Security update for SDL2_image SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:2108-1 Final 1 1 2019-09-10T14:20:24Z current 2019-09-10T14:20:24Z 2019-09-10T14:20:24Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for SDL2_image This update for SDL2_image fixes the following issues: Update to new upstream release 2.0.5. Security issues fixed: * TALOS-2019-0820 CVE-2019-5051: exploitable heap-based buffer overflow vulnerability when loading a PCX file (boo#1140419) * TALOS-2019-0821 CVE-2019-5052: exploitable integer overflow vulnerability when loading a PCX file (boo#1140421) * TALOS-2019-0841 CVE-2019-5057: code execution vulnerability in the PCX image-rendering functionality of SDL2_image (boo#1143763) * TALOS-2019-0842 CVE-2019-5058: heap overflow in XCF image rendering can lead to code execution (boo#1143764) * TALOS-2019-0843 CVE-2019-5059: heap overflow in XPM image (boo#1143766) * TALOS-2019-0844 CVE-2019-5060: integer overflow in the XPM image (boo#1143768) Not mentioned by upstream, but issues seemingly further fixed: * CVE-2019-12218: NULL pointer dereference in the SDL2_image function IMG_LoadPCX_RW (boo#1135789) * CVE-2019-12217: NULL pointer dereference in the SDL stdio_read function (boo#1135787) * CVE-2019-12220: SDL_image triggers an out-of-bounds read in the SDL function SDL_FreePalette_REAL (boo#1135806) * CVE-2019-12221: a SEGV caused by SDL_image in SDL function SDL_free_REAL in stdlib/SDL_malloc.c (boo#1135796) * CVE-2019-12222: out-of-bounds read triggered by SDL_image in the function SDL_InvalidateMap at video/SDL_pixels.c (boo#1136101) * CVE-2019-13616: fix heap buffer overflow when reading a crafted bmp file (boo#1141844). This update was imported from the openSUSE:Leap:15.0:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-2108 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L64IV5QDMXKI6JPESXNTCMESEKNUADR2/#L64IV5QDMXKI6JPESXNTCMESEKNUADR2 E-Mail link for openSUSE-SU-2019:2108-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1135787 SUSE Bug 1135787 https://bugzilla.suse.com/1135789 SUSE Bug 1135789 https://bugzilla.suse.com/1135796 SUSE Bug 1135796 https://bugzilla.suse.com/1135806 SUSE Bug 1135806 https://bugzilla.suse.com/1136101 SUSE Bug 1136101 https://bugzilla.suse.com/1140419 SUSE Bug 1140419 https://bugzilla.suse.com/1140421 SUSE Bug 1140421 https://bugzilla.suse.com/1141844 SUSE Bug 1141844 https://bugzilla.suse.com/1143763 SUSE Bug 1143763 https://bugzilla.suse.com/1143764 SUSE Bug 1143764 https://bugzilla.suse.com/1143766 SUSE Bug 1143766 https://bugzilla.suse.com/1143768 SUSE Bug 1143768 https://www.suse.com/security/cve/CVE-2019-12217/ SUSE CVE CVE-2019-12217 page https://www.suse.com/security/cve/CVE-2019-12218/ SUSE CVE CVE-2019-12218 page https://www.suse.com/security/cve/CVE-2019-12220/ SUSE CVE CVE-2019-12220 page https://www.suse.com/security/cve/CVE-2019-12221/ SUSE CVE CVE-2019-12221 page https://www.suse.com/security/cve/CVE-2019-12222/ SUSE CVE CVE-2019-12222 page https://www.suse.com/security/cve/CVE-2019-13616/ SUSE CVE CVE-2019-13616 page https://www.suse.com/security/cve/CVE-2019-5051/ SUSE CVE CVE-2019-5051 page https://www.suse.com/security/cve/CVE-2019-5052/ SUSE CVE CVE-2019-5052 page https://www.suse.com/security/cve/CVE-2019-5057/ SUSE CVE CVE-2019-5057 page https://www.suse.com/security/cve/CVE-2019-5058/ SUSE CVE CVE-2019-5058 page https://www.suse.com/security/cve/CVE-2019-5059/ SUSE CVE CVE-2019-5059 page https://www.suse.com/security/cve/CVE-2019-5060/ SUSE CVE CVE-2019-5060 page SUSE Package Hub 15 SUSE Package Hub 15 SP1 libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 libSDL2_image-devel-2.0.5-bp151.4.3.1 libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 as a component of SUSE Package Hub 15 libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 as a component of SUSE Package Hub 15 libSDL2_image-devel-2.0.5-bp151.4.3.1 as a component of SUSE Package Hub 15 libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 as a component of SUSE Package Hub 15 libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 as a component of SUSE Package Hub 15 SP1 libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 as a component of SUSE Package Hub 15 SP1 libSDL2_image-devel-2.0.5-bp151.4.3.1 as a component of SUSE Package Hub 15 SP1 libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 as a component of SUSE Package Hub 15 SP1 An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a NULL pointer dereference in the SDL stdio_read function in file/SDL_rwops.c. CVE-2019-12217 SUSE Package Hub 15 SP1:libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-devel-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-devel-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L64IV5QDMXKI6JPESXNTCMESEKNUADR2/#L64IV5QDMXKI6JPESXNTCMESEKNUADR2 https://www.suse.com/security/cve/CVE-2019-12217.html CVE-2019-12217 https://bugzilla.suse.com/1135787 SUSE Bug 1135787 An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a NULL pointer dereference in the SDL2_image function IMG_LoadPCX_RW at IMG_pcx.c. CVE-2019-12218 SUSE Package Hub 15 SP1:libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-devel-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-devel-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L64IV5QDMXKI6JPESXNTCMESEKNUADR2/#L64IV5QDMXKI6JPESXNTCMESEKNUADR2 https://www.suse.com/security/cve/CVE-2019-12218.html CVE-2019-12218 https://bugzilla.suse.com/1135789 SUSE Bug 1135789 An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is an out-of-bounds read in the SDL function SDL_FreePalette_REAL at video/SDL_pixels.c. CVE-2019-12220 SUSE Package Hub 15 SP1:libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-devel-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-devel-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L64IV5QDMXKI6JPESXNTCMESEKNUADR2/#L64IV5QDMXKI6JPESXNTCMESEKNUADR2 https://www.suse.com/security/cve/CVE-2019-12220.html CVE-2019-12220 https://bugzilla.suse.com/1135806 SUSE Bug 1135806 An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9 when used in conjunction with libSDL2_image.a in SDL2_image 2.0.4. There is a SEGV in the SDL function SDL_free_REAL at stdlib/SDL_malloc.c. CVE-2019-12221 SUSE Package Hub 15 SP1:libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-devel-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-devel-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L64IV5QDMXKI6JPESXNTCMESEKNUADR2/#L64IV5QDMXKI6JPESXNTCMESEKNUADR2 https://www.suse.com/security/cve/CVE-2019-12221.html CVE-2019-12221 https://bugzilla.suse.com/1135796 SUSE Bug 1135796 An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) 2.0.9. There is an out-of-bounds read in the function SDL_InvalidateMap at video/SDL_pixels.c. CVE-2019-12222 SUSE Package Hub 15 SP1:libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-devel-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-devel-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L64IV5QDMXKI6JPESXNTCMESEKNUADR2/#L64IV5QDMXKI6JPESXNTCMESEKNUADR2 https://www.suse.com/security/cve/CVE-2019-12222.html CVE-2019-12222 https://bugzilla.suse.com/1136101 SUSE Bug 1136101 SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c. CVE-2019-13616 SUSE Package Hub 15 SP1:libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-devel-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-devel-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L64IV5QDMXKI6JPESXNTCMESEKNUADR2/#L64IV5QDMXKI6JPESXNTCMESEKNUADR2 https://www.suse.com/security/cve/CVE-2019-13616.html CVE-2019-13616 https://bugzilla.suse.com/1141844 SUSE Bug 1141844 An exploitable heap-based buffer overflow vulnerability exists when loading a PCX file in SDL2_image, version 2.0.4. A missing error handler can lead to a buffer overflow and potential code execution. An attacker can provide a specially crafted image file to trigger this vulnerability. CVE-2019-5051 SUSE Package Hub 15 SP1:libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-devel-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-devel-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L64IV5QDMXKI6JPESXNTCMESEKNUADR2/#L64IV5QDMXKI6JPESXNTCMESEKNUADR2 https://www.suse.com/security/cve/CVE-2019-5051.html CVE-2019-5051 https://bugzilla.suse.com/1140419 SUSE Bug 1140419 An exploitable integer overflow vulnerability exists when loading a PCX file in SDL2_image 2.0.4. A specially crafted file can cause an integer overflow, resulting in too little memory being allocated, which can lead to a buffer overflow and potential code execution. An attacker can provide a specially crafted image file to trigger this vulnerability. CVE-2019-5052 SUSE Package Hub 15 SP1:libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-devel-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-devel-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L64IV5QDMXKI6JPESXNTCMESEKNUADR2/#L64IV5QDMXKI6JPESXNTCMESEKNUADR2 https://www.suse.com/security/cve/CVE-2019-5052.html CVE-2019-5052 https://bugzilla.suse.com/1140421 SUSE Bug 1140421 An exploitable code execution vulnerability exists in the PCX image-rendering functionality of SDL2_image 2.0.4. A specially crafted PCX image can cause a heap overflow, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. CVE-2019-5057 SUSE Package Hub 15 SP1:libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-devel-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-devel-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L64IV5QDMXKI6JPESXNTCMESEKNUADR2/#L64IV5QDMXKI6JPESXNTCMESEKNUADR2 https://www.suse.com/security/cve/CVE-2019-5057.html CVE-2019-5057 https://bugzilla.suse.com/1143763 SUSE Bug 1143763 An exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image 2.0.4. A specially crafted XCF image can cause a heap overflow, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. CVE-2019-5058 SUSE Package Hub 15 SP1:libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-devel-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-devel-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L64IV5QDMXKI6JPESXNTCMESEKNUADR2/#L64IV5QDMXKI6JPESXNTCMESEKNUADR2 https://www.suse.com/security/cve/CVE-2019-5058.html CVE-2019-5058 https://bugzilla.suse.com/1143764 SUSE Bug 1143764 An exploitable code execution vulnerability exists in the XPM image rendering functionality of SDL2_image 2.0.4. A specially crafted XPM image can cause an integer overflow, allocating too small of a buffer. This buffer can then be written out of bounds resulting in a heap overflow, ultimately ending in code execution. An attacker can display a specially crafted image to trigger this vulnerability. CVE-2019-5059 SUSE Package Hub 15 SP1:libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-devel-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-devel-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L64IV5QDMXKI6JPESXNTCMESEKNUADR2/#L64IV5QDMXKI6JPESXNTCMESEKNUADR2 https://www.suse.com/security/cve/CVE-2019-5059.html CVE-2019-5059 https://bugzilla.suse.com/1143766 SUSE Bug 1143766 An exploitable code execution vulnerability exists in the XPM image rendering function of SDL2_image 2.0.4. A specially crafted XPM image can cause an integer overflow in the colorhash function, allocating too small of a buffer. This buffer can then be written out of bounds, resulting in a heap overflow, ultimately ending in code execution. An attacker can display a specially crafted image to trigger this vulnerability. CVE-2019-5060 SUSE Package Hub 15 SP1:libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-devel-2.0.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-64bit-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-devel-2.0.5-bp151.4.3.1 SUSE Package Hub 15:libSDL2_image-devel-64bit-2.0.5-bp151.4.3.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L64IV5QDMXKI6JPESXNTCMESEKNUADR2/#L64IV5QDMXKI6JPESXNTCMESEKNUADR2 https://www.suse.com/security/cve/CVE-2019-5060.html CVE-2019-5060 https://bugzilla.suse.com/1143768 SUSE Bug 1143768