SDL2_Image: Multiple vulnerabilities — GLSA 201903-17

Multiple vulnerabilities have been found in the image loading library for Simple DirectMedia Layer, the worst of which could result in the remote execution of arbitrary code.

Affected packages

media-libs/sdl2-image on all architectures
Affected versions < 2.0.4
Unaffected versions >= 2.0.4

Background

SDL_image is an image file library that loads images as SDL surfaces, and supports various formats like BMP, GIF, JPEG, LBM, PCX, PNG, PNM, TGA, TIFF, XCF, XPM, and XV.

Description

Multiple vulnerabilities have been discovered in SDL2_Image. Please review the CVE identifiers referenced below for details.

Impact

A remote attacker, by enticing a user to process a specially crafted image file, could execute arbitrary code, cause a Denial of Service condition, or obtain sensitive information.

Workaround

There is no known workaround at this time.

Resolution

All SDL2_Image users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-libs/sdl2-image-2.0.4"
 

References

Release date
March 28, 2019

Latest revision
March 28, 2019: 1

Severity
normal

Exploitable
local, remote

Bugzilla entries