[gentoo-announce] [ GLSA 201903-17 ] SDL2_Image: Multiple vulnerabilities - gentoo-announce

From:	Aaron Bauman <bman@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 201903-17 ] SDL2_Image: Multiple vulnerabilities
Date:	Thu, 28 Mar 2019 02:42:46
Message-Id:	`20190328020754.GB14496@monkey`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201903-17

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                           https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: SDL2_Image: Multiple vulnerabilities

9

     Date: March 28, 2019

10

     Bugs: #655226, #674132

11

       ID: 201903-17

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple vulnerabilities have been found in the image loading library

19

for Simple DirectMedia Layer, the worst of which could result in the

20

remote execution of arbitrary code.

21

22

Background

23

==========

24

25

SDL_image is an image file library that loads images as SDL surfaces,

26

and supports various formats like BMP, GIF, JPEG, LBM, PCX, PNG, PNM,

27

TGA, TIFF, XCF, XPM, and XV.

28

29

Affected packages

30

=================

31

32

    -------------------------------------------------------------------

33

     Package              /     Vulnerable     /            Unaffected

34

    -------------------------------------------------------------------

35

  1  media-libs/sdl2-image        < 2.0.4                    >= 2.0.4 

36

37

Description

38

===========

39

40

Multiple vulnerabilities have been discovered in SDL2_Image. Please

41

review the CVE identifiers referenced below for details.

42

43

Impact

44

======

45

46

A remote attacker, by enticing a user to process a specially crafted

47

image file, could execute arbitrary code, cause a Denial of Service

48

condition, or obtain sensitive information.

49

50

Workaround

51

==========

52

53

There is no known workaround at this time.

54

55

Resolution

56

==========

57

58

All SDL2_Image users should upgrade to the latest version:

59

60

  # emerge --sync

61

  # emerge --ask --oneshot --verbose ">=media-libs/sdl2-image-2.0.4"

62

63

References

64

==========

65

66

[  1 ] CVE-2017-12122

67

       https://nvd.nist.gov/vuln/detail/CVE-2017-12122

68

[  2 ] CVE-2017-14440

69

       https://nvd.nist.gov/vuln/detail/CVE-2017-14440

70

[  3 ] CVE-2017-14441

71

       https://nvd.nist.gov/vuln/detail/CVE-2017-14441

72

[  4 ] CVE-2017-14442

73

       https://nvd.nist.gov/vuln/detail/CVE-2017-14442

74

[  5 ] CVE-2017-14448

75

       https://nvd.nist.gov/vuln/detail/CVE-2017-14448

76

[  6 ] CVE-2017-14449

77

       https://nvd.nist.gov/vuln/detail/CVE-2017-14449

78

[  7 ] CVE-2017-14450

79

       https://nvd.nist.gov/vuln/detail/CVE-2017-14450

80

[  8 ] CVE-2018-3837

81

       https://nvd.nist.gov/vuln/detail/CVE-2018-3837

82

[  9 ] CVE-2018-3838

83

       https://nvd.nist.gov/vuln/detail/CVE-2018-3838

84

[ 10 ] CVE-2018-3839

85

       https://nvd.nist.gov/vuln/detail/CVE-2018-3839

86

[ 11 ] CVE-2018-3977

87

       https://nvd.nist.gov/vuln/detail/CVE-2018-3977

88

89

Availability

90

============

91

92

This GLSA and any updates to it are available for viewing at

93

the Gentoo Security Website:

94

95

 https://security.gentoo.org/glsa/201903-17

96

97

Concerns?

98

=========

99

100

Security is a primary focus of Gentoo Linux and ensuring the

101

confidentiality and security of our users' machines is of utmost

102

importance to us. Any security concerns should be addressed to

103

security@g.o or alternatively, you may file a bug at

104

https://bugs.gentoo.org.

