Overview

Talos is disclosing several vulnerabilities identified in Simple DirectMedia Layer's SDL2_Image library that could allow code execution. Simple DirectMedia Layer is a cross-platform development library designed to provide low-level access to audio, keyboard, mouse, joystick and graphics hardware via OpenGL and Direct3D. It is used by video playback software, emulators, and popular games, including Valve's award-winning catalog, and many Humble Bundle games. SDL officially supports Windows, Mac OS X, Linux, iOS, and Android. Support for other platforms may be found in the source code. The SDL2_Image library is an optional component for SDL that deals specifically with parsing and displaying a variety of image file formats, creating a single and uniform API for image processing, regardless of the type. Simple DirectMedia Layer has released a new version of SDL2_image, 2.0.3, to address these issues, which can be downloaded here. Talos recommends installing this update as quickly as possible on affected systems.

Details

Discovered by Lilith Wyatt of Cisco Talos

TALOS-2017-0488/CVE-2017-12122 - Simple DirectMedia Layer SDL2_Image IMG_LoadLBM_RW Code Execution Vulnerability

An exploitable code execution vulnerability exists in the ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image can cause a heap overflow, resulting in code execution. An attacker who convinces the user to view a specially crafted image could exploit this vulnerability.

TALOS-2017-0489/CVE-2017-14440 - Simple DirectMedia Layer SDL2_image ILBM CMAP Parsing Code Execution Vulnerability

An exploitable code execution vulnerability exists in the ILBM image rendering functionality of SDL2_image-2.0.2. A specially crafted ILBM image can cause a stack overflow, resulting in code execution. An attacker who convinces the user to view a specially crafted image could exploit this vulnerability.

TALOS-2017-0490/CVE-2017-14441 - Simple DirectMedia Layer SDL2_image ICO Pitch Handling Code Execution Vulnerability

An exploitable code execution vulnerability exists in the ICO image rendering functionality of SDL2_image-2.0.2. A specially crafted ICO image can cause an integer overflow, cascading to a heap overflow, resulting in code execution. An attacker who convinces the user to view a specially crafted image could exploit this vulnerability.

TALOS-2017-0491/CVE-2017-14442 - Simple DirectMedia Layer SDL2_image Image Palette Population Code Execution Vulnerability

An exploitable code execution vulnerability exists in the BMP image rendering functionality of SDL2_image-2.0.2. A specially crafted BMP image can cause a stack overflow, resulting in code execution. An attacker who convinces the user to view a specially crafted image could exploit this vulnerability.

TALOS-2017-0497/CVE-2017-14448 - Simple DirectMedia Layer SDL2_image load_xcf_tile_rle Decompression Code Execution Vulnerability

An exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause a heap overflow, resulting in code execution. An attacker who convinces the user to view a specially crafted image could exploit this vulnerability.

TALOS-2017-0498/CVE-2017-14449 - Simple DirectMedia Layer SDL2_image do_layer_surface Double-Free Vulnerability

An exploitable double-free vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause a double-free condition to occur. An attacker who convinces the user to view a specially crafted image could exploit this vulnerability.

TALOS-2017-0499/CVE-2017-14450 - Simple DirectMedia Layer SDL2_Image LWZ Decompression Buffer Overflow Vulnerability

An exploitable code execution vulnerability exists in the GIF image parsing functionality of SDL2_image-2.0.2. A specially crafted GIF image can lead to a buffer overflow on a global section. An attacker who convinces the user to view a specially crafted image could exploit this vulnerability.
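The bug class described for TALOS-2017-0490 (an integer overflow in a size calculation cascading to a heap overflow) is the one image parsers most often need to guard against when sizing pixel buffers from file-supplied dimensions. The following is an added example, not SDL2_image's code and not taken from the advisory: it contrasts an unchecked 32-bit size calculation with a checked one. The `img_hdr` structure, the function names, the BMP-style 4-byte row padding and the 256 MiB cap are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical header fields as read from an untrusted image file. */
struct img_hdr {
    uint32_t width;
    uint32_t height;
    uint16_t bits_per_pixel;
};

/* Unsafe pattern: 32-bit arithmetic wraps silently, so the result can be
 * far smaller than the amount of data the decoder later writes. */
uint32_t unchecked_size(const struct img_hdr *h)
{
    uint32_t pitch = ((h->width * h->bits_per_pixel + 31u) / 32u) * 4u;
    return pitch * h->height;
}

/* Checked pattern: validate the fields, compute in 64 bits and reject
 * anything above a policy cap. Returns 0 and sets *out, or -1 to reject. */
int checked_size(const struct img_hdr *h, size_t *out)
{
    const uint64_t max_bytes = 1u << 28;   /* assumed cap: 256 MiB */
    uint16_t bpp = h->bits_per_pixel;

    if (h->width == 0 || h->height == 0)
        return -1;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 24 && bpp != 32)
        return -1;

    uint64_t row_bits = (uint64_t)h->width * bpp;    /* < 2^37, cannot wrap */
    uint64_t pitch = ((row_bits + 31u) / 32u) * 4u;  /* rows padded to 4 bytes */
    if (pitch > max_bytes || h->height > max_bytes / pitch)
        return -1;

    *out = (size_t)(pitch * h->height);
    return 0;
}

/* Allocate pixel storage only after the size has been validated. */
void *alloc_pixels(const struct img_hdr *h, size_t *size)
{
    if (checked_size(h, size) != 0)
        return NULL;
    return calloc(1, *size);
}
```

With a constructed header of 65536 x 65536 pixels at 32 bits per pixel, the unchecked calculation wraps to 0 bytes while the checked one rejects the file before any allocation.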

Coverage

The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules:

45019-45022, 45025-45026, 45033-45034, 45047-45048