Security update for SDL2, SDL2_image SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:0734-1 Final 1 1 2018-03-18T10:34:15Z current 2018-03-18T10:34:15Z 2018-03-18T10:34:15Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for SDL2, SDL2_image This update for SDL2 and SDL2_image fixes the following issues: - CVE-2017-14441: Code execution in the ICO image rendering (bsc#1084282). - CVE-2017-14440: Potential code execution in the ILBM image rendering functionality (bsc#1084257). - CVE-2017-12122: Potential code execution in the ILBM image rendering fuctionality (bsc#1084256). - CVE-2017-14448: Heap buffer overflow in the XCF image rendering functionality (bsc#1084303). - CVE-2017-14449: Double-Free in the XCF image rendering (bsc#1084297). - CVE-2017-14442: Stack buffer overflow the BMP image rendering functionality (bsc#1084304). - CVE-2017-14450: Buffer overflow in the GIF image parsing (bsc#1084288). Bug fixes: - boo#1025413: Add dbus-ime.diff and build with fcitx. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2018-03/msg00047.html E-Mail link for openSUSE-SU-2018:0734-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 SDL2-2.0.8-18.1 SDL2_image-2.0.3-13.10.1 libSDL2-2_0-0-2.0.8-18.1 libSDL2-2_0-0-32bit-2.0.8-18.1 libSDL2-devel-2.0.8-18.1 libSDL2-devel-32bit-2.0.8-18.1 libSDL2_image-2_0-0-2.0.3-13.10.1 libSDL2_image-2_0-0-32bit-2.0.3-13.10.1 libSDL2_image-devel-2.0.3-13.10.1 libSDL2_image-devel-32bit-2.0.3-13.10.1 SDL2-2.0.8-18.1 as a component of openSUSE Leap 42.3 SDL2_image-2.0.3-13.10.1 as a component of openSUSE Leap 42.3 libSDL2-2_0-0-2.0.8-18.1 as a component of openSUSE Leap 42.3 libSDL2-2_0-0-32bit-2.0.8-18.1 as a component of openSUSE Leap 42.3 libSDL2-devel-2.0.8-18.1 as a component of openSUSE Leap 42.3 libSDL2-devel-32bit-2.0.8-18.1 as a component of openSUSE Leap 42.3 libSDL2_image-2_0-0-2.0.3-13.10.1 as a component of openSUSE Leap 42.3 libSDL2_image-2_0-0-32bit-2.0.3-13.10.1 as a component of openSUSE Leap 42.3 libSDL2_image-devel-2.0.3-13.10.1 as a component of openSUSE Leap 42.3 libSDL2_image-devel-32bit-2.0.3-13.10.1 as a component of openSUSE Leap 42.3 An exploitable code execution vulnerability exists in the ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image can cause a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. CVE-2017-12122 openSUSE Leap 42.3:SDL2-2.0.8-18.1 openSUSE Leap 42.3:SDL2_image-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2-2_0-0-2.0.8-18.1 openSUSE Leap 42.3:libSDL2-2_0-0-32bit-2.0.8-18.1 openSUSE Leap 42.3:libSDL2-devel-2.0.8-18.1 openSUSE Leap 42.3:libSDL2-devel-32bit-2.0.8-18.1 openSUSE Leap 42.3:libSDL2_image-2_0-0-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2_image-2_0-0-32bit-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2_image-devel-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2_image-devel-32bit-2.0.3-13.10.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-03/msg00047.html https://www.suse.com/security/cve/CVE-2017-12122.html CVE-2017-12122 https://bugzilla.suse.com/1084256 SUSE Bug 1084256 https://bugzilla.suse.com/1084257 SUSE Bug 1084257 An exploitable code execution vulnerability exists in the ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image can cause a stack overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. CVE-2017-14440 openSUSE Leap 42.3:SDL2-2.0.8-18.1 openSUSE Leap 42.3:SDL2_image-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2-2_0-0-2.0.8-18.1 openSUSE Leap 42.3:libSDL2-2_0-0-32bit-2.0.8-18.1 openSUSE Leap 42.3:libSDL2-devel-2.0.8-18.1 openSUSE Leap 42.3:libSDL2-devel-32bit-2.0.8-18.1 openSUSE Leap 42.3:libSDL2_image-2_0-0-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2_image-2_0-0-32bit-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2_image-devel-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2_image-devel-32bit-2.0.3-13.10.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-03/msg00047.html https://www.suse.com/security/cve/CVE-2017-14440.html CVE-2017-14440 https://bugzilla.suse.com/1084256 SUSE Bug 1084256 https://bugzilla.suse.com/1084257 SUSE Bug 1084257 An exploitable code execution vulnerability exists in the ICO image rendering functionality of SDL2_image-2.0.2. A specially crafted ICO image can cause an integer overflow, cascading to a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. CVE-2017-14441 openSUSE Leap 42.3:SDL2-2.0.8-18.1 openSUSE Leap 42.3:SDL2_image-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2-2_0-0-2.0.8-18.1 openSUSE Leap 42.3:libSDL2-2_0-0-32bit-2.0.8-18.1 openSUSE Leap 42.3:libSDL2-devel-2.0.8-18.1 openSUSE Leap 42.3:libSDL2-devel-32bit-2.0.8-18.1 openSUSE Leap 42.3:libSDL2_image-2_0-0-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2_image-2_0-0-32bit-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2_image-devel-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2_image-devel-32bit-2.0.3-13.10.