Vulnerabilities > CVE-2017-2888 - Integer Overflow or Wraparound vulnerability in multiple products

CVSS 6.8 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Summary

An exploitable integer overflow vulnerability exists when creating a new RGB Surface in SDL 2.0.5. A specially crafted file can cause an integer overflow resulting in too little memory being allocated which can lead to a buffer overflow and potential code execution. An attacker can provide a specially crafted image file to trigger this vulnerability.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset, such as the size of a memory allocation or similar. The attacker would typically control the value of such a variable and try to get it out of range. For instance, if the integer in question is incremented past the maximum possible value, it may wrap to become a very small or negative number, providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

Nessus

  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-4143-1.NASL
    description: It was discovered that SDL 2.0 mishandled crafted image files resulting in an integer overflow. If a user were tricked into opening a malicious file, SDL 2.0 could be caused to crash or potentially run arbitrary code. (CVE-2017-2888) It was discovered that SDL 2.0 mishandled crafted image files. If a user were tricked into opening a malicious file, SDL 2.0 could be caused to crash or potentially run arbitrary code. (CVE-2019-7635, CVE-2019-7636, CVE-2019-7637, CVE-2019-7638). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 129489
    published: 2019-10-01
    reporter: Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129489
    title: Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : SDL 2.0 vulnerabilities (USN-4143-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-4143-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(129489);
      script_version("1.2");
      script_cvs_date("Date: 2019/12/23");
    
      script_cve_id("CVE-2017-2888", "CVE-2019-7635", "CVE-2019-7636", "CVE-2019-7637", "CVE-2019-7638");
      script_xref(name:"USN", value:"4143-1");
    
      script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : SDL 2.0 vulnerabilities (USN-4143-1)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that SDL 2.0 mishandled crafted image files
    resulting in an integer overflow. If a user were tricked into opening
    a malicious file, SDL 2.0 could be caused to crash or potentially run
    arbitrary code. (CVE-2017-2888)
    
    It was discovered that SDL 2.0 mishandled crafted image files. If a
    user were tricked into opening a malicious file, SDL 2.0 could be
    caused to crash or potentially run arbitrary code. (CVE-2019-7635,
    CVE-2019-7636, CVE-2019-7637, CVE-2019-7638).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/4143-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libsdl2-2.0-0 package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libsdl2-2.0-0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:19.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/09/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04|18\.04|19\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.04 / 19.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"libsdl2-2.0-0", pkgver:"2.0.4+dfsg1-2ubuntu2.16.04.2")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"libsdl2-2.0-0", pkgver:"2.0.8+dfsg1-1ubuntu1.18.04.4")) flag++;
    if (ubuntu_check(osver:"19.04", pkgname:"libsdl2-2.0-0", pkgver:"2.0.9+dfsg1-1ubuntu1.19.04.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libsdl2-2.0-0");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2017-1217.NASL
    description: This update for SDL2 fixes the following issues : - CVE-2017-2888: An exploitable integer overflow vulnerability exists when creating a new RGB Surface in SDL. A specially crafted file can cause an integer overflow resulting in too little memory being allocated which can lead to a buffer overflow and potential code execution. An attacker can provide a specially crafted image file to trigger this vulnerability. (bsc#1062784)
    last seen: 2020-06-05
    modified: 2017-10-30
    plugin id: 104242
    published: 2017-10-30
    reporter: This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/104242
    title: openSUSE Security Update : SDL2 (openSUSE-2017-1217)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2017-1217.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(104242);
      script_version("3.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-2888");
    
      script_name(english:"openSUSE Security Update : SDL2 (openSUSE-2017-1217)");
      script_summary(english:"Check for the openSUSE-2017-1217 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for SDL2 fixes the following issues :
    
      - CVE-2017-2888: An exploitable integer overflow
        vulnerability exists when creating a new RGB Surface in
        SDL. A specially crafted file can cause an integer
        overflow resulting in too little memory being allocated
        which can lead to a buffer overflow and potential code
        execution. An attacker can provide a specially crafted
        image file to trigger this vulnerability. (bsc#1062784)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1062784"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected SDL2 packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:SDL2-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libSDL2-2_0-0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libSDL2-2_0-0-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libSDL2-2_0-0-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libSDL2-2_0-0-debuginfo-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libSDL2-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libSDL2-devel-32bit");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/10/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/10/30");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.2|SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2 / 42.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.2", reference:"SDL2-debugsource-2.0.3-9.5.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"libSDL2-2_0-0-2.0.3-9.5.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"libSDL2-2_0-0-debuginfo-2.0.3-9.5.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"libSDL2-devel-2.0.3-9.5.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libSDL2-2_0-0-32bit-2.0.3-9.5.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libSDL2-2_0-0-debuginfo-32bit-2.0.3-9.5.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libSDL2-devel-32bit-2.0.3-9.5.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"SDL2-debugsource-2.0.3-14.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libSDL2-2_0-0-2.0.3-14.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libSDL2-2_0-0-debuginfo-2.0.3-14.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libSDL2-devel-2.0.3-14.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libSDL2-2_0-0-32bit-2.0.3-14.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libSDL2-2_0-0-debuginfo-32bit-2.0.3-14.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libSDL2-devel-32bit-2.0.3-14.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "SDL2-debugsource / libSDL2-2_0-0 / libSDL2-2_0-0-32bit / etc");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-5934ECF841.NASL
    description: Fix CVE-2017-2888 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2017-10-27
    plugin id: 104195
    published: 2017-10-27
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/104195
    title: Fedora 25 : SDL2 (2017-5934ecf841)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-5934ecf841.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(104195);
      script_version("3.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-2888");
      script_xref(name:"FEDORA", value:"2017-5934ecf841");
    
      script_name(english:"Fedora 25 : SDL2 (2017-5934ecf841)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Fix CVE-2017-2888
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-5934ecf841"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected SDL2 package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:SDL2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/10/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/10/27");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC25", reference:"SDL2-2.0.5-8.fc25")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "SDL2");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-5B132E3803.NASL
    description: - Added audio stream conversion functions : - `SDL_NewAudioStream()` - `SDL_AudioStreamPut()` - `SDL_AudioStreamGet()` - `SDL_AudioStreamAvailable()` - `SDL_AudioStreamFlush()` - `SDL_AudioStreamClear()` - `SDL_FreeAudioStream()` - Added functions to query and set the SDL memory allocation functions : - `SDL_GetMemoryFunctions()` - `SDL_SetMemoryFunctions()` - `SDL_GetNumAllocations()` - Added locking functions for multi-threaded access to the joystick and game controller APIs : - `SDL_LockJoysticks()` - `SDL_UnlockJoysticks()` - The following functions are now thread-safe : - `SDL_SetEventFilter()` - `SDL_GetEventFilter()` - `SDL_AddEventWatch()` - `SDL_DelEventWatch()` ---- Fix CVE-2017-2888 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2017-11-01
    plugin id: 104309
    published: 2017-11-01
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/104309
    title: Fedora 26 : SDL2 (2017-5b132e3803)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-5b132e3803.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(104309);
      script_version("3.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-2888");
      script_xref(name:"FEDORA", value:"2017-5b132e3803");
    
      script_name(english:"Fedora 26 : SDL2 (2017-5b132e3803)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - Added audio stream conversion functions :
    
      - `SDL_NewAudioStream()`
    
      - `SDL_AudioStreamPut()`
    
      - `SDL_AudioStreamGet()`
    
      - `SDL_AudioStreamAvailable()`
    
      - `SDL_AudioStreamFlush()`
    
      - `SDL_AudioStreamClear()`
    
      - `SDL_FreeAudioStream()`
    
      - Added functions to query and set the SDL memory
        allocation functions :
    
      - `SDL_GetMemoryFunctions()`
    
      - `SDL_SetMemoryFunctions()`
    
      - `SDL_GetNumAllocations()`
    
      - Added locking functions for multi-threaded access to the
        joystick and game controller APIs :
    
      - `SDL_LockJoysticks()`
    
      - `SDL_UnlockJoysticks()`
    
      - The following functions are now thread-safe :
    
      - `SDL_SetEventFilter()`
    
      - `SDL_GetEventFilter()`
    
      - `SDL_AddEventWatch()`
    
      - `SDL_DelEventWatch()`
    
    ----
    
    Fix CVE-2017-2888
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-5b132e3803"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected SDL2 package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:SDL2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:26");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/10/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^26([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 26", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC26", reference:"SDL2-2.0.7-1.fc26")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "SDL2");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-CE403F01CE.NASL
    description: Fix CVE-2017-2888 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2018-01-15
    plugin id: 105979
    published: 2018-01-15
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/105979
    title: Fedora 27 : SDL2 (2017-ce403f01ce)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-ce403f01ce.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(105979);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-2888");
      script_xref(name:"FEDORA", value:"2017-ce403f01ce");
    
      script_name(english:"Fedora 27 : SDL2 (2017-ce403f01ce)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Fix CVE-2017-2888
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-ce403f01ce"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected SDL2 package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:SDL2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:27");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/10/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/15");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^27([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 27", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC27", reference:"SDL2-2.0.6-4.fc27")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "SDL2");
    }
    

Seebug

bulletinFamily: exploit
description:

### Summary

An exploitable integer overflow vulnerability exists when creating a new RGB Surface in SDL 2.0.5. A specially crafted file can cause an integer overflow resulting in too little memory being allocated which can lead to a buffer overflow and potential code execution. An attacker can provide a specially crafted image file to trigger this vulnerability.

### Tested Versions

Simple DirectMedia Layer 2.0.5

### Product URLs

https://www.libsdl.org/

### CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

### CWE

CWE-190: Integer Overflow or Wraparound

### Details

SDL is a cross-platform library that is designed to provide low-level access to various hardware using OpenGL and Direct3D. The various users of the library include games, video playback software (including VLC), and emulators.

An integer overflow vulnerability exists when creating new RGB surfaces via the call to `SDL_CreateRGBSurface`. The function is defined at line 114 in src\video\SDL_surface.c:

```
113 SDL_Surface *
114 SDL_CreateRGBSurface(Uint32 flags,
115                      int width, int height, int depth,
116                      Uint32 Rmask, Uint32 Gmask, Uint32 Bmask, Uint32 Amask)
```

This function subsequently calls `SDL_CreateRGBSurfaceWithFormat()`:

```
127     SDL_CreateRGBSurfaceWithFormat(flags, width, height, depth, format);
```

This function takes the `width` and `height` arguments, as well as the `bytes_per_pixel` passed in by the file format, and uses them all to allocate memory:

```
56     surface->w = width;
57     surface->h = height;
58     surface->pitch = SDL_CalculatePitch(surface);
```

It calculates the pitch at line 58, which is essentially a multiplication of the `width` by the `bytes_per_pixel`, with alignment. Then, at line 83, it uses the pitch and the height to calculate the amount of memory that should be allocated:

```
82     if (surface->w && surface->h) {
83         surface->pixels = SDL_malloc(surface->h * surface->pitch);
```

Given that there are no checks to make sure the multiplications don't overflow, this will result in an integer overflow where too little memory might be allocated, resulting in a heap-based buffer overflow when attempting to write to this memory.

The `SDL_CreateRGBSurface` function is used for many image formats in SDL_image and can thus result in potential buffer overflows in many file formats. As an example, here we show the use of the function in the XCF format. In SDL_image, in IMG_xcf.c, the height and width are read directly from the file in the function `read_xcf_header`, defined at line 296:

```
302     h->width = SDL_ReadBE32 (src);
303     h->height = SDL_ReadBE32 (src);
```

This function is used in the function `IMG_LoadXCF_RW`, defined at line 692:

```
714     head = read_xcf_header (src);
```

Next it allocates a surface for the various layers that may exist in the file:

```
747     lays = SDL_CreateRGBSurface(SDL_SWSURFACE, head->width, head->height, 32,
748                                 0x00FF0000,0x0000FF00,0x000000FF,0xFF000000);
```

It then, for each layer in the file, reads in the layer and saves it to the surface:

```
756     for (i = offsets; i > 0; i--) {
757         SDL_Rect rs, rd;
758         SDL_RWseek (src, head->layer_file_offsets [i-1], RW_SEEK_SET);
760         layer = read_xcf_layer (src);
761         do_layer_surface (lays, src, head, layer, load_tile);
```

The function `do_layer_surface` subsequently writes to the memory allocated in the `pixels` variable in loops:

```
590     for (y=ty; y < ty+oy; y++) {
591         row = (Uint32 *)((Uint8 *)surface->pixels + y*surface->pitch + tx*4);
592         switch (hierarchy->bpp) {
593         case 4:
594             for (x=tx; x < tx+ox; x++)
595                 *row++ = Swap32 (*p++);
596             break;
```

If an attacker has selected the height and width in such a way that the multiplication causes an integer overflow, then too little memory will have been allocated and the code at line 595 will result in an out-of-bounds write, potentially resulting in code execution.

### Timeline

* 2017-10-06 - Vendor Disclosure
* 2017-10-10 - Public Release
id: SSV:96795
last seen: 2017-11-19
modified: 2017-11-06
published: 2017-11-06
reporter: Root
title: Simple DirectMedia Layer Create RGB Surface Code Execution Vulnerability (CVE-2017-2888)
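The size arithmetic the Talos write-up above walks through (pitch = width * bytes_per_pixel rounded to 4 bytes, then height * pitch, with no overflow checks) next to the bounds checks that close it, as an added illustration written for this page: it is not SDL's or SDL_image's own code or patch, the function names `unchecked_alloc_size` and `checked_alloc_size` are hypothetical, and the width/height values are constructed to stand in for the 32-bit dimensions an XCF header supplies.

```c
#include <inttypes.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mirror of the unchecked arithmetic described in the advisory: the pitch is
 * width * bytes_per_pixel rounded up to a 4-byte boundary, and the buffer size
 * is height * pitch, all done in 32-bit int with no overflow checks.  Signed
 * overflow is undefined behaviour in C, so the wrap is modelled with uint32_t
 * to make the result deterministic; the value returned is the byte count the
 * unchecked code would hand to the allocator. */
static uint32_t unchecked_alloc_size(int width, int height, int bytes_per_pixel)
{
    uint32_t pitch = (uint32_t)width * (uint32_t)bytes_per_pixel; /* may wrap */
    pitch = (pitch + 3u) & ~3u;                                   /* 4-byte align */
    return (uint32_t)height * pitch;                              /* may wrap again */
}

/* Hardened computation (illustrative, not SDL's patch): every multiply and the
 * alignment add are bounds-checked before they happen, and non-positive
 * dimensions (e.g. a header value >= 2^31 that went negative when stored in an
 * int) are rejected outright.  The total is also kept within INT_MAX, because
 * the pixel writer computes row offsets as y * surface->pitch in int arithmetic
 * (line 591 in the advisory) and a larger buffer would still let those offsets
 * wrap.  Returns true and stores the exact byte count in *out only when every
 * step is known to be safe. */
static bool checked_alloc_size(int width, int height, int bytes_per_pixel, size_t *out)
{
    if (width <= 0 || height <= 0 || bytes_per_pixel <= 0)
        return false;
    if (width > INT_MAX / bytes_per_pixel)      /* width * bpp must fit in int */
        return false;
    int pitch = width * bytes_per_pixel;
    if (pitch > INT_MAX - 3)                    /* alignment adds up to 3 bytes */
        return false;
    pitch = (pitch + 3) & ~3;
    if (height > INT_MAX / pitch)               /* height * pitch must fit in int */
        return false;
    *out = (size_t)height * (size_t)pitch;
    return true;
}

/* Convenience wrapper: 0 means the dimensions were rejected. */
static size_t checked_alloc_size_or_zero(int width, int height, int bytes_per_pixel)
{
    size_t n = 0;
    return checked_alloc_size(width, height, bytes_per_pixel, &n) ? n : 0;
}

int main(void)
{
    /* Constructed header values for a 32-bpp surface: the first two have a true
     * size far beyond 4 GiB but an unchecked size that wraps to a tiny number. */
    struct { int w, h, bpp; } dims[] = {
        { 0x40000001, 4, 4 },   /* width * 4 wraps to 4, so 4 rows = 16 bytes */
        { 0x10000, 0x4001, 4 }, /* pitch 262144; height * pitch wraps to 262144 */
        { 640, 480, 4 },        /* ordinary surface, accepted: 1228800 bytes */
    };
    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        size_t safe = checked_alloc_size_or_zero(dims[i].w, dims[i].h, dims[i].bpp);
        printf("%10d x %-6d bpp=%d  unchecked=%-10" PRIu32 " checked=",
               dims[i].w, dims[i].h, dims[i].bpp,
               unchecked_alloc_size(dims[i].w, dims[i].h, dims[i].bpp));
        if (safe)
            printf("%zu bytes\n", safe);
        else
            printf("rejected\n");
    }
    return 0;
}
```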

Talos

id: TALOS-2017-0395
last seen: 2019-05-29
published: 2017-10-10
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0395
title: Simple DirectMedia Layer Create RGB Surface Code Execution Vulnerability