Security update for SDL2_image SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:3906-1 Final 1 1 2018-11-24T17:19:59Z current 2018-11-24T17:19:59Z 2018-11-24T17:19:59Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for SDL2_image This update for SDL2_image fixes the following issues: Security issues fixed: - CVE-2018-3839: Fixed an exploitable code execution vulnerability that existed in the XCF image rendering functionality of the Simple DirectMedia Layer (bsc#1089087). - CVE-2018-3977: Fixed a possible code execution via creafted XCF image that could have caused a heap overflow (bsc#1114519). This update was imported from the openSUSE:Leap:15.0:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2018-1467 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HQVNFPNLELYLGSLFGHD2PGATNGD5RZRD/#HQVNFPNLELYLGSLFGHD2PGATNGD5RZRD E-Mail link for openSUSE-SU-2018:3906-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1089087 SUSE Bug 1089087 https://bugzilla.suse.com/1114519 SUSE Bug 1114519 https://www.suse.com/security/cve/CVE-2018-3839/ SUSE CVE CVE-2018-3839 page https://www.suse.com/security/cve/CVE-2018-3977/ SUSE CVE CVE-2018-3977 page SUSE Package Hub 15 libSDL2_image-2_0-0-2.0.4-bp150.3.3.1 libSDL2_image-2_0-0-64bit-2.0.4-bp150.3.3.1 libSDL2_image-devel-2.0.4-bp150.3.3.1 libSDL2_image-devel-64bit-2.0.4-bp150.3.3.1 libSDL2_image-2_0-0-2.0.4-bp150.3.3.1 as a component of SUSE Package Hub 15 libSDL2_image-2_0-0-64bit-2.0.4-bp150.3.3.1 as a component of SUSE Package Hub 15 libSDL2_image-devel-2.0.4-bp150.3.3.1 as a component of SUSE Package Hub 15 libSDL2_image-devel-64bit-2.0.4-bp150.3.3.1 as a component of SUSE Package Hub 15 An exploitable code execution vulnerability exists in the XCF image rendering functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. CVE-2018-3839 SUSE Package Hub 15:libSDL2_image-2_0-0-2.0.4-bp150.3.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-64bit-2.0.4-bp150.3.3.1 SUSE Package Hub 15:libSDL2_image-devel-2.0.4-bp150.3.3.1 SUSE Package Hub 15:libSDL2_image-devel-64bit-2.0.4-bp150.3.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HQVNFPNLELYLGSLFGHD2PGATNGD5RZRD/#HQVNFPNLELYLGSLFGHD2PGATNGD5RZRD https://www.suse.com/security/cve/CVE-2018-3839.html CVE-2018-3839 https://bugzilla.suse.com/1089087 SUSE Bug 1089087 An exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.3. A specially crafted XCF image can cause a heap overflow, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. CVE-2018-3977 SUSE Package Hub 15:libSDL2_image-2_0-0-2.0.4-bp150.3.3.1 SUSE Package Hub 15:libSDL2_image-2_0-0-64bit-2.0.4-bp150.3.3.1 SUSE Package Hub 15:libSDL2_image-devel-2.0.4-bp150.3.3.1 SUSE Package Hub 15:libSDL2_image-devel-64bit-2.0.4-bp150.3.3.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HQVNFPNLELYLGSLFGHD2PGATNGD5RZRD/#HQVNFPNLELYLGSLFGHD2PGATNGD5RZRD https://www.suse.com/security/cve/CVE-2018-3977.html CVE-2018-3977 https://bugzilla.suse.com/1114519 SUSE Bug 1114519