Univention Bugzilla – Bug 46959
sdl-image1.2: Multiple issues (4.3)
Last modified: 2018-05-16 17:04:24 CEST
New Debian sdl-image1.2 1.2.12-5+deb9u1 fixes: This update addresses the following issues: * An exploitable information vulnerability exists in the XCF image rendering functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds read on the heap, resulting in information disclosure. An attacker can display a specially crafted image to trigger this vulnerability. (CVE-2018-3838) * An exploitable code execution vulnerability exists in the XCF image rendering functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. (CVE-2018-3839) * An exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. (CVE-2017-14448) * An exploitable buffer overflow vulnerability exists in the XCF property handling functionality of SDL_image 2.0.1. A specially crafted xcf file can cause a stack-based buffer overflow resulting in potential code execution. An attacker can provide a specially crafted XCF file to trigger this vulnerability. (CVE-2017-2887) * An exploitable information disclosure vulnerability exists in the PCX image rendering functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A specially crafted PCX image can cause an out-of-bounds read on the heap, resulting in information disclosure . An attacker can display a specially crafted image to trigger this vulnerability. (CVE-2018-3837) * An exploitable code execution vulnerability exists in the BMP image rendering functionality of SDL2_image-2.0.2. A specially crafted BMP image can cause a stack overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. (CVE-2017-14442) * An exploitable code execution vulnerability exists in the ICO image rendering functionality of SDL2_image-2.0.2. A specially crafted ICO image can cause an integer overflow, cascading to a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. (CVE-2017-14441) * An exploitable code execution vulnerability exists in the ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image can cause a stack overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. (CVE-2017-14440) * A buffer overflow vulnerability exists in the GIF image parsing functionality of SDL2_image-2.0.2. A specially crafted GIF image can lead to a buffer overflow on a global section. An attacker can display an image to trigger this vulnerability. (CVE-2017-14450) * An exploitable code execution vulnerability exists in the ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image can cause a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. (CVE-2017-12122) An exploitable information vulnerability exists in the XCF image rendering functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds read on the heap, resulting in information disclosure. An attacker can display a specially crafted image to trigger this vulnerability. An exploitable code execution vulnerability exists in the XCF image rendering functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. CVE-2017-14448 An exploitable buffer overflow vulnerability exists in the XCF property handling functionality of SDL_image 2.0.1. A specially crafted xcf file can cause a stack-based buffer overflow resulting in potential code execution. An attacker can provide a specially crafted XCF file to trigger this vulnerability. An exploitable information disclosure vulnerability exists in the PCX image rendering functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A specially crafted PCX image can cause an out-of-bounds read on the heap, resulting in information disclosure . An attacker can display a specially crafted image to trigger this vulnerability. CVE-2017-14442 CVE-2017-14441 CVE-2017-14440 CVE-2017-14450 CVE-2017-12122
[4.3-0] 54101afd30 Bug #46959: sdl-image1.2_1.2.12-5+deb9u1 doc/errata/staging/sdl-image1.2.yaml | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
--- mirror/ftp/4.3/unmaintained/4.3-0/source/sdl-image1.2_1.2.12-5.dsc +++ apt/ucs_4.3-0-errata4.3-0/source/sdl-image1.2_1.2.12-5+deb9u1.dsc @@ -1,3 +1,17 @@ +1.2.12-5+deb9u1 [Sun, 15 Apr 2018 17:54:38 +0200] Felix Geyer <fgeyer@debian.org>: + + * Backport various security fixes: + - CVE-2017-2887 + - CVE-2017-12122 + - CVE-2017-14440 + - CVE-2017-14441 + - CVE-2017-14442 + - CVE-2017-14448 + - CVE-2017-14450 + - CVE-2018-3837 + - CVE-2018-3838 + - CVE-2018-3839 + 1.2.12-5 [Sun, 01 Sep 2013 13:03:02 +0200] Felix Geyer <fgeyer@debian.org>: * Really regenerate autoconf files. The upstream autogen.sh doesn't
* No UCS specific patches * Comparison to previously shipped version ok * Binary package update Ok * Advisory adjusted: b1b1d847c1 | Sort CVEs
<http://errata.software-univention.de/ucs/4.3/72.html>