Buffer overflow in sdl2_image (Alpine package)



| Updated: 2023-03-07
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2019-12221
CWE-ID CWE-119
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
 sdl2_image (Alpine package)
Operating systems & Components / Operating system package or component

Vendor Alpine Linux Development Team

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Buffer overflow

EUVDB-ID: #VU19294

Risk: Low

CVSSv4.0: 1.8 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2019-12221

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to crash the application.

The vulnerability exists due to a boundary error when processing images in the SDL_free_REAL() function at stdlib/SDL_malloc.c. A remote attacker can create a specially crafted image, trick the victim into opening it, trigger memory corruption and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

sdl2_image (Alpine package): 2.0.2-r1 - 2.0.4-r0

CPE2.3 External links

https://git.alpinelinux.org/aports/commit/?id=f39cc4a76fb62bedd5c496cbc5e5893066fc79e6
https://git.alpinelinux.org/aports/commit/?id=55de9cfbb9d142a1a279c1ca0e6f81b533b56051
https://git.alpinelinux.org/aports/commit/?id=9f6b061f48c397e4e666fcf6f75fabe92b6033d2


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.



###SIDEBAR###