openSUSE Security Update: Security update for SDL2
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2017:2893-1
Rating:             moderate
References:         #1062784
Cross-References:   CVE-2017-2888
Affected Products:
                    SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for SDL2 fixes the following issues:
- CVE-2017-2888: An exploitable integer overflow vulnerability exists when creating a new RGB Surface in SDL. A specially crafted file can cause an integer overflow resulting in too little memory being allocated which can lead to a buffer overflow and potential code execution. An attacker can provide a specially crafted image file to trigger this vulnerability. (bsc#1062784)
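The bug class described above, shown as an added example that is not SDL's source code: a 32-bit size calculation that wraps, next to a checked version that refuses oversized dimensions. The function names, the `MAX_SURFACE_BYTES` cap and the sample dimensions are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed cap for this example: total pixel bytes must fit a signed 32-bit int. */
#define MAX_SURFACE_BYTES ((uint64_t)INT32_MAX)

/* Unchecked: both multiplications wrap modulo 2^32, so the result can be
 * far smaller than the pixel data a decoder will later write. */
uint32_t surface_size_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t pitch = width * bpp;      /* bytes per row, may wrap */
    return pitch * height;             /* total bytes, may wrap again */
}

/* Checked: computes in 64 bits and rejects anything over the cap.
 * Returns 0 and stores the size on success, -1 on rejection. */
int surface_size_checked(uint32_t width, uint32_t height, uint32_t bpp,
                         size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return -1;
    uint64_t pitch = (uint64_t)width * bpp;   /* cannot overflow 64 bits */
    if (pitch > MAX_SURFACE_BYTES)
        return -1;
    uint64_t total = pitch * height;          /* < 2^31 * 2^32, fits */
    if (total > MAX_SURFACE_BYTES)
        return -1;
    *out = (size_t)total;
    return 0;
}

/* Allocate only when the validated size is known to be correct. */
void *alloc_pixels(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t size;
    if (surface_size_checked(width, height, bpp, &size) != 0)
        return NULL;
    return malloc(size);
}

int main(void)
{
    /* Constructed dimensions, as a crafted image header might declare. */
    uint32_t w = 0x40000001u, h = 1, bpp = 4;
    printf("unchecked size: %u bytes\n", (unsigned)surface_size_unchecked(w, h, bpp));
    printf("checked alloc:  %s\n", alloc_pixels(w, h, bpp) ? "allocated" : "rejected");
    return 0;
}
```

Code that loads untrusted images should apply this kind of bound before allocating, regardless of whether the patched library is installed.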
Patch Instructions:
To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
- SUSE Package Hub for SUSE Linux Enterprise 12:
zypper in -t patch openSUSE-2017-1217=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 ppc64le s390x x86_64):
      SDL2-debugsource-2.0.5-7.1
      libSDL2-2_0-0-2.0.5-7.1
      libSDL2-2_0-0-debuginfo-2.0.5-7.1
      libSDL2-devel-2.0.5-7.1
References:
   https://www.suse.com/security/cve/CVE-2017-2888.html
   https://bugzilla.suse.com/1062784