library must first parse the PCX headers, such that it can allocate the correct amount of memory for the color data buffer. The structure of the PCX headers is listed below:\n \n \n struct PCXheader {\n \tUint8 Manufacturer;\n \tUint8 Version;\n \tUint8 Encoding;\n \tUint8 BitsPerPixel;\n \tSint16 Xmin, Ymin, Xmax, Ymax;\n \tSint16 HDpi, VDpi;\n \tUint8 Colormap[48];\n \tUint8 Reserved;\n \tUint8 NPlanes;\n \tSint16 BytesPerLine;\n \tSint16 PaletteInfo;\n \tSint16 HscreenSize;\n \tSint16 VscreenSize;\n \tUint8 Filler[54];\n };\n \n\nIt should be noted that these values are all taken directly from the PCX file itself, as one might expect. Also, for the purposes of this bug, the most important fields are the Xmin, Xmax, and BytesPerLine parameters, however (pcxh.BitsPerPixel == 8 &amp;&amp; pcxh.NPlanes == 3) must also be true in order to hit the buggy code path.\n\nWhen creating the SDL_Surface object used to store the image information, the dimensions of the image are generated as such:\n \n \n // IMG_pcx.c:118\n /* Create the surface of the appropriate type */\n \twidth = (pcxh.Xmax - pcxh.Xmin) + 1;\n \theight = (pcxh.Ymax - pcxh.Ymin) + 1;\n [\u2026] \n surface = SDL_CreateRGBSurface(SDL_SWSURFACE, width, height,\n bits, Rmask, Gmask, Bmask, Amask); //[1]\n \n\nThe width is multiplied by the height inside of [1], in order to generate the appropriate size buffer for the surface.pixels buffer, which is where the image data ends up being stored. But immediately after the pixel buffer is malloced with size (width*height), the library also mallocs another buffer:\n \n \n bpl = pcxh.NPlanes * pcxh.BytesPerLine; //[1]\n \tif (bpl > surface->pitch) {\n \t\terror = \"bytes per line is too large (corrupt?)\";\n \t}\n \tbuf = (Uint8 *)SDL_malloc(bpl); //[2]\n \trow = (Uint8 *)surface->pixels;\n \n\nAt [1], the size of this new buffer is calculated. As mentioned before, pcxh.Nplanes must be 3, however there is no such restriction on the pcxh.BytesPerLine parameter, which is read in from the input image. For purposes of the discussion, assume pcxh.BytesPerLine = 0x200. Thus, when the buf variable is populated with heap memory at [2], the size of the heap chunk is 0x600. The library then reads in the actual image data from the file into the buf variable, one row at a time. After this, the data is taken from the tmp buffer \u2018buf\u2019 and de-interlaced into the actual SDL_Surface.pixels buffer from before.\n \n \n else if(src_bits == 24) {\n \t /* de-interlace planes */\n \t Uint8 *innerSrc = buf;\n \t int plane;\n \t for(plane = 0; plane < pcxh.NPlanes; plane++) { // plane == 3\n \t int x;\n \t \tdst = row + plane;\n \tfor(x = 0; x < width; x++) { //[1]\n \t \t*dst = *innerSrc++; //[2]\n \t\tdst += pcxh.NPlanes;\n \t}\n }\n \t}\n \n\nDuring the de-interlace phase, at [2], the temporary buffer \u2018buf\u2019 is walked with the innerSrc pointer, with each row taking \u2018width\u2019 bytes [1]. When looking back, we can see that the \u2018width\u2019 variable is created as such: `width = (pcxh.Xmax - pcxh.Xmin) + 1;`, while the \u2018buf\u2019 buffer is created as such: `SDL_malloc(pcxh.NPlanes * pcxh.BytesPerLine)`. Since there\u2019s not really any checks or comparisons between the sizes of the buffer an width, if width is greater than the BytesPerLine, the loop starts to read out of bounds into the rest of the heap, resulting in an information disclosure, as the SDL_surface.pixel buffer now contains heap data.\n\n### Crash Information\n\nProgram received signal SIGSEGV, Segmentation fault. 0x00007f2d47d6f0c8 in IMG_LoadPCX_RW (src=0x60700000dfb0) at IMG_pcx.c:208 warning: Source file is more recent than executable. 