Security update for SDL_image

SUSE Security Update: Security update for SDL_image
Announcement ID: SUSE-SU-2018:3657-1
Rating: moderate
References: #1084256 #1084257 #1084288 #1084303 #1084304 #1089087
Cross-References: CVE-2017-12122 CVE-2017-14440 CVE-2017-14442 CVE-2017-14448 CVE-2017-14450 CVE-2018-3839
Affected Products:
  • SUSE Linux Enterprise Software Development Kit 11-SP4
  • SUSE Linux Enterprise Debuginfo 11-SP4

An update that fixes 6 vulnerabilities is now available.

Description:

This update for SDL_image fixes the following issues:

  • CVE-2017-14442: A specially crafted BMP image could have caused a stack overflow for an attacker that can display a specially crafted image (bsc#1084304).
  • CVE-2017-14450: A specially crafted GIF image could have caused a buffer overflow on a global section for an attacker that can display an image (bsc#1084288).
  • CVE-2017-12122: An exploitable code execution vulnerability exists in the ILBM image rendering functionality. A specially crafted ILBM image can cause a heap overflow resulting in code execution. (bsc#1084256).
  • CVE-2017-14440: An exploitable code execution vulnerability exists in the ILBM image rendering functionality. A specially crafted ILBM image can cause a stack overflow resulting in code execution. (bsc#1084257).
  • CVE-2017-14448: An exploitable code execution vulnerability exists in the XCF image rendering functionality. A specially crafted XCF image can cause a heap overflow resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. (bsc#1084303).
  • CVE-2018-3839: An exploitable code execution vulnerability exists in the XCF image rendering functionality. A specially crafted XCF image can cause an out-of-bounds write on the heap, resulting in code execution. (bsc#1089087).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Software Development Kit 11-SP4:
    zypper in -t patch sdksp4-SDL_image-13859=1
  • SUSE Linux Enterprise Debuginfo 11-SP4:
    zypper in -t patch dbgsp4-SDL_image-13859=1

Package List:

  • SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64):
    • SDL_image-1.2.6-84.42.1
    • SDL_image-devel-1.2.6-84.42.1
  • SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
    • SDL_image-debuginfo-1.2.6-84.42.1
    • SDL_image-debugsource-1.2.6-84.42.1

References: