Bug 1062777 - (CVE-2017-2887) VUL-0: CVE-2017-2887: SDL_image: Incorrect XCF property handling
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/193156/
Whiteboard: CVSSv2:SUSE:CVE-2017-2887:7.2:(AV:L/A...
Depends on:
Blocks:
Reported: 2017-10-11 12:08 UTC by Alexander Bergmann
Modified: 2020-11-10 21:21 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Alexander Bergmann 2017-10-11 12:08:06 UTC
rh#1500450

An exploitable buffer overflow vulnerability exists in the XCF property handling functionality of SDL_image 2.0.1. A specially crafted xcf file can cause a stack-based buffer overflow resulting in potential code execution. An attacker can provide a specially crafted XCF file to trigger this vulnerability.

https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0394

rh#1500623

An exploitable integer overflow vulnerability exists when creating a new RGB Surface in SDL 2.0.5. A specially crafted file can cause an integer overflow resulting in too little memory being allocated which can lead to a buffer overflow and potential code execution. An attacker can provide a specially crafted image file to trigger this vulnerability.

https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0395

Upstream fix:
http://hg.libsdl.org/SDL/rev/7e0f1498ddb5


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1500623
https://bugzilla.redhat.com/show_bug.cgi?id=1500450
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2888
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2887
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2888
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2887
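The advisory above gives no code for the XCF defect, only that property data from a crafted file overruns a stack buffer. As an added illustration (not SDL_image's code and not a reconstruction of the upstream patch), this shows the general shape of that bug class, a length-prefixed XCF-style property read into a fixed-size buffer, together with the two bounds checks that prevent the overflow; the record layout, property type values and sample streams are assumed or constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Assumed, illustrative XCF-style property record (not SDL_image's own
 * definitions): big-endian u32 type, big-endian u32 payload length, payload. */
#define PROP_END       0u
#define PROP_OPACITY   6u   /* constructed "known" property type */
#define PROP_DATA_MAX 16u   /* fixed-size destination, e.g. a stack buffer */
typedef struct { uint32_t type, length; unsigned char data[PROP_DATA_MAX]; } xcf_prop;

static int read_be32(const unsigned char *buf, size_t len, size_t *pos, uint32_t *out) {
    if (len - *pos < 4) return 0;            /* truncated header */
    *out = ((uint32_t)buf[*pos] << 24) | ((uint32_t)buf[*pos + 1] << 16) |
           ((uint32_t)buf[*pos + 2] << 8) | (uint32_t)buf[*pos + 3];
    *pos += 4;
    return 1;
}

/* Returns 1 if one record was consumed safely, 0 if malformed. The two bounds
 * checks are the hardening: the untrusted length must fit both the remaining
 * input and the fixed destination before any byte is copied. */
int read_property_checked(const unsigned char *buf, size_t len, size_t *pos, xcf_prop *prop) {
    if (!read_be32(buf, len, pos, &prop->type) || !read_be32(buf, len, pos, &prop->length))
        return 0;
    if (prop->length > len - *pos) return 0;            /* payload past end of file */
    if (prop->type == PROP_OPACITY) {
        if (prop->length > PROP_DATA_MAX) return 0;     /* would overflow prop->data */
        memcpy(prop->data, buf + *pos, prop->length);
    }                                                   /* unknown types: skip, never copy */
    *pos += prop->length;
    return 1;
}

/* Walks a property list; returns how many records were accepted before PROP_END
 * or the first malformed record. */
int count_valid_properties(const unsigned char *buf, size_t len) {
    size_t pos = 0; int n = 0; xcf_prop p;
    while (read_property_checked(buf, len, &pos, &p) && p.type != PROP_END) n++;
    return n;
}

/* Constructed sample streams (not taken from any real file). */
const unsigned char XCF_GOOD[] = {
    0,0,0,6, 0,0,0,4, 0,0,0,255,          /* opacity, 4-byte payload */
    0,0,0,99, 0,0,0,2, 0xAA,0xBB,         /* unknown type: skipped */
    0,0,0,0, 0,0,0,0 };                   /* PROP_END */
const unsigned char XCF_OVERSIZED[] = {   /* opacity claiming 20 bytes > PROP_DATA_MAX */
    0,0,0,6, 0,0,0,20, 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 };
const unsigned char XCF_TRUNCATED[] = {   /* opacity claiming 4 GiB of payload */
    0,0,0,6, 0xFF,0xFF,0xFF,0xFF, 1,2,3,4 };
```

Without the `PROP_DATA_MAX` check the oversized stream would write 20 bytes into a 16-byte buffer; without the remaining-input check the truncated stream would read far past the end of the file.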
Comment 1 Alexander Bergmann 2017-10-11 13:57:48 UTC
This bug covers only SDL_image with CVE-2017-2887.

CVE-2017-2888 is addressed in bsc#1062784.
Comment 2 Alexander Bergmann 2017-10-11 14:00:05 UTC
Upstream fix:
http://hg.libsdl.org/SDL_image/rev/318484db0705
Comment 3 Swamp Workflow Management 2018-02-09 18:10:10 UTC
This is an autogenerated message for OBS integration:
This bug (1062777) was mentioned in
https://build.opensuse.org/request/show/574778 42.3 / SDL2_image
Comment 4 Andreas Stieger 2018-02-13 20:49:27 UTC
Version bump fails to build in target, please check:
https://build.opensuse.org/package/live_build_log/openSUSE:Maintenance:7792/SDL2_image.openSUSE_Leap_42.3_Update/openSUSE_Leap_42.3_Update/x86_64

[   84s] ./.libs/libSDL2_image.so: undefined reference to `SDL_LoadFile_RW'
[   84s] collect2: error: ld returned 1 exit status

Function appears to be new in SDL 2.0.6.
Comment 5 Swamp Workflow Management 2018-02-14 11:30:05 UTC
This is an autogenerated message for OBS integration:
This bug (1062777) was mentioned in
https://build.opensuse.org/request/show/576491 42.3 / SDL2_image
Comment 7 Swamp Workflow Management 2018-02-15 23:40:07 UTC
This is an autogenerated message for OBS integration:
This bug (1062777) was mentioned in
https://build.opensuse.org/request/show/577116 42.3 / SDL2_image+SDL_image
Comment 8 Swamp Workflow Management 2018-02-20 17:11:30 UTC
openSUSE-SU-2018:0490-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1062777
CVE References: CVE-2017-2887
Sources used:
openSUSE Leap 42.3 (src):    SDL2_image-2.0.0-13.7.1, SDL_image-1.2.12-16.3.1
Comment 9 Marcus Meissner 2018-02-21 06:34:41 UTC
ignoring sle11, released