Bug#1010671: libsdl2-ttf-dev: CVE-2022-27470 - Arbitrary memory overwrite loading glyphs and rendering text

Simon McVittie smcv at debian.org
Mon May 9 12:59:42 BST 2022


On Fri, 06 May 2022 at 15:25:00 +0100, Neil Williams wrote:
> CVE-2022-27470[0]:
> | SDL_ttf v2.0.18 and below was discovered to contain an arbitrary
> | memory write via the function TTF_RenderText_Solid(). This
> | vulnerability is triggered via a crafted TTF file.

Does the security team intend to do a DSA for this, or is it
considered to be stable-point-release material?

If I'm understanding the issue correctly, it's only a problem if a user
of SDL_ttf is using an untrusted TTF font file, which is a relatively
unusual thing to do: normally games either rely on system fonts, or bundle
a font in the game data, both of which are trusted (if only because anyone
in a position to insert a crafted font file could equally well insert
malicious code).

    smcv


