{"containers": {"cna": {"affected": [{"product": "Simple Direct Media", "vendor": "Talos", "versions": [{"status": "affected", "version": "Simple DirectMedia Layer 2.0.5"}]}], "datePublic": "2017-10-10T00:00:00", "descriptions": [{"lang": "en", "value": "An exploitable integer overflow vulnerability exists when creating a new RGB Surface in SDL 2.0.5. A specially crafted file can cause an integer overflow resulting in too little memory being allocated which can lead to a buffer overflow and potential code execution. An attacker can provide a specially crafted image file to trigger this vulnerability."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Remote code execution", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-04-19T18:24:14", "orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "shortName": "talos"}, "references": [{"name": "101215", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/101215"}, {"name": "USN-4143-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4143-1/"}, {"name": "[debian-lts-announce] 20211031 [SECURITY] [DLA 2803-1] libsdl2 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00031.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0395"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "talos-cna@cisco.com", "DATE_PUBLIC": "2017-10-10T00:00:00", "ID": "CVE-2017-2888", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Simple Direct Media", "version": {"version_data": [{"version_value": "Simple DirectMedia Layer 2.0.5"}]}}]}, "vendor_name": "Talos"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An exploitable integer overflow vulnerability exists when creating a new RGB Surface in SDL 2.0.5. A specially crafted file can cause an integer overflow resulting in too little memory being allocated which can lead to a buffer overflow and potential code execution. An attacker can provide a specially crafted image file to trigger this vulnerability."}]}, "impact": {"cvss": {"baseScore": 8.8, "baseSeverity": "High", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Remote code execution"}]}]}, "references": {"reference_data": [{"name": "101215", "refsource": "BID", "url": "http://www.securityfocus.com/bid/101215"}, {"name": "USN-4143-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4143-1/"}, {"name": "[debian-lts-announce] 20211031 [SECURITY] [DLA 2803-1] libsdl2 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00031.html"}, {"name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0395", "refsource": "MISC", "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0395"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T14:09:17.782Z"}, "title": "CVE Program Container", "references": [{"name": "101215", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/101215"}, {"name": "USN-4143-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4143-1/"}, {"name": "[debian-lts-announce] 20211031 [SECURITY] [DLA 2803-1] libsdl2 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00031.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0395"}]}]}, "cveMetadata": {"assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b", "assignerShortName": "talos", "cveId": "CVE-2017-2888", "datePublished": "2017-10-11T18:00:00Z", "dateReserved": "2016-12-01T00:00:00", "dateUpdated": "2024-09-16T20:17:03.901Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libsdl:simple_directmedia_layer:2.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "44FDC19F-F567-4730-9582-7623C64EE75D", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*", "matchCriteriaId": "CD783B0C-9246-47D9-A937-6144FE8BFF0F", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An exploitable integer overflow vulnerability exists when creating a new RGB Surface in SDL 2.0.5. A specially crafted file can cause an integer overflow resulting in too little memory being allocated which can lead to a buffer overflow and potential code execution. An attacker can provide a specially crafted image file to trigger this vulnerability."}, {"lang": "es", "value": "Existe una vulnerabilidad explotable de desbordamiento de enteros cuando se crea una nueva superficie RGB en SDL 2.0.5. Un archivo especialmente manipulado puede causar un desbordamiento de enteros en un espacio asignado demasiado peque\u00f1o, lo que puede provocar un desbordamiento de b\u00fafer y una posible ejecuci\u00f3n de c\u00f3digo. Un atacante puede enviar un archivo de imagen especialmente manipulado para desencadenar esta vulnerabilidad."}], "id": "CVE-2017-2888", "lastModified": "2022-06-07T17:39:29.677", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "talos-cna@cisco.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-10-11T18:29:05.083", "references": [{"source": "talos-cna@cisco.com", "tags": ["Broken Link"], "url": "http://www.securityfocus.com/bid/101215"}, {"source": "talos-cna@cisco.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/10/msg00031.html"}, {"source": "talos-cna@cisco.com", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4143-1/"}, {"source": "talos-cna@cisco.com", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0395"}], "sourceIdentifier": "talos-cna@cisco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "SDL: Integer overflow while creating a new RGB surface", "id": "1500623", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1500623"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-190", "details": ["An exploitable integer overflow vulnerability exists when creating a new RGB Surface in SDL 2.0.5. A specially crafted file can cause an integer overflow resulting in too little memory being allocated which can lead to a buffer overflow and potential code execution. An attacker can provide a specially crafted image file to trigger this vulnerability."], "name": "CVE-2017-2888", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "SDL", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "SDL", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "SDL", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2017-10-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-2888\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-2888\nhttps://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0395"], "statement": "This issue did not affect the versions of SDL as shipped with Red Hat Enterprise Linux 5, 6, and 7.", "threat_severity": "Important"}