-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2738
                [DLA 1861-1] libsdl2-image security update
                               23 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libsdl2-image
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-12222 CVE-2019-12221 CVE-2019-12220
                   CVE-2019-12219 CVE-2019-12218 CVE-2019-12217
                   CVE-2019-12216 CVE-2019-7635 CVE-2019-5052
                   CVE-2018-3977  

Reference:         ESB-2019.2471

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2019/07/msg00021.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : libsdl2-image
Version        : 2.0.0+dfsg-3+deb8u2
CVE ID         : CVE-2018-3977 CVE-2019-5052 CVE-2019-7635 CVE-2019-12216 
                 CVE-2019-12217 CVE-2019-12218 CVE-2019-12219 CVE-2019-12220 
                 CVE-2019-12221 CVE-2019-12222
Debian Bug     : 932754, 932755


The following issues have been found in libsdl2-image, the image file loading
library for SDL2. All of them are triggered by parsing a crafted image file.

CVE-2018-3977

    Heap buffer overflow in IMG_xcf.c. This vulnerability might be leveraged by
    remote attackers to cause remote code execution or denial of service via a
    crafted XCF file.

CVE-2019-5052

    Integer overflow and subsequent buffer overflow in IMG_pcx.c. This
    vulnerability might be leveraged by remote attackers to cause remote code
    execution or denial of service via a crafted PCX file.

CVE-2019-7635

    Heap buffer overflow affecting Blit1to4, in IMG_bmp.c. This vulnerability
    might be leveraged by remote attackers to cause denial of service or any
    other unspecified impact via a crafted BMP file.

CVE-2019-12216,
CVE-2019-12217,
CVE-2019-12218,
CVE-2019-12219,
CVE-2019-12220,
CVE-2019-12221,
CVE-2019-12222

    Multiple out-of-bounds read and write accesses affecting IMG_LoadPCX_RW, in
    IMG_pcx.c. These vulnerabilities might be leveraged by remote attackers to
    cause denial of service or any other unspecified impact via a crafted PCX
    file.

For Debian 8 "Jessie", these problems have been fixed in version
2.0.0+dfsg-3+deb8u2.

We recommend that you upgrade your libsdl2-image packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----