Researchers at Cisco’s Talos security intelligence and research group have discovered two high-severity remote code execution vulnerabilities in Simple DirectMedia Layer (SDL), a popular cross-platform development library.
SDL provides low-level access to audio, mouse, keyboard, joystick and graphics hardware, making it ideal for developing games, emulators and video playback software. The library has been used to develop hundreds of games, including titles from Valve, as well as the VLC media player.
Cisco Talos researcher Yves Younan discovered that SDL is affected by memory corruption vulnerabilities that can be exploited remotely to execute arbitrary code on the host by using specially crafted files that the library would process.
The attack scenarios described by Talos in its advisories involve XCF files designed to trigger the vulnerabilities. XCF is the native image format of the popular image-editing tool GIMP.
One of the flaws is an integer overflow (CVE-2017-2888) that can be triggered when creating a new RGB surface via a call to the “CreateRGBSurface” function.
“A sufficiently large width and height value passed to this function could cause a multiplication operation to overflow, thus resulting in too little memory being allocated. Subsequent writes would then be out-of-bounds,” Cisco said in its advisory.
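The pattern Cisco describes, a width times height times bytes-per-pixel product wrapping in 32-bit arithmetic so the buffer is allocated too small, is shown here beside an overflow-checked computation that refuses such dimensions. This is an added illustration, not SDL's code; the function names and the 1 GiB allocation ceiling are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

/* Unchecked size computation of the kind the advisory describes:
 * both multiplications happen in 32-bit unsigned arithmetic and can
 * wrap, so a huge crafted width/height yields a tiny byte count and
 * later pixel writes run past the allocation. Illustrative only. */
static uint32_t unchecked_surface_size(uint32_t width, uint32_t height,
                                       uint32_t bytes_per_pixel)
{
    uint32_t pitch = width * bytes_per_pixel;   /* may wrap */
    return pitch * height;                      /* may wrap again */
}

/* Checked version: each multiplication is validated against an upper
 * bound before it is performed, so the result can never be smaller
 * than the pixel data the header implies. Returns 0 on any overflow
 * or zero-sized dimension, otherwise the exact byte count. */
static size_t checked_surface_size(uint32_t width, uint32_t height,
                                   uint32_t bytes_per_pixel)
{
    const size_t limit = (size_t)1 << 30;  /* assumed 1 GiB ceiling */
    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return 0;
    if ((size_t)width > limit / bytes_per_pixel)
        return 0;                               /* pitch would overflow */
    size_t pitch = (size_t)width * bytes_per_pixel;
    if (pitch > limit / height)
        return 0;                               /* total would overflow */
    return pitch * height;
}

/* Allocates the pixel buffer only when the size is sound; a NULL
 * result for a header with absurd dimensions is the safe outcome. */
static void *alloc_surface_pixels(uint32_t width, uint32_t height,
                                  uint32_t bytes_per_pixel)
{
    size_t size = checked_surface_size(width, height, bytes_per_pixel);
    if (size == 0)
        return NULL;
    return calloc(1, size);
}
```

With width 0x40000000 and 4 bytes per pixel the unchecked pitch wraps to zero, so a 4-row image requests a zero-byte buffer, while the checked routine rejects the same header.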
The second vulnerability is a buffer overflow (CVE-2017-2887) that exists in the XCF property handling functionality of the SDL_image image file loading library.
“This vulnerability manifests due to insufficient validation of data read from a file and subsequent use of the data. In this case, the `id` and `length` attributes read from an XCF image file are used without validation, potentially resulting in a stack-based buffer overflow,” Cisco said.
The vulnerabilities affect SDL 2.0.5 and SDL_image 2.0.1. Cisco said the flaws were patched with the release of SDL 2.0.6, but the release notes for this version don’t mention any security fixes.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.