Discovered by Lilith Wyatt of Cisco Talos

Overview

Talos is disclosing several vulnerabilities identified in Simple DirectMedia Layer's SDL2_Image library that could allow code execution. Simple DirectMedia Layer is a cross-platform development library designed to provide low-level access to audio, keyboard, mouse, joystick, and graphics hardware via OpenGL and Direct3D. It is used by video playback software, emulators, and popular games including Valve's award-winning catalog and many Humble Bundle games. SDL officially supports Windows, Mac OS X, Linux, iOS, and Android. Support for other platforms may be found in the source code. The SDL2_Image library is an optional component for SDL that deals specifically with parsing and displaying a variety of image file formats, creating a single, uniform API for image processing regardless of the type. The latest SDL version (2.0.8) can be found here.

TALOS-2018-0519 - Simple DirectMedia Layer SDL2_Image IMG_LoadPCX_RW Information Disclosure Vulnerability (CVE-2018-3837)

An exploitable vulnerability exists in the PCX image rendering functionality of SDL2_image-2.0.2. A specially crafted PCX image can cause an out-of-bounds read on the heap, resulting in information disclosure. An attacker can display a specially crafted image to trigger this vulnerability.

TALOS-2018-0520 - Simple DirectMedia Layer SDL2_Image load_xcf_tile_rle Information Disclosure Vulnerability (CVE-2018-3838)

Exploitable vulnerabilities exist in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds read on the heap, resulting in information disclosure. An attacker can display a specially crafted image to trigger this vulnerability.

TALOS-2018-0521 - Simple DirectMedia Layer SDL2_Image load_xcf_tile_rle bpp Code Execution Vulnerability (CVE-2018-3839)

Exploitable vulnerabilities exist in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds read on the heap, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.

Coverage

The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 45017-45018, 45599-45600, 45605-45606