CVE-2021-33657

Note

The POC from the SDL issue link only reproduces in versions
2.0.16 and 2.0.18 because of the following commit
https://github.com/libsdl-org/SDL/commit/fed84650
In older versions of libsdl2 and also libsdl1.2, even though
the commit above is not present, I think that there might be a
slight chance to trick the lib with a special crafted input to
cause the heap overflow, and patching will not cause any harm.

Package	Release	Status
libsdl1.2 Launchpad, Ubuntu, Debian	jammy	Needed
	lunar	Needed
	upstream	Needs triage
	focal	Needed
	bionic	Released (1.2.15+dfsg2-0.1ubuntu0.2)
	trusty	Released (1.2.15-8ubuntu1.1+esm2) Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
	xenial	Released (1.2.15+dfsg1-3ubuntu0.1+esm1) Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
	impish	Ignored (end of life)
	kinetic	Ignored (end of life, was needed)
libsdl2 Launchpad, Ubuntu, Debian	jammy	Not vulnerable (2.0.20+dfsg-2)
	kinetic	Not vulnerable (2.0.20+dfsg-2)
	lunar	Not vulnerable (2.0.20+dfsg-2)
	bionic	Needed
	focal	Needed
	xenial	Needed
	trusty	Needed
	impish	Released (2.0.14+dfsg2-3ubuntu0.1)
	upstream	Released (2.0.20)
	Patches: upstream: https://github.com/libsdl-org/SDL/commit/8c91cf7dba5193f5ce12d06db1336515851c9ee9

Parameter	Value
Base score	8.8
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Security

CVE-2021-33657

Notes

Priority

Cvss 3 Severity Score

Status

Severity score breakdown

References

Bugs

Join the discussion

Canonical is offering Expanded Security Maintenance

Further reading