Bug 1143766 - (CVE-2019-5059) VUL-0: CVE-2019-5059: SDL2_image: heap overflow in XPM image
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.0
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/238550/
Reported: 2019-08-01 07:46 UTC by Alexandros Toptsoglou
Modified: 2020-01-16 13:49 UTC (History)

Found By: Security Response Team
Description Alexandros Toptsoglou 2019-08-01 07:46:44 UTC
CVE-2019-5059

An exploitable code execution vulnerability exists in the XPM image rendering
functionality of SDL2_image 2.0.4. A specially crafted XPM image can cause an
integer overflow, allocating too small of a buffer. This buffer can then be
written out of bounds resulting in a heap overflow, ultimately ending in code
execution. An attacker can display a specially crafted image to trigger this
vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5059
http://www.cvedetails.com/cve/CVE-2019-5059/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5059
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0843
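The advisory text above describes the bug class (a size computation that wraps, an undersized heap allocation, then out-of-bounds writes) without showing the arithmetic. The following is an added illustration written for this page; it is not SDL2_image's code and does not claim to reproduce the exact expression Talos reported. It parses a hypothetical XPM3 "values" string, computes the pixel-buffer size the unsafe way in 32-bit arithmetic beside an overflow-checked version, and measures how far a row-by-row decoder would write past the wrapped allocation without actually corrupting memory. All function names, the MAX_PIXELS cap and the crafted header are assumptions made for the example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not SDL2_image source. Hypothetical XPM3 header handling
 * showing the bug class in the advisory: an integer overflow in the
 * buffer-size computation followed by out-of-bounds writes. */

typedef struct {
    unsigned width;     /* image width in pixels */
    unsigned height;    /* image height in pixels */
    unsigned ncolors;   /* number of colour-table entries */
    unsigned cpp;       /* characters per pixel in the pixel rows */
} xpm_header;

/* Parse the XPM3 "values" string: "<width> <height> <ncolors> <cpp>".
 * Returns 0 on success, -1 if the line is malformed. */
int parse_xpm_values(const char *line, xpm_header *h)
{
    unsigned w, ht, nc, cpp;
    if (sscanf(line, "%u %u %u %u", &w, &ht, &nc, &cpp) != 4)
        return -1;
    h->width = w; h->height = ht; h->ncolors = nc; h->cpp = cpp;
    return 0;
}

/* VULNERABLE pattern: the size of an 8-bit-indexed pixel buffer is computed
 * in 32-bit arithmetic. With width = 65536 and height = 65537 the product
 * wraps to 65536, so malloc() hands back a tiny buffer that a row-by-row
 * decoder then writes about 4 GiB past. */
uint32_t vulnerable_pixel_bytes(const xpm_header *h)
{
    return (uint32_t)h->width * (uint32_t)h->height;  /* silently wraps */
}

/* Assumed policy cap on total pixels; not a value from the advisory. */
#define MAX_PIXELS (1u << 28)

/* HARDENED pattern: check the multiplication for overflow before using it
 * and reject absurd dimensions outright. Returns 0 and sets *out on
 * success, -1 on overflow or invalid dimensions. */
int checked_pixel_bytes(const xpm_header *h, size_t *out)
{
    size_t w = h->width, ht = h->height;
    if (w == 0 || ht == 0)
        return -1;
    if (w > SIZE_MAX / ht)          /* w * ht would overflow size_t */
        return -1;
    if (w * ht > MAX_PIXELS)        /* fits, but far too big to be legitimate */
        return -1;
    *out = w * ht;
    return 0;
}

/* Bytes a decoder writing `width` bytes per row for `height` rows would land
 * past a buffer of `allocated` bytes. Computed in 64-bit and never touches
 * memory, so the overflow can be measured without corrupting the heap. */
uint64_t overflow_bytes(const xpm_header *h, size_t allocated)
{
    uint64_t needed = (uint64_t)h->width * (uint64_t)h->height;
    return needed > allocated ? needed - allocated : 0;
}

int main(void)
{
    xpm_header h;
    size_t n;

    /* Constructed malicious header, built for this example. */
    const char *crafted = "65536 65537 2 1";
    if (parse_xpm_values(crafted, &h) != 0)
        return 1;
    uint32_t bad = vulnerable_pixel_bytes(&h);
    printf("vulnerable: allocates %u bytes, decoder would write %llu bytes past it\n",
           bad, (unsigned long long)overflow_bytes(&h, bad));
    if (checked_pixel_bytes(&h, &n) != 0)
        printf("hardened: crafted header rejected\n");

    /* Constructed benign header: 48x32, 16 colours, 1 char per pixel. */
    if (parse_xpm_values("48 32 16 1", &h) == 0 && checked_pixel_bytes(&h, &n) == 0)
        printf("hardened: benign image needs %zu bytes\n", n);
    return 0;
}
```

The `SIZE_MAX / ht` test is the portable form of the check; on GCC/Clang `__builtin_mul_overflow` does the same job, and SDL 2.0.9 and later ship `SDL_size_mul_overflow` for the same purpose. The cap matters as well: a product that fits in `size_t` can still be large enough to exhaust memory or to defeat later per-row length checks, so a decoder should refuse dimensions no real image would have before allocating anything.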
Comment 1 Swamp Workflow Management 2019-08-23 11:00:32 UTC
This is an autogenerated message for OBS integration:
This bug (1143766) was mentioned in
https://build.opensuse.org/request/show/725541 15.0 / SDL2_image
https://build.opensuse.org/request/show/725542 15.1 / SDL2_image
Comment 2 Swamp Workflow Management 2019-08-23 14:20:21 UTC
This is an autogenerated message for OBS integration:
This bug (1143766) was mentioned in
https://build.opensuse.org/request/show/725587 15.0 / SDL_image
https://build.opensuse.org/request/show/725588 15.1 / SDL_image
Comment 3 Swamp Workflow Management 2019-08-23 15:50:35 UTC
This is an autogenerated message for OBS integration:
This bug (1143766) was mentioned in
https://build.opensuse.org/request/show/725636 Factory / SDL2_image
https://build.opensuse.org/request/show/725637 15.0 / SDL2_image
https://build.opensuse.org/request/show/725638 15.1 / SDL2_image
Comment 4 Swamp Workflow Management 2019-09-05 13:14:15 UTC
openSUSE-SU-2019:2070-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1135787,1135789,1135796,1135806,1136101,1140419,1140421,1141844,1143763,1143764,1143766,1143768
CVE References: CVE-2019-12217,CVE-2019-12218,CVE-2019-12220,CVE-2019-12221,CVE-2019-12222,CVE-2019-13616,CVE-2019-5051,CVE-2019-5052,CVE-2019-5057,CVE-2019-5058,CVE-2019-5059,CVE-2019-5060
Sources used:
openSUSE Leap 15.1 (src):    SDL2_image-2.0.5-lp151.2.5.1
openSUSE Leap 15.0 (src):    SDL2_image-2.0.5-lp150.9.1
Comment 5 Swamp Workflow Management 2019-09-05 13:19:25 UTC
openSUSE-SU-2019:2071-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1124827,1140421,1141844,1143763,1143764,1143766,1143768
CVE References: CVE-2019-13616,CVE-2019-5052,CVE-2019-5057,CVE-2019-5058,CVE-2019-5059,CVE-2019-5060,CVE-2019-7635
Sources used:
openSUSE Leap 15.1 (src):    SDL_image-1.2.12+hg695-lp151.3.3.1
openSUSE Leap 15.0 (src):    SDL_image-1.2.12+hg695-lp150.2.3.1
Comment 6 Swamp Workflow Management 2019-09-10 19:13:28 UTC
openSUSE-SU-2019:2108-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1135787,1135789,1135796,1135806,1136101,1140419,1140421,1141844,1143763,1143764,1143766,1143768
CVE References: CVE-2019-12217,CVE-2019-12218,CVE-2019-12220,CVE-2019-12221,CVE-2019-12222,CVE-2019-13616,CVE-2019-5051,CVE-2019-5052,CVE-2019-5057,CVE-2019-5058,CVE-2019-5059,CVE-2019-5060
Sources used:
openSUSE Backports SLE-15-SP1 (src):    SDL2_image-2.0.5-bp151.4.3.1
openSUSE Backports SLE-15 (src):    SDL2_image-2.0.5-bp150.3.6.1
Comment 7 Swamp Workflow Management 2019-09-10 19:15:47 UTC
openSUSE-SU-2019:2109-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1124827,1140421,1141844,1143763,1143764,1143766,1143768
CVE References: CVE-2019-13616,CVE-2019-5052,CVE-2019-5057,CVE-2019-5058,CVE-2019-5059,CVE-2019-5060,CVE-2019-7635
Sources used:
openSUSE Backports SLE-15-SP1 (src):    SDL_image-1.2.12+hg695-bp151.4.3.1
openSUSE Backports SLE-15 (src):    SDL_image-1.2.12+hg695-bp150.3.3.1
Comment 8 Alexandros Toptsoglou 2020-01-16 13:49:15 UTC
All done. Closing.