diff --git a/CVE-2019-13616.patch b/CVE-2019-13616.patch
new file mode 100644
index 0000000..10e5ac9
--- /dev/null
+++ b/CVE-2019-13616.patch
@@ -0,0 +1,15 @@
+diff -r b810b78d32cc -r e7ba650a643a src/video/SDL_bmp.c
+--- a/src/video/SDL_bmp.c Thu Jul 25 08:05:13 2019 -0500
++++ b/src/video/SDL_bmp.c Tue Jul 30 11:00:00 2019 -0700
+@@ -226,6 +226,11 @@
+ SDL_RWseek(src, (biSize - headerSize), RW_SEEK_CUR);
+ }
+ }
++ if (biWidth <= 0 || biHeight == 0) {
++ SDL_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight);
++ was_error = SDL_TRUE;
++ goto done;
++ }
+ if (biHeight < 0) {
+ topDown = SDL_TRUE;
+ biHeight = -biHeight;
diff --git a/SDL2-2.0.10.tar.gz b/SDL2-2.0.10.tar.gz
new file mode 100644
index 0000000..6c1f190
--- /dev/null
+++ b/SDL2-2.0.10.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b4656c13a1f0d0023ae2f4a9cf08ec92fffb464e0f24238337784159b8b91d57
+size 5550762
diff --git a/SDL2-2.0.10.tar.gz.sig b/SDL2-2.0.10.tar.gz.sig
new file mode 100644
index 0000000..6a5931b
Binary files /dev/null and b/SDL2-2.0.10.tar.gz.sig differ
diff --git a/SDL2-2.0.9.tar.gz b/SDL2-2.0.9.tar.gz
deleted file mode 100644
index 79c51d1..0000000
--- a/SDL2-2.0.9.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:255186dc676ecd0c1dbf10ec8a2cc5d6869b5079d8a38194c2aecdff54b324b1
-size 5246942
diff --git a/SDL2-2.0.9.tar.gz.sig b/SDL2-2.0.9.tar.gz.sig
deleted file mode 100644
index 1b673a1..0000000
Binary files a/SDL2-2.0.9.tar.gz.sig and /dev/null differ
diff --git a/SDL2.changes b/SDL2.changes
index 467ed8e..45114a6 100644
--- a/SDL2.changes
+++ b/SDL2.changes
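Review bot: The guard added in the `SDL_bmp.c` hunk of CVE-2019-13616.patch rejects `biWidth <= 0` and `biHeight == 0`, but the most negative height still reaches `biHeight = -biHeight;` two lines below. If biHeight is a signed 32-bit field (its declaration is outside the hunk), that negation overflows and the value can stay negative after the top-down branch. The guard also sets no upper bound, so whether a very large width/height pair is safe depends on allocation code not visible here. Consider widening the condition to `if (biWidth <= 0 || biHeight == 0 || biHeight == SDL_MIN_SINT32) {` and noting in the patch that it then differs from upstream changeset e7ba650a643a. The enclosing function starts and ends outside the hunk.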
@@ -1,3 +1,65 @@
+-------------------------------------------------------------------
+Fri Aug 23 11:19:59 UTC 2019 - Jan Engelhardt
+
+- Update sdl2-symvers.patch for SDL 2.0.9/2.0.10.
+
+-------------------------------------------------------------------
+Thu Aug 22 16:43:13 UTC 2019 - Michael Gorse
+
+- Add CVE-2019-13616.patch: fix heap buffer overflow when reading
+ a crafted bmp file (boo#1141844 CVE-2019-13616).
+
+-------------------------------------------------------------------
+Sun Aug 11 04:29:55 UTC 2019 - Jan Engelhardt
+
+- Drop libSDL2main.a from libSDL-2_0-devel. It is only used
+ during build.
+
+-------------------------------------------------------------------
+Wed Jul 31 08:47:44 UTC 2019 - Martin Liška
+
+- Use FAT LTO objects in order to provide proper static library.
+
+-------------------------------------------------------------------
+Fri Jul 26 07:44:39 UTC 2019 - Luigi Baldoni
+
+- Update to version 2.0.10
+ * The SDL_RW* macros have been turned into functions that are
+ available only in 2.0.10 and onward
+ * Added SDL_SIMDGetAlignment(), SDL_SIMDAlloc(), and
+ SDL_SIMDFree(), to allocate memory aligned for SIMD
+ operations for the current CPU
+ * Added SDL_RenderDrawPointF(), SDL_RenderDrawPointsF(),
+ SDL_RenderDrawLineF(), SDL_RenderDrawLinesF(),
+ SDL_RenderDrawRectF(), SDL_RenderDrawRectsF(),
+ SDL_RenderFillRectF(), SDL_RenderFillRectsF(),
+ SDL_RenderCopyF(), SDL_RenderCopyExF(), to allow floating
+ point precision in the SDL rendering API.
+ * Added SDL_GetTouchDeviceType() to get the type of a touch
+ device, which can be a touch screen or a trackpad in relative
+ or absolute coordinate mode.
+ * The SDL rendering API now uses batched rendering by default, + for improved performance + * Added SDL_RenderFlush() to force batched render commands to + execute, if you're going to mix SDL rendering with native + rendering + * Added the hint SDL_HINT_RENDER_BATCHING to control whether + batching should be used for the rendering API. This defaults + to "1" if you don't specify what rendering driver to use when + creating the renderer. + * Added the hint SDL_HINT_EVENT_LOGGING to enable logging of + SDL events for debugging purposes + * Added the hint SDL_HINT_GAMECONTROLLERCONFIG_FILE to specify + a file that will be loaded at joystick initialization with + game controller bindings + * Added the hint SDL_HINT_MOUSE_TOUCH_EVENTS to control + whether SDL will synthesize touch events from mouse events + * Improved handling of malformed WAVE and BMP files, fixing + potential security exploits (boo#1142031 CVE-2019-13626) + * Removed the Mir video driver in favor of Wayland + +- Refreshed sdl2-symvers.patch + ------------------------------------------------------------------- Sun Nov 4 14:10:15 UTC 2018 - Luigi Baldoni @@ -45,12 +107,12 @@ Sun Nov 4 14:10:15 UTC 2018 - Luigi Baldoni ------------------------------------------------------------------- Sun Jun 24 22:40:23 UTC 2018 - robert.munteanu@gmail.com -- Add 7babfecee045.patch, fixes launching Firewatch +- Add 7babfecee045.patch, fixes launching Firewatch ------------------------------------------------------------------- Fri May 11 11:08:39 UTC 2018 - crrodriguez@opensuse.org -- SDL2-endian.patch: bring up patch from SDL1, use optimized +- SDL2-endian.patch: bring up patch from SDL1, use optimized byteswap routines from the C library. - build with --disable-3dnow, do not pass -m3dnow to the compiler modern cpus do not support this instructions at all. diff --git a/SDL2.spec b/SDL2.spec index 8b71dcc..2d2e229 100644 --- a/SDL2.spec +++ b/SDL2.spec 
@@ -1,7 +1,7 @@ # # spec file for package SDL2 # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,9 +16,10 @@ # +%define sle_version 0 Name: SDL2 %define lname libSDL2-2_0-0 -Version: 2.0.9 +Version: 2.0.10 Release: 0 Summary: Simple DirectMedia Layer Library License: Zlib @@ -32,6 +33,7 @@ Source3: %name.keyring Source4: baselibs.conf Patch1: sdl2-symvers.patch Patch2: SDL2-endian.patch +Patch3: CVE-2019-13616.patch BuildRequires: cmake BuildRequires: dos2unix BuildRequires: gcc-c++ @@ -108,8 +110,7 @@ This package contains files needed for development with the SDL2 library. %prep -%setup -q -%patch -P 1 -P 2 -p1 +%autosetup -p1 dos2unix WhatsNew.txt dos2unix TODO.txt dos2unix BUGS.txt @@ -119,6 +120,7 @@ dos2unix CREDITS.txt dos2unix COPYING.txt %build +%global _lto_cflags %{_lto_cflags} -ffat-lto-objects # In this instance, we do want --with-pic because of libSDL2main.a. %configure --with-pic --disable-alsa-shared --disable-video-directfb \ --enable-video-kmsdrm --enable-video-wayland \ @@ -128,17 +130,15 @@ dos2unix COPYING.txt %ifarch ix86 --enable-sse2=no \ %endif - --enable-sse3=no \ - --disable-rpath \ - --disable-3dnow + --enable-sse3=no --disable-rpath --disable-3dnow make %{?_smp_mflags} V=1 %install -make install DESTDIR="%buildroot" +%make_install rm -f "%buildroot/%_libdir"/*.la # We do not want static libs, but using --disable-static leads to make aborting -# halfway through. SDL2main.a we need to keep(?) for the stub symbol. -find "%buildroot/%_libdir" -type f -name "*.a" ! -name "libSDL2main.a" -delete +# halfway through %%build. Now it can be removed though. +rm -f "%buildroot/%_libdir/"*.a %post -n %lname -p /sbin/ldconfig %postun -n %lname -p /sbin/ldconfig 
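Review bot: `%define sle_version 0` in the preamble hunk is added without a comment, and none of the SDL2.changes entries in this commit mention it. An unconditional `%define` in the spec would presumably override any `sle_version` supplied by the build project. Any conditional keyed on it (none is visible in these hunks) would then always take the non-SLE branch. Either drop the line or state its purpose next to it, e.g. `# sle_version forced to 0 because <reason>`, and add a matching changelog line.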
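Review bot: The `%build` hunk appends `-ffat-lto-objects` to `_lto_cflags`, and the context comment below it still justifies `--with-pic` "because of libSDL2main.a". Yet the `%install` hunk in this commit now removes every `*.a`, and the `%files` hunk drops `%_libdir/libSDL2main.a`. With no static archive shipped, the fat-LTO flag appears to serve only the in-build link, and the `--with-pic` comment reads as stale. If the flag is still needed, say so with a comment such as `# fat objects: libSDL2main.a is linked during build only, not packaged`; otherwise remove the `%global _lto_cflags` line and update the `--with-pic` comment.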
@@ -152,7 +152,6 @@ find "%buildroot/%_libdir" -type f -name "*.a" ! -name "libSDL2main.a" -delete %doc TODO.txt WhatsNew.txt %_bindir/sdl2-config %_libdir/libSDL2.so -%_libdir/libSDL2main.a %_includedir/SDL2/ %_datadir/aclocal/sdl2.m4 %_libdir/pkgconfig/sdl2.pc diff --git a/sdl2-symvers.patch b/sdl2-symvers.patch index ab63d84..d14463f 100644 --- a/sdl2-symvers.patch +++ b/sdl2-symvers.patch @@ -4,28 +4,28 @@ Date: 2018-01-10 23:56:12.245827883 +0100 Scrape the SDL announcements since 2.0.3 (version in Leap 42.3) and add some symvers so that zypper knows when to upgrade SDL. --- - Makefile.in | 2 - - sdl2.sym | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 69 insertions(+), 1 deletion(-) + Makefile.in | 2 + sdl2.sym | 124 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 125 insertions(+), 1 deletion(-) -Index: SDL2-2.0.8/Makefile.in +Index: SDL2-2.0.10/Makefile.in =================================================================== ---- SDL2-2.0.8.orig/Makefile.in -+++ SDL2-2.0.8/Makefile.in -@@ -122,7 +122,7 @@ LT_AGE = @LT_AGE@ +--- SDL2-2.0.10.orig/Makefile.in ++++ SDL2-2.0.10/Makefile.in +@@ -125,7 +125,7 @@ LT_AGE = @LT_AGE@ LT_CURRENT = @LT_CURRENT@ LT_RELEASE = @LT_RELEASE@ LT_REVISION = @LT_REVISION@ -LT_LDFLAGS = -no-undefined -rpath $(libdir) -release $(LT_RELEASE) -version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE) +LT_LDFLAGS = -no-undefined -rpath $(libdir) -release $(LT_RELEASE) -version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE) -Wl,--version-script=sdl2.sym - all: $(srcdir)/configure Makefile $(objects) $(objects)/$(TARGET) $(objects)/$(SDLMAIN_TARGET) $(objects)/$(SDLTEST_TARGET) + all: $(srcdir)/configure Makefile $(objects)/$(TARGET) $(objects)/$(SDLMAIN_TARGET) $(objects)/$(SDLTEST_TARGET) -Index: SDL2-2.0.8/sdl2.sym +Index: SDL2-2.0.10/sdl2.sym =================================================================== 
--- /dev/null -+++ SDL2-2.0.8/sdl2.sym -@@ -0,0 +1,68 @@ ++++ SDL2-2.0.10/sdl2.sym +@@ -0,0 +1,124 @@ +SUSE_2.0.5 { +global: + SDL_DequeueAudio; @@ -94,3 +94,59 @@ Index: SDL2-2.0.8/sdl2.sym + SDL_SetYUVConversionMode; + SDL_GetYUVConversionMode; +} SUSE_2.0.7; ++SUSE_2.0.9 { ++global: ++ SDL_CreateThreadWithStackSize; ++ SDL_GameControllerGetPlayerIndex; ++ SDL_GameControllerMappingForDeviceIndex; ++ SDL_GameControllerRumble; ++ SDL_GetDisplayOrientation; ++ SDL_HasAVX512F; ++ SDL_HasColorKey; ++ SDL_IsTablet; ++ SDL_JoystickGetDevicePlayerIndex; ++ SDL_JoystickGetPlayerIndex; ++ SDL_JoystickRumble; ++ SDL_LinuxSetThreadPriority; ++ SDL_NumSensors; ++ SDL_SensorClose; ++ SDL_SensorFromInstanceID; ++ SDL_SensorGetData; ++ SDL_SensorGetDeviceInstanceID; ++ SDL_SensorGetDeviceName; ++ SDL_SensorGetDeviceNonPortableType; ++ SDL_SensorGetDeviceType; ++ SDL_SensorGetInstanceID; ++ SDL_SensorGetName; ++ SDL_SensorGetNonPortableType; ++ SDL_SensorGetType; ++ SDL_SensorOpen; ++ SDL_SensorUpdate; ++ SDL_exp; ++ SDL_expf; ++ SDL_wcsdup; ++} SUSE_2.0.8; ++SUSE_2.0.10 { ++global: ++ SDL_GetTouchDeviceType; ++ SDL_RWclose; ++ SDL_RWread; ++ SDL_RWseek; ++ SDL_RWsize; ++ SDL_RWtell; ++ SDL_RWwrite; ++ SDL_RenderCopyExF; ++ SDL_RenderCopyF; ++ SDL_RenderDrawLineF; ++ SDL_RenderDrawLinesF; ++ SDL_RenderDrawPointF; ++ SDL_RenderDrawPointsF; ++ SDL_RenderDrawRectF; ++ SDL_RenderDrawRectsF; ++ SDL_RenderFillRectF; ++ SDL_RenderFillRectsF; ++ SDL_RenderFlush; ++ SDL_SIMDAlloc; ++ SDL_SIMDFree; ++ SDL_SIMDGetAlignment; ++} SUSE_2.0.9;