Bug#912618: Fwd: Re: Bug#912617: libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability

Chris Lamb lamby at debian.org
Wed Nov 7 22:09:37 GMT 2018


(Forwarding for completeness)

----- Original message -----
From: Moritz Mühlenhoff <jmm at inutil.org>
To: Chris Lamb <lamby at debian.org>
Cc: "Manuel A. Fernandez Montecelo" <manuel.montezelo at gmail.com>, team at security.debian.org
Subject: Re: Bug#912617: libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability
Date: Wed, 7 Nov 2018 23:07:52 +0100

On Wed, Nov 07, 2018 at 05:02:39PM -0500, Chris Lamb wrote:
> Dear Moritz,
> 
> I notice you (?) dropped the related bug numbers. Was this deliberate?

Sorry, accidental. I meant to strip Salvatore as he's already getting those
mails via team at sdo and dropped the bugs by accident.

> > I don't think this warrants a DSA, IMG_LoadXCF_RW() doesn't seem to be in use
> > in the archive at all and it's hard to imagine a real world SDL application
> > parsing XCF files from untrusted sources.
> 
> ACK here. I've updated the tracker for stretch here:
> 
>   https://salsa.debian.org/security-tracker-team/security-tracker/commit/bb671421029223793d3e1e7c4e07d898a1a3aedb
> 
> (Let me know if I shouldn't ever touch stable.)

Thanks, committing changes for stable is totally fine if it's recording
existing discussions!

Cheers,
        Moritz
