Bug#912617: libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability

Salvatore Bonaccorso carnil at debian.org
Thu Nov 1 21:47:20 GMT 2018

Source: libsdl2-image
Version: 2.0.3+dfsg1-2
Severity: grave
Tags: patch security upstream
Justification: user security hole
Control: found -1 2.0.1+dfsg-1
Control: found -1 2.0.1+dfsg-2+deb9u1
Control: clone -1 -2
Control: retitle -2 sdl-image1.2: CVE-2018-3977: do_layer_surface code execution vulnerability
Control: reassign -2 src:sdl-image1.2 1.2.12-9
Control: found -2 1.2.12-5
Control: found -2 1.2.12-5+deb9u1


The following vulnerability was published for libsdl2-image.

| An exploitable code execution vulnerability exists in the XCF image
| rendering functionality of SDL2_image-2.0.3. A specially crafted XCF
| image can cause a heap overflow, resulting in code execution. An
| attacker can display a specially crafted image to trigger this
| vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-3977
[1] https://talosintelligence.com/vulnerability_reports/TALOS-2018-0645
[2] https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8

Please adjust the affected versions in the BTS as needed.


More information about the Pkg-sdl-maintainers mailing list