An exploitable code execution vulnerability exists in the XPM image
rendering function of SDL2_image 2.0.4. A specially crafted XPM image can
cause an integer overflow in the colorhash function, allocating too small
of a buffer. This buffer can then be written out of bounds, resulting in a
heap overflow, ultimately ending in code execution. An attacker can display
a specially crafted image to trigger this vulnerability.
Upstream:released (2.0.5+dfsg1-1)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 20.04 LTS (Focal Fossa):released (2.0.5+dfsg1-1)
Ubuntu 20.10 (Groovy Gorilla):released (2.0.5+dfsg1-1)
More Information

Updated: 2020-09-09 23:29:49 UTC (commit 81a23a978c4436cd99e1d040e9e73e9146876281)