Re: Security update: sdl2-image 2.0.4
On Sat, Jan 19 2019, Thomas Frohwein wrote:

> On Sat, Jan 19, 2019 at 10:29:53AM +0100, Jeremie Courreges-Anglas wrote:
> [...]
>> - the Makefile diff doesn't apply, it seems like it has been produced
>> before the latest commit to sdl2-image/Makefile.
>
> My bad, the dir in mystuff was from an outdated checkout.
>
>> - no change in public headers and no exported symbol added/removed, says
>> check_sym, so the shared lib bump isn't needed
> [...]
>> - libsamplerate is an indirect dependency brought in by libSDL2.la. It
>> shouldn't be listed in LIB_DEPENDS.
>>
>> Not sure how useful the remaining LIB_DEPENDS change below is, but you
>> won't be able to push it to -stable since 6.4 only has sdl2-2.0.8.
>
> I added that because it released with sdl2-2.0.9 and didn't account for
> how that would prevent working with -stable. I can't find anything on a
> minimum sdl2 version for sdl2-image-2.0.4, so leaving it as is for now.
>
> New diff taking all of these points into account here below. ok?

Yup, ok jca@ (also for -stable)

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
Re: Security update: sdl2-image 2.0.4
On Sat, Jan 19, 2019 at 10:29:53AM +0100, Jeremie Courreges-Anglas wrote:
[...]
> - the Makefile diff doesn't apply, it seems like it has been produced
> before the latest commit to sdl2-image/Makefile.

My bad, the dir in mystuff was from an outdated checkout.

> - no change in public headers and no exported symbol added/removed, says
> check_sym, so the shared lib bump isn't needed
[...]
> - libsamplerate is an indirect dependency brought in by libSDL2.la. It
> shouldn't be listed in LIB_DEPENDS.
>
> Not sure how useful the remaining LIB_DEPENDS change below is, but you
> won't be able to push it to -stable since 6.4 only has sdl2-2.0.8.

I added that because it released with sdl2-2.0.9 and didn't account for
how that would prevent working with -stable. I can't find anything on a
minimum sdl2 version for sdl2-image-2.0.4, so leaving it as is for now.

New diff taking all of these points into account here below. ok?

Index: Makefile === RCS file: /cvs/ports/devel/sdl2-image/Makefile,v retrieving revision 1.10 diff -u -p -r1.10 Makefile --- Makefile6 Jan 2019 21:26:02 - 1.10 +++ Makefile19 Jan 2019 19:08:05 - @@ -1,13 +1,12 @@ # $OpenBSD: Makefile,v 1.10 2019/01/06 21:26:02 thfr Exp $ -V =2.0.3 +V =2.0.4 COMMENT = SDL2 image library DISTNAME = SDL2_image-${V} PKGNAME = sdl2-image-${V} -REVISION = 0 CATEGORIES = devel graphics -SHARED_LIBS += SDL2_image 0.1 # 0.3 +SHARED_LIBS += SDL2_image 0.1 # 0.4 HOMEPAGE = https://www.libsdl.org/projects/SDL_image/ @@ -18,7 +17,7 @@ PERMIT_PACKAGE_CDROM =Yes MASTER_SITES = https://www.libsdl.org/projects/SDL_image/release/ -WANTLIB += SDL2 jpeg m png pthread sndio tiff usbhid webp z samplerate +WANTLIB += SDL2 jpeg m png16 pthread sndio tiff usbhid webp z samplerate LIB_DEPENDS = devel/sdl2>=2.0.8 \ graphics/jpeg \ Index: distinfo === RCS file: /cvs/ports/devel/sdl2-image/distinfo,v retrieving revision 1.3 diff -u -p -r1.3 distinfo --- distinfo11 Mar 2018 22:42:00 - 1.3 +++ distinfo19 Jan 2019 19:08:05 - 
@@ -1,2 +1,2 @@ -SHA256 (SDL2_image-2.0.3.tar.gz) = NRDCXac1/82M47ZQcxUP9Pf5STuGboW4NzgIO1VtI2g= -SIZE (SDL2_image-2.0.3.tar.gz) = 8685512 +SHA256 (SDL2_image-2.0.4.tar.gz) = 507EnCQC6yQvv6FvL0OhlYKnTC6r+/uHPwDUJQA4zqw= +SIZE (SDL2_image-2.0.4.tar.gz) = 11682695 Index: patches/patch-Makefile_in === RCS file: /cvs/ports/devel/sdl2-image/patches/patch-Makefile_in,v retrieving revision 1.2 diff -u -p -r1.2 patch-Makefile_in --- patches/patch-Makefile_in 11 Mar 2018 22:42:00 - 1.2 +++ patches/patch-Makefile_in 19 Jan 2019 19:08:05 - @@ -2,7 +2,7 @@ $OpenBSD: patch-Makefile_in,v 1.2 2018/0 Index: Makefile.in --- Makefile.in.orig +++ Makefile.in -@@ -442,12 +442,10 @@ EXTRA_DIST = \ +@@ -463,12 +463,10 @@ EXTRA_DIST = \ @USE_VERSION_RC_FALSE@libSDL2_image_la_LDFLAGS = \ @USE_VERSION_RC_FALSE@-no-undefined \
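Review bot: In the first Makefile hunk, dropping `REVISION = 0` together with the V bump is right (REVISION restarts with a new V), and keeping `SHARED_LIBS += SDL2_image 0.1` with only the trailing comment changed to `# 0.4` matches the check_sym result quoted earlier in the thread (no dynamic export changes), so no ABI bump is needed; the comment now records which upstream release the 0.1 ABI was last verified against.

Review bot: In the `@@ -18,7 +17,7 @@` WANTLIB hunk, `png` becoming `png16` follows what port-lib-depends-check reported, and `samplerate` staying in WANTLIB while it was dropped from LIB_DEPENDS is consistent: WANTLIB records what the built objects actually link against, whereas LIB_DEPENDS lists direct dependencies, and libsamplerate arrives indirectly through libSDL2.la. With `devel/sdl2>=2.0.8` now left as unchanged context, this diff also remains applicable to 6.4 -stable.

Review bot: In the distinfo hunk, SIZE grows from 8685512 to 11682695 bytes for a point release; the thread notes that the upstream commit history includes a libwebp version update, which plausibly accounts for the larger tarball, but it is worth one line in the commit message so the next updater does not mistake the jump for a tampered distfile. The new SHA256 is what the ports tree verifies on fetch, so it should come from `make makesum` run against the tarball fetched from MASTER_SITES.

Review bot: The patch-Makefile_in hunk only shifts the offset (`@@ -442,12 +442,10 @@` to `@@ -463,12 +463,10 @@`); the patched body (`libSDL2_image_la_LDFLAGS` / `-no-undefined`) is unchanged, which is what `make update-patches` produces when the 2.0.4 Makefile.in grew by 21 lines above that spot. Worth confirming that `make patch` still applies it without fuzz, since a moved hunk is the usual sign that upstream touched nearby lines.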
Re: Security update: sdl2-image 2.0.4
On Fri, Jan 18 2019, Thomas Frohwein wrote:

> Hi,
>
> Please find below the security update to sdl2-image 2.0.4. It fixes the
> TALOS-2018-0645 code execution vulnerability where a specially crafted
> XCF image can cause a heap overflow [1]. Official release notes [2] are
> short, as is the commit history [3]. The latter also mentions an update
> to the libwebp version.
>
> port-lib-depends-check also revealed that this now links libpng16
> instead of libpng.
>
> Brief testing done with most of the sdl2-image consumers. No issue
> observed with any of them except for supertux and that doesn't seem
> due to sdl2-image:
>
> With supertux I get the following error on start:
>
> [FATAL]
> /usr/obj/ports/supertux-0.5.1/SuperTux-v0.5.1-Source/src/supertux/main.cpp:510
> Unexpected exception: Couldn't open
> 'images/engine/icons/supertux-256x256.png': not found
>
> This also occurs with sdl2-image-2.0.3p0. This file exists in
> /usr/local/share/supertux2/images/engine/icons/supertux-256x256.png.
> Running supertux2 from /usr/local/share/supertux2/ doesn't fix it. With
> this being the only noticeable issue, I highly doubt that sdl2-image is
> the problem. CC'd maintainer.
>
> I'm planning to add a CVE entry to quirks after this is committed if
> that's okay.
>
> ok?

- the Makefile diff doesn't apply, it seems like it has been produced
  before the latest commit to sdl2-image/Makefile.

- no change in public headers and no exported symbol added/removed, says
  check_sym, so the shared lib bump isn't needed

  /usr/local/lib/libSDL2_image.so.0.1 --> usr/local/lib/libSDL2_image.so.0.1
  No dynamic export changes
  External reference changes:
  removed:
          memcpy

- libsamplerate is an indirect dependency brought in by libSDL2.la. It
  shouldn't be listed in LIB_DEPENDS.

Not sure how useful the remaining LIB_DEPENDS change below is, but you
won't be able to push it to -stable since 6.4 only has sdl2-2.0.8.
Index: Makefile === RCS file: /cvs/ports/devel/sdl2-image/Makefile,v retrieving revision 1.10 diff -u -p -r1.10 Makefile --- Makefile6 Jan 2019 21:26:02 - 1.10 +++ Makefile19 Jan 2019 09:13:54 - @@ -1,10 +1,9 @@ # $OpenBSD: Makefile,v 1.10 2019/01/06 21:26:02 thfr Exp $ -V =2.0.3 +V =2.0.4 COMMENT = SDL2 image library DISTNAME = SDL2_image-${V} PKGNAME = sdl2-image-${V} -REVISION = 0 CATEGORIES = devel graphics SHARED_LIBS += SDL2_image 0.1 # 0.3 @@ -18,9 +17,9 @@ PERMIT_PACKAGE_CDROM =Yes MASTER_SITES = https://www.libsdl.org/projects/SDL_image/release/ -WANTLIB += SDL2 jpeg m png pthread sndio tiff usbhid webp z samplerate +WANTLIB += SDL2 jpeg m png16 pthread sndio tiff usbhid webp z samplerate -LIB_DEPENDS = devel/sdl2>=2.0.8 \ +LIB_DEPENDS = devel/sdl2>=2.0.9 \ graphics/jpeg \ graphics/libwebp \ graphics/png \ Index: distinfo === RCS file: /cvs/ports/devel/sdl2-image/distinfo,v retrieving revision 1.3 diff -u -p -r1.3 distinfo --- distinfo11 Mar 2018 22:42:00 - 1.3 +++ distinfo19 Jan 2019 09:13:54 - @@ -1,2 +1,2 @@ -SHA256 (SDL2_image-2.0.3.tar.gz) = NRDCXac1/82M47ZQcxUP9Pf5STuGboW4NzgIO1VtI2g= -SIZE (SDL2_image-2.0.3.tar.gz) = 8685512 +SHA256 (SDL2_image-2.0.4.tar.gz) = 507EnCQC6yQvv6FvL0OhlYKnTC6r+/uHPwDUJQA4zqw= +SIZE (SDL2_image-2.0.4.tar.gz) = 11682695 Index: patches/patch-Makefile_in === RCS file: /cvs/ports/devel/sdl2-image/patches/patch-Makefile_in,v retrieving revision 1.2 diff -u -p -r1.2 patch-Makefile_in --- patches/patch-Makefile_in 11 Mar 2018 22:42:00 - 1.2 +++ patches/patch-Makefile_in 19 Jan 2019 09:13:54 - @@ -2,7 +2,7 @@ $OpenBSD: patch-Makefile_in,v 1.2 2018/0 Index: Makefile.in --- Makefile.in.orig +++ Makefile.in -@@ -442,12 +442,10 @@ EXTRA_DIST = \ +@@ -463,12 +463,10 @@ EXTRA_DIST = \ @USE_VERSION_RC_FALSE@libSDL2_image_la_LDFLAGS = \ @USE_VERSION_RC_FALSE@-no-undefined \

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
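Review bot: In the first Makefile hunk, `SHARED_LIBS += SDL2_image 0.1 # 0.3` is left as context, which is correct given the check_sym output above (no dynamic export changes, only an external reference to memcpy removed), but the trailing `# 0.3` comment is now stale; changing it to `# 0.4` while leaving 0.1 alone tells the next updater which upstream release the ABI was last checked against.

Review bot: In the `@@ -18,9 +17,9 @@` hunk, `devel/sdl2>=2.0.9` makes the port unbuildable on 6.4 -stable, which ships sdl2-2.0.8 as noted above, and nobody in the thread has found a documented minimum sdl2 version for 2.0.4; keeping `devel/sdl2>=2.0.8` as it was (which the follow-up diff in this thread does) leaves the security fix backportable. The `png` to `png16` WANTLIB change is fine and follows the port-lib-depends-check result.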