PublicDateAtUSN: 2017-10-11
Candidate: CVE-2017-2888
PublicDate: 2017-10-11 18:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2888
 https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0395
 https://ubuntu.com/security/notices/USN-4143-1
Description:
 An exploitable integer overflow vulnerability exists when creating a new
 RGB Surface in SDL 2.0.5. A specially crafted file can cause an integer
 overflow resulting in too little memory being allocated which can lead to
 a buffer overflow and potential code execution. An attacker can provide a
 specially crafted image file to trigger this vulnerability.
Ubuntu-Description:
 USN-4143-1 addressed several vulnerabilities in SDL 2.0. This update
 provides the corresponding fixes for Ubuntu 14.04 ESM.
Notes:
 mdeslaur> upstream patch likely optimized away, see Red Hat bug
 mdeslaur> libsdl1.2 already has a check earlier in the function
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878264
 https://bugzilla.redhat.com/show_bug.cgi?id=1500623
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [8.8 HIGH]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [8.8 HIGH]

Patches_libsdl1.2:
upstream_libsdl1.2: needs-triage
precise/esm_libsdl1.2: not-affected (1.2.14-6.4ubuntu3.1)
trusty_libsdl1.2: not-affected (2.0.2+dfsg1-3ubuntu1.2)
trusty/esm_libsdl1.2: not-affected (2.0.2+dfsg1-3ubuntu1.2)
vivid/ubuntu-core_libsdl1.2: DNE
xenial_libsdl1.2: not-affected (2.0.4+dfsg1-2ubuntu2)
esm-infra/xenial_libsdl1.2: not-affected (2.0.4+dfsg1-2ubuntu2)
zesty_libsdl1.2: not-affected (2.0.5+dfsg1-2ubuntu3)
artful_libsdl1.2: not-affected (2.0.6+dfsg1-2ubuntu2)
bionic_libsdl1.2: not-affected (2.0.6+dfsg1-2ubuntu2)
cosmic_libsdl1.2: not-affected (2.0.6+dfsg1-2ubuntu2)
disco_libsdl1.2: not-affected (2.0.6+dfsg1-2ubuntu2)
devel_libsdl1.2: not-affected (2.0.6+dfsg1-2ubuntu2)

Patches_libsdl2:
 upstream: https://hg.libsdl.org/SDL/rev/7e0f1498ddb5
upstream_libsdl2: released (2.0.6+dfsg1-4)
precise/esm_libsdl2: DNE
trusty_libsdl2: ignored (out of standard support)
trusty/esm_libsdl2: released (2.0.2+dfsg1-3ubuntu1.3)
vivid/ubuntu-core_libsdl2: DNE
xenial_libsdl2: released (2.0.4+dfsg1-2ubuntu2.16.04.2)
zesty_libsdl2: ignored (reached end-of-life)
artful_libsdl2: ignored (reached end-of-life)
bionic_libsdl2: not-affected (2.0.8+dfsg1-1ubuntu1.18.04.1)
cosmic_libsdl2: not-affected (2.0.8+dfsg1-1ubuntu1.18.04.1)
disco_libsdl2: not-affected (2.0.8+dfsg1-1ubuntu1.18.04.1)
devel_libsdl2: not-affected (2.0.8+dfsg1-1ubuntu1.18.04.1)