SB2019032819 - Gentoo update for SDL2_Image
Published: March 28, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 11 vulnerabilities.
1) Heap-based buffer overflow (CVE-ID: CVE-2017-12122)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists in the ILBM image rendering functionality due to heap-based buffer overflow. A remote attacker can send a specially crafted image, trick the victim into opening it and execute arbitrary code.
2) Stack-based buffer overflow (CVE-ID: CVE-2017-14440)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists in the ILBM image rendering functionality due to stack-based buffer overflow. A remote attacker can send a specially crafted image, trick the victim into opening it and execute arbitrary code.
3) Integer overflow (CVE-ID: CVE-2017-14441)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists in the ICO image rendering functionality due to integer overflow. A remote attacker can send a specially crafted image, trick the victim into opening it and execute arbitrary code.
4) Stack-based buffer overflow (CVE-ID: CVE-2017-14442)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists in the BMP image rendering functionality due to stack-based buffer overflow. A remote attacker can send a specially crafted image, trick the victim into opening it and execute arbitrary code.
5) Heap-based buffer overflow (CVE-ID: CVE-2017-14448)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists in the XCF image rendering functionality due to heap-based buffer overflow. A remote attacker can send a specially crafted image, trick the victim into opening it and execute arbitrary code.
6) Double free (CVE-ID: CVE-2017-14449)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists in the XCF image rendering functionality due to double free. A remote attacker can send a specially crafted image, trick the victim into opening it and execute arbitrary code.
7) Buffer overflow (CVE-ID: CVE-2017-14450)
CWE-ID: CWE-120 - Buffer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists in the GIF image parsing functionality due to buffer overflow. A remote attacker can send a specially crafted image, trick the victim into opening it and execute arbitrary code.
8) Out-of-bounds read (CVE-ID: CVE-2018-3837)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists in the PCX image rendering functionality due to out-of-bounds read on the heap. A remote attacker can display a specially crafted PCX image, trick the victim into opening it and gain access to potentially sensitive information.
9) Out-of-bounds read (CVE-ID: CVE-2018-3838)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists in the XCF image rendering functionality due to out-of-bounds read on the heap. A remote attacker can display a specially crafted XCF image, trick the victim into opening it and gain access to potentially sensitive information.
10) Out-of-bounds write (CVE-ID: CVE-2018-3839)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists in the XCF image rendering functionality due to out-of-bounds write on the heap. A remote attacker can display a specially crafted XCF image, trick the victim into opening it and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
11) Heap-based buffer overflow (CVE-ID: CVE-2018-3977)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to heap-based buffer overflow in the XCF image rendering functionality. A remote unauthenticated attacker can supply a specially crafted XCF image, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install update from vendor's website.