Bug#878266: libsdl2-image: CVE-2017-2887: Incorrect XCF property handling
Salvatore Bonaccorso
carnil at debian.org
Wed Oct 11 21:22:10 UTC 2017
Source: libsdl2-image
Version: 2.0.1+dfsg-1
Severity: grave
Tags: patch security upstream
Control: clone -1 -2
Control: reassign -2 src:sdl-image1.2
Control: found -2 1.2.12-1
Control: retitle -2 sdl-image1.2: CVE-2017-2887: Incorrect XCF property handling
Hi,
the following vulnerability was published for libsdl2-image.
CVE-2017-2887[0]:
| An exploitable buffer overflow vulnerability exists in the XCF
| property handling functionality of SDL_image 2.0.1. A specially
| crafted xcf file can cause a stack-based buffer overflow resulting in
| potential code execution. An attacker can provide a specially crafted
| XCF file to trigger this vulnerability.
The same is found in sdl-image1.2 afaics, but please double check. I'm
cloning this bug for the second source package.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-2887
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2887
[1] https://hg.libsdl.org/SDL_image/rev/318484db0705
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Pkg-sdl-maintainers
mailing list