Out-of-bounds Write Affecting sdl2_ttf package, versions <2.20.0-r0
Snyk CVSS
Attack Complexity
Low
User Interaction
Required
Confidentiality
High
Integrity
High
Availability
High
Threat Intelligence
EPSS
0.12% (46th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-ALPINE317-SDL2TTF-3143938
- published 23 Nov 2022
- disclosed 4 May 2022
Introduced: 4 May 2022
CVE-2022-27470 Open this link in a new tabHow to fix?
Upgrade Alpine:3.17 sdl2_ttf to version 2.20.0-r0 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream sdl2_ttf package and not the sdl2_ttf package as distributed by Alpine.
See How to fix? for Alpine:3.17 relevant fixed versions and status.
SDL_ttf v2.0.18 and below was discovered to contain an arbitrary memory write via the function TTF_RenderText_Solid(). This vulnerability is triggered via a crafted TTF file.
References
- https://github.com/libsdl-org/SDL_ttf/commit/db1b41ab8bde6723c24b866e466cad78c2fa0448
- https://github.com/libsdl-org/SDL_ttf/issues/187
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EAGMQMRQDTZFQW64JEW3O6HY3JYLAAHT/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XPYTEBBNHCDGPVFACC5RC5K2FZUCYTPZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RXI3MDPR24W5557G34YHWOP2MOK6BTGB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EAGMQMRQDTZFQW64JEW3O6HY3JYLAAHT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RXI3MDPR24W5557G34YHWOP2MOK6BTGB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XPYTEBBNHCDGPVFACC5RC5K2FZUCYTPZ/