openSUSE Security Update : SDL_image (openSUSE-2019-2071)

high Nessus Plugin ID 128540

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for SDL_image fixes the following issues:

Update SDL_image to new snapshot 1.2.12+hg695.

Security issues fixed:

- TALOS-2019-0821 CVE-2019-5052: exploitable integer overflow vulnerability when loading a PCX file (boo#1140421)

- TALOS-2019-0841 CVE-2019-5057: code execution vulnerability in the PCX image-rendering functionality of SDL2_image (boo#1143763)

- TALOS-2019-0842 CVE-2019-5058: heap overflow in XCF image rendering can lead to code execution (boo#1143764)

- TALOS-2019-0843 CVE-2019-5059: heap overflow in XPM image handling (boo#1143766)

- TALOS-2019-0844 CVE-2019-5060: integer overflow in the XPM image (boo#1143768)

- CVE-2019-7635: heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c (boo#1124827)

- CVE-2019-13616: fix heap buffer overflow when reading a crafted BMP file (boo#1141844)

Solution

Update the affected SDL_image packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1124827

https://bugzilla.opensuse.org/show_bug.cgi?id=1140421

https://bugzilla.opensuse.org/show_bug.cgi?id=1141844

https://bugzilla.opensuse.org/show_bug.cgi?id=1143763

https://bugzilla.opensuse.org/show_bug.cgi?id=1143764

https://bugzilla.opensuse.org/show_bug.cgi?id=1143766

https://bugzilla.opensuse.org/show_bug.cgi?id=1143768

Plugin Details

Severity: High

ID: 128540

File Name: openSUSE-2019-2071.nasl

Version: 1.3

Type: local

Agent: unix

Published: 9/6/2019

Updated: 9/23/2020

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:SDL_image-debugsource, p-cpe:/a:novell:opensuse:libSDL_image-1_2-0, p-cpe:/a:novell:opensuse:libSDL_image-1_2-0-32bit, p-cpe:/a:novell:opensuse:libSDL_image-1_2-0-32bit-debuginfo, p-cpe:/a:novell:opensuse:libSDL_image-1_2-0-debuginfo, p-cpe:/a:novell:opensuse:libSDL_image-devel, p-cpe:/a:novell:opensuse:libSDL_image-devel-32bit, cpe:/o:novell:opensuse:15.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 9/5/2019

Vulnerability Publication Date: 2/8/2019

Reference Information

CVE: CVE-2019-13616, CVE-2019-5052, CVE-2019-5057, CVE-2019-5058, CVE-2019-5059, CVE-2019-5060, CVE-2019-7635