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-03/msg00047.html https://www.suse.com/security/cve/CVE-2017-14441.html CVE-2017-14441 https://bugzilla.suse.com/1084256 SUSE Bug 1084256 https://bugzilla.suse.com/1084282 SUSE Bug 1084282 An exploitable code execution vulnerability exists in the BMP image rendering functionality of SDL2_image-2.0.2. A specially crafted BMP image can cause a stack overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. CVE-2017-14442 openSUSE Leap 42.3:SDL2-2.0.8-18.1 openSUSE Leap 42.3:SDL2_image-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2-2_0-0-2.0.8-18.1 openSUSE Leap 42.3:libSDL2-2_0-0-32bit-2.0.8-18.1 openSUSE Leap 42.3:libSDL2-devel-2.0.8-18.1 openSUSE Leap 42.3:libSDL2-devel-32bit-2.0.8-18.1 openSUSE Leap 42.3:libSDL2_image-2_0-0-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2_image-2_0-0-32bit-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2_image-devel-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2_image-devel-32bit-2.0.3-13.10.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-03/msg00047.html https://www.suse.com/security/cve/CVE-2017-14442.html CVE-2017-14442 https://bugzilla.suse.com/1084256 SUSE Bug 1084256 https://bugzilla.suse.com/1084304 SUSE Bug 1084304 An exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. CVE-2017-14448 openSUSE Leap 42.3:SDL2-2.0.8-18.1 openSUSE Leap 42.3:SDL2_image-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2-2_0-0-2.0.8-18.1 openSUSE Leap 42.3:libSDL2-2_0-0-32bit-2.0.8-18.1 openSUSE Leap 42.3:libSDL2-devel-2.0.8-18.1 openSUSE Leap 42.3:libSDL2-devel-32bit-2.0.8-18.1 openSUSE Leap 42.3:libSDL2_image-2_0-0-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2_image-2_0-0-32bit-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2_image-devel-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2_image-devel-32bit-2.0.3-13.10.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-03/msg00047.html https://www.suse.com/security/cve/CVE-2017-14448.html CVE-2017-14448 https://bugzilla.suse.com/1084256 SUSE Bug 1084256 https://bugzilla.suse.com/1084303 SUSE Bug 1084303 A double-Free vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause a Double-Free situation to occur. An attacker can display a specially crafted image to trigger this vulnerability. CVE-2017-14449 openSUSE Leap 42.3:SDL2-2.0.8-18.1 openSUSE Leap 42.3:SDL2_image-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2-2_0-0-2.0.8-18.1 openSUSE Leap 42.3:libSDL2-2_0-0-32bit-2.0.8-18.1 openSUSE Leap 42.3:libSDL2-devel-2.0.8-18.1 openSUSE Leap 42.3:libSDL2-devel-32bit-2.0.8-18.1 openSUSE Leap 42.3:libSDL2_image-2_0-0-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2_image-2_0-0-32bit-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2_image-devel-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2_image-devel-32bit-2.0.3-13.10.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-03/msg00047.html https://www.suse.com/security/cve/CVE-2017-14449.html CVE-2017-14449 https://bugzilla.suse.com/1084256 SUSE Bug 1084256 https://bugzilla.suse.com/1084297 SUSE Bug 1084297 A buffer overflow vulnerability exists in the GIF image parsing functionality of SDL2_image-2.0.2. A specially crafted GIF image can lead to a buffer overflow on a global section. An attacker can display an image to trigger this vulnerability. CVE-2017-14450 openSUSE Leap 42.3:SDL2-2.0.8-18.1 openSUSE Leap 42.3:SDL2_image-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2-2_0-0-2.0.8-18.1 openSUSE Leap 42.3:libSDL2-2_0-0-32bit-2.0.8-18.1 openSUSE Leap 42.3:libSDL2-devel-2.0.8-18.1 openSUSE Leap 42.3:libSDL2-devel-32bit-2.0.8-18.1 openSUSE Leap 42.3:libSDL2_image-2_0-0-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2_image-2_0-0-32bit-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2_image-devel-2.0.3-13.10.1 openSUSE Leap 42.3:libSDL2_image-devel-32bit-2.0.3-13.10.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-03/msg00047.html https://www.suse.com/security/cve/CVE-2017-14450.html CVE-2017-14450 https://bugzilla.suse.com/1084256 SUSE Bug 1084256 https://bugzilla.suse.com/1084288 SUSE Bug 1084288