Hello community,

here is the log from the commit of package SDL2_image for openSUSE:Factory 
checked in at 2019-08-28 16:02:19
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/SDL2_image (Old)
 and      /work/SRC/openSUSE:Factory/.SDL2_image.new.7948 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "SDL2_image"

Wed Aug 28 16:02:19 2019 rev:11 rq:725636 version:2.0.5

Changes:
--------
--- /work/SRC/openSUSE:Factory/SDL2_image/SDL2_image.changes    2018-11-09 
07:54:36.583698060 +0100
+++ /work/SRC/openSUSE:Factory/.SDL2_image.new.7948/SDL2_image.changes  
2019-08-28 16:02:23.462792303 +0200
@@ -1,0 +2,23 @@
+Fri Aug 23 14:04:59 UTC 2019 - Michael Gorse <[email protected]>
+
+- Add CVE-2019-13616.patch: fix heap buffer overflow when reading
+  a crafted bmp file (boo#1141844 CVE-2019-13616).
+
+-------------------------------------------------------------------
+Fri Aug 23 09:53:45 UTC 2019 - Jan Engelhardt <[email protected]>
+
+- Update to new upstream release 2.0.5
+  * Fixed TALOS-2019-0820 CVE-2019-5051
+  * Fixed TALOS-2019-0821 CVE-2019-5052
+  * Fixed TALOS-2019-0841 CVE-2019-5057 boo#1143763
+  * Fixed TALOS-2019-0842 CVE-2019-5058 boo#1143764
+  * Fixed TALOS-2019-0843 CVE-2019-5059 boo#1143766
+  * Fixed TALOS-2019-0844 CVE-2019-5060 boo#1143768
+- Not mentioned by upstream, but issues seemingly further fixed:
+  * Fixed CVE-2019-12218 boo#1135789
+  * Fixed CVE-2019-12217 boo#1135787
+  * Fixed CVE-2019-12220 boo#1135806
+  * Fixed CVE-2019-12221 boo#1135796
+  * Fixed CVE-2019-12222 boo#1136101
+
+-------------------------------------------------------------------

Old:
----
  SDL2_image-2.0.4.tar.gz

New:
----
  CVE-2019-13616.patch
  SDL2_image-2.0.5.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ SDL2_image.spec ++++++
--- /var/tmp/diff_new_pack.XhkHxs/_old  2019-08-28 16:02:25.110792055 +0200
+++ /var/tmp/diff_new_pack.XhkHxs/_new  2019-08-28 16:02:25.110792055 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package SDL2_image
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,16 +18,17 @@
 
 Name:           SDL2_image
 %define lname  libSDL2_image-2_0-0
-Version:        2.0.4
+Version:        2.0.5
 Release:        0
-Summary:        SDL2 image loading library
+Summary:        Simple DirectMedia Layer 2 image loading library
 License:        Zlib
 Group:          Development/Libraries/X11
-Url:            http://libsdl.org/projects/SDL_image/
+URL:            https://libsdl.org/projects/SDL_image/
 
 #Hg-Clone:     http://hg.libsdl.org/SDL_image/
-Source:         
http://libsdl.org/projects/SDL_image/release/%name-%version.tar.gz
+Source:         
https://libsdl.org/projects/SDL_image/release/%name-%version.tar.gz
 Source2:        baselibs.conf
+Patch1:         CVE-2019-13616.patch
 BuildRequires:  dos2unix
 BuildRequires:  libjpeg-devel
 BuildRequires:  libtiff-devel
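Review bot: The new `Patch1:` line and the switch of `Source:` to https leave transport security as the only integrity check on the upstream tarball; nothing in this hunk ties the 2.0.5 release to an upstream signature. If libsdl.org publishes a detached signature for this release (confirm before adding), declaring `Source1: https://libsdl.org/projects/SDL_image/release/%name-%version.tar.gz.sig` and `Source3: %name.keyring` (Source2 is already baselibs.conf) lets the OBS source validator verify the download rather than trusting the mirror. The patch declared here is applied by the `%autosetup -p1` change in a later hunk of this spec, so the two stay in step; the `#Hg-Clone:` comment above it still points at a plain-http URL and could be updated for consistency.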
@@ -35,7 +36,6 @@
 BuildRequires:  pkgconfig(libpng)
 BuildRequires:  pkgconfig(libwebp)
 BuildRequires:  pkgconfig(sdl2) >= 2.0.8
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
 This is a simple library to load images of various formats as SDL
@@ -43,7 +43,7 @@
 TIFF and WEBP formats.
 
 %package -n %lname
-Summary:        Simple DirectMedia Layer 2 – Image Loading Library
+Summary:        Simple DirectMedia Layer 2 image loading library
 Group:          System/Libraries
 Provides:       SDL2_image = %version-%release
 
@@ -64,7 +64,7 @@
 TIFF and WEBP formats.
 
 %prep
-%setup -q
+%autosetup -p1
 dos2unix *.txt
 rm -rf external
 
@@ -74,19 +74,18 @@
 make %{?_smp_mflags}
 
 %install
-make install DESTDIR="%buildroot"
+%make_install
 rm -f "%buildroot/%_libdir"/*.la
 
 %post   -n %lname -p /sbin/ldconfig
 %postun -n %lname -p /sbin/ldconfig
 
 %files -n %lname
-%defattr(-,root,root)
-%doc CHANGES.txt COPYING.txt README.txt
+%license COPYING.txt
 %_libdir/libSDL2_image-2*.so.*
 
 %files -n libSDL2_image-devel
-%defattr(-,root,root)
+%doc CHANGES.txt README.txt
 %_includedir/SDL2/
 %_libdir/libSDL2_image.so
 %_libdir/pkgconfig/SDL2_image.pc

++++++ CVE-2019-13616.patch ++++++
diff -r f1baffa48926 -r ba45f00879ba IMG_bmp.c
--- a/IMG_bmp.c Tue Jul 30 10:16:02 2019 -0700
+++ b/IMG_bmp.c Tue Jul 30 11:00:12 2019 -0700
@@ -351,6 +351,11 @@
             SDL_RWseek(src, (biSize - headerSize), RW_SEEK_CUR);
         }
     }
+    if (biWidth <= 0 || biHeight == 0) {
+        IMG_SetError("BMP file with bad dimensions (%dx%d)", biWidth, 
biHeight);
+        was_error = SDL_TRUE;
+        goto done;
+    }
     if (biHeight < 0) {
         topDown = SDL_TRUE;
         biHeight = -biHeight;
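Review bot: The added guard rejects a zero height and a non-positive width but not `biHeight == INT_MIN`, so the unchanged `biHeight = -biHeight;` at the end of the hunk still negates the most-negative value, which is signed overflow (undefined behaviour) if biHeight is a 32-bit signed int as the `%d` format suggests, and in practice leaves biHeight negative for the rest of the loader. Extending the check to `if (biWidth <= 0 || biHeight == 0 || biHeight == SDL_MIN_SINT32) {` closes that corner for a crafted header at no cost, assuming SDL_stdinc.h is in scope here as it is elsewhere in SDL_image. Whether very large positive dimensions are bounded later (width*height, pitch computations, surface allocation) cannot be seen from this hunk; a one-line comment above the new check stating where the upper bound is enforced, e.g. `/* sign/zero check only; size limits are enforced at allocation */`, would tell the next reader that this is not the only defence. The enclosing load function starts and ends outside the hunk.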
++++++ SDL2_image-2.0.4.tar.gz -> SDL2_image-2.0.5.tar.gz ++++++
/work/SRC/openSUSE:Factory/SDL2_image/SDL2_image-2.0.4.tar.gz 
/work/SRC/openSUSE:Factory/.SDL2_image.new.7948/SDL2_image-2.0.5.tar.gz differ: 
char 5, line 1

