Bugzilla – Bug 1062784
VUL-0: CVE-2017-2888: SDL: Incorrect XCF property handling
Last modified: 2019-03-18 17:35:45 UTC
+++ This bug was initially created as a clone of Bug #1062777 +++

This bug covers only CVE-2017-2888 that affects SDL.

rh#1500623

An exploitable integer overflow vulnerability exists when creating a new RGB Surface in SDL 2.0.5. A specially crafted file can cause an integer overflow resulting in too little memory being allocated which can lead to a buffer overflow and potential code execution. An attacker can provide a specially crafted image file to trigger this vulnerability.

https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0395

Upstream fix:
http://hg.libsdl.org/SDL/rev/7e0f1498ddb5

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1500623
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2888
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2888
Fix submitted for
Factory (devel project) - https://build.opensuse.org/request/show/535102
leap 42.3 - https://build.opensuse.org/request/show/535101
openSUSE:Backports:SLE-12 - https://build.opensuse.org/request/show/535100

SLE15 will auto submit from Factory and SLE12 does not have SDL2.
(In reply to Alexander Bergmann from comment #0)
>
> Upstream fix:
> http://hg.libsdl.org/SDL/rev/7e0f1498ddb5

Just for reference - the above fix is outdated. The submitted fix is backported from a newer upstream fix - https://hg.libsdl.org/SDL/rev/81a4950907a0
Please include openSUSE Leap 42.2 in your submission.
Please mention the bnc# numbers in the .changes files.
Could I get some clarification here?

(In reply to Marcus Meissner from comment #4)
> Please mention the bnc# numbers in the .changes files

I already had "-bnc1062784-" as part of the .changes file. I added "bnc#1062784". The "bnc#" vs "bnc" is needed for automated script checking?

(In reply to Andreas Stieger from comment #3)
> Please include openSUSE Leap 42.2 in your submission.

To add that submission I did a "osc mbranch SDL2". However, the leap42.2 package that was created already had my submission included in it even though, as you noted, I did not submit to 42.2 earlier. Looking at the package log, it indicates it automatically fetched updates from openSUSE:Maintenance:7397?

In a maintenance submission I did a few months ago I did an "mbranch foo" and then one submission at the project level for the several sub packages. I was asked to create separate submissions. I did that for this submission - however, looking at the history, it looks like my separate submissions were combined into one submission. 535100 was superseded (not by me) and combined into 535101.

In the future should I do separate submissions or one joint one?
submitted for
leap 42.2 - https://build.opensuse.org/request/show/535536
leap 42.3 - https://build.opensuse.org/request/show/535535
openSUSE:Backports:SLE-12 - https://build.opensuse.org/request/show/535534
submit requests were accepted so moving to security team.
openSUSE-SU-2017:2893-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1062784
CVE References: CVE-2017-2888
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src): SDL2-2.0.5-7.1

openSUSE-SU-2017:2895-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1062784
CVE References: CVE-2017-2888
Sources used:
openSUSE Leap 42.3 (src): SDL2-2.0.3-14.1
openSUSE Leap 42.2 (src): SDL2-2.0.3-9.5.1
closing