Your submission was sent successfully! Close

CVE-2017-2888

Published: 11 October 2017

An exploitable integer overflow vulnerability exists when creating a new RGB Surface in SDL 2.0.5. A specially crafted file can cause an integer overflow resulting in too little memory being allocated which can lead to a buffer overflow and potential code execution. An attacker can provide a specially crafted image file to trigger this vulnerability.

From the Ubuntu Security Team

USN-4143-1 addressed serveral vulnerabilities in SDL 2.0. This update provides the corresponding fixes for Ubuntu 14.04 ESM.

Notes

AuthorNote
mdeslaur
upstream patch likely optimized away, see Red Hat bug
libsdl1.2 already has a check earlier in the function
Priority

Medium

CVSS 3 base score: 8.8

Status

Package Release Status
libsdl1.2
Launchpad, Ubuntu, Debian
artful Not vulnerable
(2.0.6+dfsg1-2ubuntu2)
bionic Not vulnerable
(2.0.6+dfsg1-2ubuntu2)
cosmic Not vulnerable
(2.0.6+dfsg1-2ubuntu2)
disco Not vulnerable
(2.0.6+dfsg1-2ubuntu2)
precise Not vulnerable
(1.2.14-6.4ubuntu3.1)
trusty Not vulnerable
(2.0.2+dfsg1-3ubuntu1.2)
upstream Needs triage

xenial Not vulnerable
(2.0.4+dfsg1-2ubuntu2)
zesty Not vulnerable
(2.0.5+dfsg1-2ubuntu3)
libsdl2
Launchpad, Ubuntu, Debian
artful Ignored
(reached end-of-life)
bionic Not vulnerable
(2.0.8+dfsg1-1ubuntu1.18.04.1)
cosmic Not vulnerable
(2.0.8+dfsg1-1ubuntu1.18.04.1)
disco Not vulnerable
(2.0.8+dfsg1-1ubuntu1.18.04.1)
precise Does not exist

trusty
Released (2.0.2+dfsg1-3ubuntu1.3)
upstream
Released (2.0.6+dfsg1-4)
xenial
Released (2.0.4+dfsg1-2ubuntu2.16.04.2)
zesty Ignored
(reached end-of-life)
Patches:
upstream: https://hg.libsdl.org/SDL/rev/7e0f1498ddb5