105

106

License

107

=======

108

109

Copyright 2019 Gentoo Foundation, Inc; referenced text

110

belongs to its owner(s).

111

112

The contents of this document are licensed under the

113

Creative Commons - Attribution / Share Alike license.

114

115

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201903-17
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: SDL2_Image: Multiple vulnerabilities
9	Date: March 28, 2019
10	Bugs: #655226, #674132
11	ID: 201903-17
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple vulnerabilities have been found in the image loading library
19	for Simple DirectMedia Layer, the worst of which could result in the
20	remote execution of arbitrary code.
21
22	Background
23	==========
24
25	SDL_image is an image file library that loads images as SDL surfaces,
26	and supports various formats like BMP, GIF, JPEG, LBM, PCX, PNG, PNM,
27	TGA, TIFF, XCF, XPM, and XV.
28
29	Affected packages
30	=================
31
32	-------------------------------------------------------------------
33	Package / Vulnerable / Unaffected
34	-------------------------------------------------------------------
35	1 media-libs/sdl2-image < 2.0.4 >= 2.0.4
36
37	Description
38	===========
39
40	Multiple vulnerabilities have been discovered in SDL2_Image. Please
41	review the CVE identifiers referenced below for details.
42
43	Impact
44	======
45
46	A remote attacker, by enticing a user to process a specially crafted
47	image file, could execute arbitrary code, cause a Denial of Service
48	condition, or obtain sensitive information.
49
50	Workaround
51	==========
52
53	There is no known workaround at this time.
54
55	Resolution
56	==========
57
58	All SDL2_Image users should upgrade to the latest version:
59
60	# emerge --sync
61	# emerge --ask --oneshot --verbose ">=media-libs/sdl2-image-2.0.4"
62
63	References
64	==========
65
66	[ 1 ] CVE-2017-12122
67	https://nvd.nist.gov/vuln/detail/CVE-2017-12122
68	[ 2 ] CVE-2017-14440
69	https://nvd.nist.gov/vuln/detail/CVE-2017-14440
70	[ 3 ] CVE-2017-14441
71	https://nvd.nist.gov/vuln/detail/CVE-2017-14441
72	[ 4 ] CVE-2017-14442
73	https://nvd.nist.gov/vuln/detail/CVE-2017-14442
74	[ 5 ] CVE-2017-14448
75	https://nvd.nist.gov/vuln/detail/CVE-2017-14448
76	[ 6 ] CVE-2017-14449
77	https://nvd.nist.gov/vuln/detail/CVE-2017-14449
78	[ 7 ] CVE-2017-14450
79	https://nvd.nist.gov/vuln/detail/CVE-2017-14450
80	[ 8 ] CVE-2018-3837
81	https://nvd.nist.gov/vuln/detail/CVE-2018-3837
82	[ 9 ] CVE-2018-3838
83	https://nvd.nist.gov/vuln/detail/CVE-2018-3838
84	[ 10 ] CVE-2018-3839
85	https://nvd.nist.gov/vuln/detail/CVE-2018-3839
86	[ 11 ] CVE-2018-3977
87	https://nvd.nist.gov/vuln/detail/CVE-2018-3977
88
89	Availability
90	============
91
92	This GLSA and any updates to it are available for viewing at
93	the Gentoo Security Website:
94
95	https://security.gentoo.org/glsa/201903-17
96
97	Concerns?
98	=========
99
100	Security is a primary focus of Gentoo Linux and ensuring the
101	confidentiality and security of our users' machines is of utmost
102	importance to us. Any security concerns should be addressed to
103	security@g.o or alternatively, you may file a bug at
104	https://bugs.gentoo.org.
105
106	License
107	=======
108
109	Copyright 2019 Gentoo Foundation, Inc; referenced text
110	belongs to its owner(s).
111
112	The contents of this document are licensed under the
113	Creative Commons - Attribution / Share Alike license.
114
115	https://creativecommons.org/licenses/by-sa/2.5