Marcin “Icewall” Noga of Cisco Talos discovered these vulnerabilities.

Simple DirectMedia Layer contains two vulnerabilities that could allow an attacker to execute code on a victim's machine. Both bugs are in the SDL2_image library, which loads images in a variety of formats, and both sit in the function responsible for loading PCX files. In both cases, a specially crafted PCX file can trigger a heap buffer overflow and lead to code execution in the context of the application that loaded the image.

In accordance with our coordinated disclosure policy, Cisco Talos worked with SDL to ensure that these issues are resolved and that an update is available for affected customers. (UPDATE: SDL released an additional update that fixes four additional vulnerabilities, which are detailed below.)

Vulnerability details

Simple DirectMedia Layer SDL2_image IMG_LoadPCX_RW code execution vulnerability (TALOS-2019-0820/CVE-2019-5051)

An exploitable heap-based buffer overflow vulnerability exists when loading a PCX file in SDL2_image, version 2.0.4. A missing error handler can lead to a buffer overflow and potential code execution. An attacker can provide a specially crafted image file to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Simple DirectMedia Layer SDL2_image IMG_LoadPCX_RW signed comparison code execution vulnerability (TALOS-2019-0821/CVE-2019-5052)

An exploitable integer overflow vulnerability exists when loading a PCX file in SDL2_image 2.0.4. A specially crafted file can cause an integer overflow, resulting in too little memory being allocated for the pixel data; subsequent writes into that undersized allocation can lead to a buffer overflow and potential code execution. An attacker can provide a specially crafted image file to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

SDL_image XPM image colorhash parsing code execution vulnerability (TALOS-2019-0844/CVE-2019-5060)

An exploitable code execution vulnerability exists in the XPM image rendering function of SDL2_image 2.0.4. A specially crafted XPM image can cause an integer overflow in the colorhash function, allocating a buffer that is too small. This buffer can then be written out of bounds, resulting in a heap overflow and ultimately code execution. An attacker can display a specially crafted image to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

SDL_image XCF image code execution vulnerability (TALOS-2019-0842/CVE-2019-5058)

An exploitable code execution vulnerability exists in the XCF image rendering functionality of SDL2_image 2.0.4. A specially crafted XCF image can cause a heap overflow, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

SDL_image XPM image color code code execution vulnerability (TALOS-2019-0843/CVE-2019-5059)

An exploitable code execution vulnerability exists in the XPM image rendering functionality of SDL2_image 2.0.4. A specially crafted XPM image can cause an integer overflow, allocating a buffer that is too small. This buffer can then be written out of bounds, resulting in a heap overflow and ultimately code execution. An attacker can display a specially crafted image to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

SDL_image PCX image code execution vulnerability (TALOS-2019-0841/CVE-2019-5057)

An exploitable code execution vulnerability exists in the PCX image-rendering functionality of SDL2_image 2.0.4. A specially crafted PCX image can cause a heap overflow, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.
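The PCX and XPM advisories above share two root-cause patterns: a buffer sized from attacker-controlled header fields with signed or wrapping arithmetic (TALOS-2019-0821, -0843, -0844), and a decoder that keeps writing without checking that a read succeeded or that a run still fits (TALOS-2019-0820, -0841). The following C example is an added illustration of those patterns and is not SDL2_image's code: the `pcx_hdr` struct, the `MAX_DIM` and `MAX_IMAGE_BYTES` caps, and the simplified PCX-style RLE decoder are all hypothetical, and the header values fed to it are constructed. It shows a sizing routine that wraps or lets a negative dimension through next to a hardened one, and a decoder that treats truncated input and over-long runs as errors instead of continuing to write.

```c
/* Added example: sizing and filling a pixel buffer from an untrusted
 * PCX-style header. Hypothetical, simplified code, not SDL2_image. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DIM         65536u               /* hypothetical cap on width/height */
#define MAX_IMAGE_BYTES (256u * 1024 * 1024) /* hypothetical cap on pixel buffer */

struct pcx_hdr {            /* subset of PCX header fields, constructed */
    uint16_t xmin, ymin, xmax, ymax;
    uint8_t  planes;
    uint16_t bytes_per_line;
};

/* Vulnerable sizing: dimensions in int, a signed upper-bound check that a
 * negative (inverted) extent slips past, and a 32-bit product that wraps.
 * Returns -1 on rejection, else the size the code would pass to malloc. */
long long vulnerable_size_of(uint16_t xmin, uint16_t ymin, uint16_t xmax,
                             uint16_t ymax, uint8_t planes, uint16_t bpl) {
    int width  = (int)xmax - (int)xmin + 1;
    int height = (int)ymax - (int)ymin + 1;
    if (width > (int)MAX_DIM || height > (int)MAX_DIM)
        return -1;                      /* negative width/height passes here */
    uint32_t size = (uint32_t)bpl * planes * (uint32_t)height; /* may wrap */
    return (long long)size;
}

/* Hardened sizing: reject inverted extents and zero fields, compute in
 * size_t, and bound each product before trusting it. */
long long hardened_size_of(uint16_t xmin, uint16_t ymin, uint16_t xmax,
                           uint16_t ymax, uint8_t planes, uint16_t bpl) {
    if (xmax < xmin || ymax < ymin || planes == 0 || bpl == 0) return -1;
    size_t width  = (size_t)xmax - xmin + 1;
    size_t height = (size_t)ymax - ymin + 1;
    if (width > MAX_DIM || height > MAX_DIM) return -1;
    size_t pitch = (size_t)bpl * planes;          /* fits: 16-bit * 8-bit */
    if (pitch > MAX_IMAGE_BYTES / height) return -1; /* product would exceed cap */
    return (long long)(pitch * height);
}

/* In-memory byte reader; returns -1 at end of data instead of a byte. */
struct reader { const uint8_t *p; size_t len, pos; };

static int rd_byte(struct reader *r) {
    return r->pos < r->len ? r->p[r->pos++] : -1;
}

/* PCX-style RLE: a byte with its top two bits set carries a run count in the
 * low six bits and is followed by the value to repeat; any other byte is a
 * literal. The hardened decoder fails on truncated input (the "missing error
 * handler" case) and on a run that would write past the end of dst. */
int decode_rle_hardened(struct reader *r, uint8_t *dst, size_t dst_len) {
    size_t out = 0;
    while (out < dst_len) {
        int b = rd_byte(r);
        if (b < 0) return -1;               /* truncated: stop, do not guess */
        size_t run = 1;
        if ((b & 0xC0) == 0xC0) {
            run = (size_t)(b & 0x3F);
            b = rd_byte(r);
            if (b < 0) return -1;           /* run count with no value byte */
        }
        if (run > dst_len - out) return -1; /* run would overflow dst */
        memset(dst + out, b, run);
        out += run;
    }
    return 0;
}

int main(void) {
    /* Constructed header: 10x10, 1 plane, 10 bytes per line -> 100 bytes. */
    long long ok = hardened_size_of(0, 0, 9, 9, 1, 10);
    /* Constructed header whose 32-bit product wraps to 131072 bytes. */
    long long bad = vulnerable_size_of(0, 0, 0, 65535, 2, 32769);
    uint8_t px[4];
    struct reader r = { (const uint8_t[]){0xC3, 0xAA, 0x01}, 3, 0 };
    int dec = decode_rle_hardened(&r, px, sizeof px);
    return (ok == 100 && bad == 131072 && dec == 0) ? 0 : 1;
}
```

The wrapping header is the interesting one: 65536 rows of 32769 bytes across two planes need just over 4 GiB, but the 32-bit product comes out as 131072, so a decoder trusting that size would allocate 128 KiB and then write rows well past it. The hardened version rejects it at the `MAX_IMAGE_BYTES` cap, and rejects the inverted-extent header outright rather than letting a negative dimension pass a signed `>` check.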

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that Simple DirectMedia Layer SDL2_image, version 2.0.4 is affected by these vulnerabilities.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 46143 - 46146, 50035, 50036, 50265, 50266, 50269, 50270, 50273, 50274