208 *dst = *innerSrc++; // ASAN crash here, rax == 0x61b000020000 \u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014-[ registers ]\u2014- $rax : 0x000061b000020000 -&gt; 0x0000000000000000 -&gt; 0x0000000000000000 $rbx : 0x00007fffe8f637e0 -&gt; 0x00007fffe8f65374 -&gt; 0x736172635f6e6f6e -&gt; 0x736172635f6e6f6e (\u201cnon_cras\u201d?) $rcx : 0x000000000000005a -&gt; 0x000000000000005a $rdx : 0x000061b000020001 -&gt; 0x0000000000000000 -&gt; 0x0000000000000000 $rsp : 0x00007fffe8f63500 -&gt; 0x00007fffe8f635c0 -&gt; 0x000006000801050a -&gt; 0x0000000000000000 -&gt; 0x0000000000000000 $rbp : 0x00007fffe8f63660 -&gt; 0x00007fffe8f636a0 -&gt; 0x00007fffe8f636d0 -&gt; 0x0000000000000002 -&gt; 0x0000000000000002 $rsi : 0x000061600000fd60 -&gt; 0x0000000000000000 -&gt; 0x0000000000000000 $rdi : 0x00007fffe8f63520 -&gt; 0x000000000801050a -&gt; 0x000000000801050a $rip : 0x00007f2d47d6f0c8 -&gt; &lt;IMG_LoadPCX_RW+1288&gt; movzx edx, BYTE PTR [rax] $r8 : 0x000061600000fd60 -&gt; 0x0000000000000000 -&gt; 0x0000000000000000 $r9 : 0x00007fffe8f6351f -&gt; 0x0000000801050a5a -&gt; 0x0000000000000000 -&gt; 0x0000000000000000 $r10 : 0x0000000000000020 -&gt; 0x0000000000000020 $r11 : 0x000061b00000fc00 -&gt; 0x0000000000000000 -&gt; 0x0000000000000000 $r12 : 0x00000000004bd3e4 -&gt; &lt;_start+0&gt; xor ebp, ebp $r13 : 0x00007fffe8f637d0 -&gt; 0x0000000000000002 -&gt; 0x0000000000000002 $r14 : 0xfffffffffffffff8 -&gt; 0xfffffffffffffff8 $r15 : 0x0000000000000000 -&gt; 0x0000000000000000 $eflags: [CARRY parity adjust zero SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification] \u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2013[ stack ]\u2014- 0x00007fffe8f63500|+0x00: 0x00007fffe8f635c0 -&gt; 0x000006000801050a -&gt; 0x0000000000000000 -&gt; 0x0000000000000000 &lt;-$rsp 0x00007fffe8f63508|+0x08: 0x000060700000dfb0 -&gt; 0x00007f2d47fede48 -&gt; 0x20ec8348e5894855 -&gt; 0x20ec8348e5894855 0x00007fffe8f63510|+0x10: 0x000061600000fc80 -&gt; 0xbebebebefbad2488 0x00007fffe8f63518|+0x18: 0x5a0061600000fc80 -&gt; 0x5a0061600000fc80 0x00007fffe8f63520|+0x20: 0x000000000801050a -&gt; 0x000000000801050a &lt;-$rdi 0x00007fffe8f63528|+0x28: 0x0048004801ff09ff -&gt; 0x0048004801ff09ff 0x00007fffe8f63530|+0x30: 0x0000000000000000 -&gt; 0x0000000000000000 0x00007fffe8f63538|+0x38: 0x0000000000000000 -&gt; 0x0000000000000000 \u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014[ code:i386:x86-64 ]\u2014- 0x7f2d47d6f0b3 &lt;IMG_LoadPCX_RW+1267&gt; mov DWORD PTR [rbp-0x78], 0x0 0x7f2d47d6f0ba &lt;IMG_LoadPCX_RW+1274&gt; jmp 0x7f2d47d6f0e3 &lt;IMG_LoadPCX_RW+1315&gt; 0x7f2d47d6f0bc &lt;IMG_LoadPCX_RW+1276&gt; mov rax, QWORD PTR [rbp-0x70] 0x7f2d47d6f0c0 &lt;IMG_LoadPCX_RW+1280&gt; lea rdx, [rax+0x1] 0x7f2d47d6f0c4 &lt;IMG_LoadPCX_RW+1284&gt; mov QWORD PTR [rbp-0x70], rdx -&gt;0x7f2d47d6f0c8 &lt;IMG_LoadPCX_RW+1288&gt; movzx edx, BYTE PTR [rax] 0x7f2d47d6f0cb &lt;IMG_LoadPCX_RW+1291&gt; mov rax, QWORD PTR [rbp-0x50] 0x7f2d47d6f0cf &lt;IMG_LoadPCX_RW+1295&gt; mov BYTE PTR [rax], dl 0x7f2d47d6f0d1 &lt;IMG_LoadPCX_RW+1297&gt; movzx eax, BYTE PTR [rbp-0xff] 0x7f2d47d6f0d8 &lt;IMG_LoadPCX_RW+1304&gt; movzx eax, al 0x7f2d47d6f0db &lt;IMG_LoadPCX_RW+1307&gt; add QWORD PTR [rbp-0x50], rax \u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2013[ source:IMG_pcx.c+208 ]\u2014- 204 for(plane = 0; plane &lt; pcxh.NPlanes; plane++) { 205 int x; 206 dst = row + plane; 207 for(x = 0; x &lt; width; x++) { // innerSrc=0x00007fffe8f635f0 -&gt; [\u2026] -&gt; 0x0000000000000000, dst=0x00007fffe8f63610 -&gt; [\u2026] -&gt; 0x00006500005d0000 -&gt; 208 *dst = *innerSrc++; 209 dst += pcxh.NPlanes; 210 } 211 } 212 } \u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014[ threads ]\u2014- [#0] Id 1, Name: \u201c\u201d, stopped, reason: SIGSEGV \u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2013[ trace ]\u2014- [#0] 0x7f2d47d6f0c8-&gt;Name: IMG_LoadPCX_RW(src=0x60700000dfb0) [#1] 0x7f2d47d697ef-&gt;Name: IMG_LoadTyped_RW(src=0x60700000dfb0, freesrc=0x1, type=0x0) [#2] 0x7f2d47d695e0-&gt;Name: IMG_Load(file=0x7fffe8f65374 \u201cnon_crashes/0436f5c6ebc8db621a0280296203bb14\u201d) [#3] 0x4bd553-&gt;Name: main(argc=, argv=) \\------------------------------------------------------------------------------------------\n\n### Timeline\n\n2018-02-06 - Vendor Disclosure \n2018-02-07 - Vendor patched \n2018-04-10 - Public Release\n\n##### Credit\n\nDiscovered by Lilith of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2018-0520\n\nPrevious Report\n\nTALOS-2017-0327\n", "edition": 6, "modified": "2018-04-10T00:00:00", "published": "2018-04-10T00:00:00", "id": "TALOS-2018-0519", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0519", "title": "Simple DirectMedia Layer SDL2_Image IMG_LoadPCX_RW Information Disclosure Vulnerability", "type": "talos", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}]}