Re: Security update: sdl2-image 2.0.4

2019-01-20 Thread Jeremie Courreges-Anglas
On Sat, Jan 19 2019, Thomas Frohwein wrote:
> On Sat, Jan 19, 2019 at 10:29:53AM +0100, Jeremie Courreges-Anglas wrote:
> [...]
>> - the Makefile diff doesn't apply, it seems like it has been produced
>>   before the latest commit to sdl2-image/Makefile.
>
> My bad, the dir in mystuff was from an outdated checkout.
>
>> - no change in public headers and no exported symbol added/removed, says
>>   check_sym, so the shared lib bump isn't needed
> [...]
>> - libsamplerate is an indirect dependency brought in by libSDL2.la.  It
>>   shouldn't be listed in LIB_DEPENDS.
>> 
>> Not sure how useful the remaining LIB_DEPENDS change below is, but you
>> won't be able to push it to -stable since 6.4 only has sdl2-2.0.8.
>
> I added that because it was released with sdl2-2.0.9 and didn't account for
> how that would prevent working with -stable. I can't find anything on a
> minimum sdl2 version for sdl2-image-2.0.4, so leaving it as is for now.
>
> New diff taking all of these points into account here below. ok?

Yup, ok jca@ (also for -stable)

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE



Re: Security update: sdl2-image 2.0.4

2019-01-19 Thread Thomas Frohwein
On Sat, Jan 19, 2019 at 10:29:53AM +0100, Jeremie Courreges-Anglas wrote:
[...]
> - the Makefile diff doesn't apply, it seems like it has been produced
>   before the latest commit to sdl2-image/Makefile.

My bad, the dir in mystuff was from an outdated checkout.

> - no change in public headers and no exported symbol added/removed, says
>   check_sym, so the shared lib bump isn't needed
[...]
> - libsamplerate is an indirect dependency brought in by libSDL2.la.  It
>   shouldn't be listed in LIB_DEPENDS.
> 
> Not sure how useful the remaining LIB_DEPENDS change below is, but you
> won't be able to push it to -stable since 6.4 only has sdl2-2.0.8.

I added that because it was released with sdl2-2.0.9 and didn't account for
how that would prevent working with -stable. I can't find anything on a
minimum sdl2 version for sdl2-image-2.0.4, so leaving it as is for now.

New diff taking all of these points into account here below. ok?

Index: Makefile
===
RCS file: /cvs/ports/devel/sdl2-image/Makefile,v
retrieving revision 1.10
diff -u -p -r1.10 Makefile
--- Makefile6 Jan 2019 21:26:02 -   1.10
+++ Makefile19 Jan 2019 19:08:05 -
@@ -1,13 +1,12 @@
 # $OpenBSD: Makefile,v 1.10 2019/01/06 21:26:02 thfr Exp $
 
-V =2.0.3
+V =2.0.4
 COMMENT =  SDL2 image library
 DISTNAME = SDL2_image-${V}
 PKGNAME =  sdl2-image-${V}
-REVISION = 0
 CATEGORIES =   devel graphics
 
-SHARED_LIBS += SDL2_image  0.1 # 0.3
+SHARED_LIBS += SDL2_image  0.1 # 0.4
 
 HOMEPAGE = https://www.libsdl.org/projects/SDL_image/
 
@@ -18,7 +17,7 @@ PERMIT_PACKAGE_CDROM =Yes
 
 MASTER_SITES = https://www.libsdl.org/projects/SDL_image/release/
 
-WANTLIB += SDL2 jpeg m png pthread sndio tiff usbhid webp z samplerate
+WANTLIB += SDL2 jpeg m png16 pthread sndio tiff usbhid webp z samplerate
 
 LIB_DEPENDS =  devel/sdl2>=2.0.8 \
graphics/jpeg \
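Review bot: `samplerate` stays in WANTLIB after the `png` to `png16` change; that is correct only if the 2.0.4 binary still references libsamplerate, so re-run port-lib-depends-check on the new build rather than carrying the entry over from 2.0.3. WANTLIB records what the objects actually link against, while LIB_DEPENDS records direct port dependencies, which is why libsamplerate belongs in the former (pulled in via libSDL2.la) and not the latter. Leaving the context line `LIB_DEPENDS = devel/sdl2>=2.0.8` untouched also keeps this diff pushable to -stable, where only sdl2-2.0.8 is available.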
Index: distinfo
===
RCS file: /cvs/ports/devel/sdl2-image/distinfo,v
retrieving revision 1.3
diff -u -p -r1.3 distinfo
--- distinfo11 Mar 2018 22:42:00 -  1.3
+++ distinfo19 Jan 2019 19:08:05 -
@@ -1,2 +1,2 @@
-SHA256 (SDL2_image-2.0.3.tar.gz) = NRDCXac1/82M47ZQcxUP9Pf5STuGboW4NzgIO1VtI2g=
-SIZE (SDL2_image-2.0.3.tar.gz) = 8685512
+SHA256 (SDL2_image-2.0.4.tar.gz) = 507EnCQC6yQvv6FvL0OhlYKnTC6r+/uHPwDUJQA4zqw=
+SIZE (SDL2_image-2.0.4.tar.gz) = 11682695
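Review bot: SIZE grows from 8685512 to 11682695 bytes, roughly 3 MB for a point release, so the new distinfo should come from `make makesum` against a tarball fetched from MASTER_SITES rather than a hand-edited checksum. The growth is consistent with the libwebp update mentioned in the upstream commit history (bundled third-party sources), but since this is a security update it is worth confirming that the delta is only that before committing.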
Index: patches/patch-Makefile_in
===
RCS file: /cvs/ports/devel/sdl2-image/patches/patch-Makefile_in,v
retrieving revision 1.2
diff -u -p -r1.2 patch-Makefile_in
--- patches/patch-Makefile_in   11 Mar 2018 22:42:00 -  1.2
+++ patches/patch-Makefile_in   19 Jan 2019 19:08:05 -
@@ -2,7 +2,7 @@ $OpenBSD: patch-Makefile_in,v 1.2 2018/0
 Index: Makefile.in
 --- Makefile.in.orig
 +++ Makefile.in
-@@ -442,12 +442,10 @@ EXTRA_DIST = \
+@@ -463,12 +463,10 @@ EXTRA_DIST = \
  
  @USE_VERSION_RC_FALSE@libSDL2_image_la_LDFLAGS = \
  @USE_VERSION_RC_FALSE@-no-undefined   \
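Review bot: only the hunk offset inside the embedded patch moves (`-442,12` to `-463,12`) and the patched content is unchanged, which is what `make update-patches` produces after the new tarball shifts Makefile.in; confirm `make patch` still applies it cleanly on 2.0.4 so the offset change is the whole story.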



Re: Security update: sdl2-image 2.0.4

2019-01-19 Thread Jeremie Courreges-Anglas
On Fri, Jan 18 2019, Thomas Frohwein wrote:
> Hi,
>
> Please find below the security update to sdl2-image 2.0.4. It fixes the
> TALOS-2018-0645 code execution vulnerability where a specially crafted
> XCF image can cause a heap overflow [1]. Official release notes [2] are
> short, as is the commit history [3]. The latter also mentions an update
> to the libwebp version.
>
> port-lib-depends-check also revealed that this now links libpng16
> instead of libpng.
>
> Brief testing done with most of the sdl2-image consumers. No issue
> observed with any of them except for supertux and that doesn't seem
> due to sdl2-image:
>
> With supertux I get the following error on start:
>
> [FATAL] 
> /usr/obj/ports/supertux-0.5.1/SuperTux-v0.5.1-Source/src/supertux/main.cpp:510
>  Unexpected exception: Couldn't open 
> 'images/engine/icons/supertux-256x256.png': not found
>
> This also occurs with sdl2-image-2.0.3p0. This file exists in
> /usr/local/share/supertux2/images/engine/icons/supertux-256x256.png.
> Running supertux2 from /usr/local/share/supertux2/ doesn't fix it. With
> this being the only noticeable issue, I highly doubt that sdl2-image is
> the problem. CC'd maintainer.
>
> I'm planning to add a CVE entry to quirks after this is committed if
> that's okay.
>
> ok?

- the Makefile diff doesn't apply, it seems like it has been produced
  before the latest commit to sdl2-image/Makefile.

- no change in public headers and no exported symbol added/removed, says
  check_sym, so the shared lib bump isn't needed

  /usr/local/lib/libSDL2_image.so.0.1 --> usr/local/lib/libSDL2_image.so.0.1
  No dynamic export changes
  External reference changes:
  removed:
  memcpy

- libsamplerate is an indirect dependency brought in by libSDL2.la.  It
  shouldn't be listed in LIB_DEPENDS.

Not sure how useful the remaining LIB_DEPENDS change below is, but you
won't be able to push it to -stable since 6.4 only has sdl2-2.0.8.


Index: Makefile
===
RCS file: /cvs/ports/devel/sdl2-image/Makefile,v
retrieving revision 1.10
diff -u -p -r1.10 Makefile
--- Makefile6 Jan 2019 21:26:02 -   1.10
+++ Makefile19 Jan 2019 09:13:54 -
@@ -1,10 +1,9 @@
 # $OpenBSD: Makefile,v 1.10 2019/01/06 21:26:02 thfr Exp $
 
-V =2.0.3
+V =2.0.4
 COMMENT =  SDL2 image library
 DISTNAME = SDL2_image-${V}
 PKGNAME =  sdl2-image-${V}
-REVISION = 0
 CATEGORIES =   devel graphics
 
 SHARED_LIBS += SDL2_image  0.1 # 0.3
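Review bot: the SHARED_LIBS comment still reads `# 0.3` while V moves to 2.0.4. Since check_sym found no public header or exported symbol change, the `0.1` library version is right to keep, but the comment should become `# 0.4` so it records the upstream version against which the ABI was last checked; otherwise the next updater will wonder whether 2.0.4 was ever examined.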
@@ -18,9 +17,9 @@ PERMIT_PACKAGE_CDROM =Yes
 
 MASTER_SITES = https://www.libsdl.org/projects/SDL_image/release/
 
-WANTLIB += SDL2 jpeg m png pthread sndio tiff usbhid webp z samplerate
+WANTLIB += SDL2 jpeg m png16 pthread sndio tiff usbhid webp z samplerate
 
-LIB_DEPENDS =  devel/sdl2>=2.0.8 \
+LIB_DEPENDS =  devel/sdl2>=2.0.9 \
graphics/jpeg \
graphics/libwebp \
graphics/png \
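Review bot: the `devel/sdl2>=2.0.8` to `>=2.0.9` bump in LIB_DEPENDS prevents pushing this fix to -stable, because 6.4 only ships sdl2-2.0.8, and nothing in the quoted release notes or the mail establishes that SDL2_image 2.0.4 needs a newer SDL2. For a security update that should reach -stable, keep `>=2.0.8` unless a build or runtime failure against 2.0.8 is actually shown. The `png` to `png16` WANTLIB change in the same hunk matches the port-lib-depends-check result reported above and needs no LIB_DEPENDS change, since `graphics/png` is already listed.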
Index: distinfo
===
RCS file: /cvs/ports/devel/sdl2-image/distinfo,v
retrieving revision 1.3
diff -u -p -r1.3 distinfo
--- distinfo11 Mar 2018 22:42:00 -  1.3
+++ distinfo19 Jan 2019 09:13:54 -
@@ -1,2 +1,2 @@
-SHA256 (SDL2_image-2.0.3.tar.gz) = NRDCXac1/82M47ZQcxUP9Pf5STuGboW4NzgIO1VtI2g=
-SIZE (SDL2_image-2.0.3.tar.gz) = 8685512
+SHA256 (SDL2_image-2.0.4.tar.gz) = 507EnCQC6yQvv6FvL0OhlYKnTC6r+/uHPwDUJQA4zqw=
+SIZE (SDL2_image-2.0.4.tar.gz) = 11682695
Index: patches/patch-Makefile_in
===
RCS file: /cvs/ports/devel/sdl2-image/patches/patch-Makefile_in,v
retrieving revision 1.2
diff -u -p -r1.2 patch-Makefile_in
--- patches/patch-Makefile_in   11 Mar 2018 22:42:00 -  1.2
+++ patches/patch-Makefile_in   19 Jan 2019 09:13:54 -
@@ -2,7 +2,7 @@ $OpenBSD: patch-Makefile_in,v 1.2 2018/0
 Index: Makefile.in
 --- Makefile.in.orig
 +++ Makefile.in
-@@ -442,12 +442,10 @@ EXTRA_DIST = \
+@@ -463,12 +463,10 @@ EXTRA_DIST = \
  
  @USE_VERSION_RC_FALSE@libSDL2_image_la_LDFLAGS = \
  @USE_VERSION_RC_FALSE@-no-undefined   \


-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE