Accepting request 725636 from games

- Add CVE-2019-13616.patch: fix heap buffer overflow when reading
  a crafted bmp file (boo#1141844 CVE-2019-13616).

- Update to new upstream release 2.0.5
  * Fixed TALOS-2019-0820 CVE-2019-5051
  * Fixed TALOS-2019-0821 CVE-2019-5052
  * Fixed TALOS-2019-0841 CVE-2019-5057 boo#1143763
  * Fixed TALOS-2019-0842 CVE-2019-5058 boo#1143764
  * Fixed TALOS-2019-0843 CVE-2019-5059 boo#1143766
  * Fixed TALOS-2019-0844 CVE-2019-5060 boo#1143768
- Not mentioned by upstream, but issues seemingly further fixed:
  * Fixed CVE-2019-12218 boo#1135789
  * Fixed CVE-2019-12217 boo#1135787
  * Fixed CVE-2019-12220 boo#1135806
  * Fixed CVE-2019-12221 boo#1135796
  * Fixed CVE-2019-12222 boo#1136101

OBS-URL: https://build.opensuse.org/request/show/725636
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/SDL2_image?expand=0&rev=11

CVE-2019-13616.patch

@@ -0,0 +1,15 @@
+diff -r f1baffa48926 -r ba45f00879ba IMG_bmp.c
+--- a/IMG_bmp.c	Tue Jul 30 10:16:02 2019 -0700
++++ b/IMG_bmp.c	Tue Jul 30 11:00:12 2019 -0700
+@@ -351,6 +351,11 @@
+             SDL_RWseek(src, (biSize - headerSize), RW_SEEK_CUR);
+         }
+     }
++    if (biWidth <= 0 || biHeight == 0) {
++        IMG_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight);
++        was_error = SDL_TRUE;
++        goto done;
++    }
+     if (biHeight < 0) {
+         topDown = SDL_TRUE;
+         biHeight = -biHeight;

SDL2_image-2.0.4.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e74ec49c2402eb242fbfa16f2f43a19582a74c2eabfbfb873f00d4250038ceac
-size 11682695

SDL2_image-2.0.5.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bdd5f6e026682f7d7e1be0b6051b209da2f402a2dd8bd1c4bd9c25ad263108d0
+size 11736518

SDL2_image.changes

@@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Fri Aug 23 14:04:59 UTC 2019 - Michael Gorse <mgorse@suse.com>
+
+- Add CVE-2019-13616.patch: fix heap buffer overflow when reading
+  a crafted bmp file (boo#1141844 CVE-2019-13616).
+
+-------------------------------------------------------------------
+Fri Aug 23 09:53:45 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to new upstream release 2.0.5
+  * Fixed TALOS-2019-0820 CVE-2019-5051
+  * Fixed TALOS-2019-0821 CVE-2019-5052
+  * Fixed TALOS-2019-0841 CVE-2019-5057 boo#1143763
+  * Fixed TALOS-2019-0842 CVE-2019-5058 boo#1143764
+  * Fixed TALOS-2019-0843 CVE-2019-5059 boo#1143766
+  * Fixed TALOS-2019-0844 CVE-2019-5060 boo#1143768
+- Not mentioned by upstream, but issues seemingly further fixed:
+  * Fixed CVE-2019-12218 boo#1135789
+  * Fixed CVE-2019-12217 boo#1135787
+  * Fixed CVE-2019-12220 boo#1135806
+  * Fixed CVE-2019-12221 boo#1135796
+  * Fixed CVE-2019-12222 boo#1136101
+
 -------------------------------------------------------------------
 Wed Nov  7 20:56:03 UTC 2018 - Jan Engelhardt <jengelh@inai.de>
 

SDL2_image.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package SDL2_image
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,16 +18,17 @@
 
 Name:           SDL2_image
 %define lname	libSDL2_image-2_0-0
-Version:        2.0.4
+Version:        2.0.5
 Release:        0
-Summary:        SDL2 image loading library
+Summary:        Simple DirectMedia Layer 2 image loading library
 License:        Zlib
 Group:          Development/Libraries/X11
-Url:            http://libsdl.org/projects/SDL_image/
+URL:            https://libsdl.org/projects/SDL_image/
 
 #Hg-Clone:	http://hg.libsdl.org/SDL_image/
-Source:         http://libsdl.org/projects/SDL_image/release/%name-%version.tar.gz
+Source:         https://libsdl.org/projects/SDL_image/release/%name-%version.tar.gz
 Source2:        baselibs.conf
+Patch1:         CVE-2019-13616.patch
 BuildRequires:  dos2unix
 BuildRequires:  libjpeg-devel
 BuildRequires:  libtiff-devel
@@ -35,7 +36,6 @@ BuildRequires:  pkg-config
 BuildRequires:  pkgconfig(libpng)
 BuildRequires:  pkgconfig(libwebp)
 BuildRequires:  pkgconfig(sdl2) >= 2.0.8
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
 This is a simple library to load images of various formats as SDL
@@ -43,7 +43,7 @@ surfaces. This library supports the BMP, PPM, PCX, GIF, JPEG, PNG,
 TIFF and WEBP formats.
 
 %package -n %lname
-Summary:        Simple DirectMedia Layer 2 – Image Loading Library
+Summary:        Simple DirectMedia Layer 2 image loading library
 Group:          System/Libraries
 Provides:       SDL2_image = %version-%release
 
@@ -64,7 +64,7 @@ surfaces. This library supports the BMP, PPM, PCX, GIF, JPEG, PNG,
 TIFF and WEBP formats.
 
 %prep
-%setup -q
+%autosetup -p1
 dos2unix *.txt
 rm -rf external
 
@@ -74,19 +74,18 @@ rm -rf external
 make %{?_smp_mflags}
 
 %install
-make install DESTDIR="%buildroot"
+%make_install
 rm -f "%buildroot/%_libdir"/*.la
 
 %post   -n %lname -p /sbin/ldconfig
 %postun -n %lname -p /sbin/ldconfig
 
 %files -n %lname
-%defattr(-,root,root)
+%license COPYING.txt
-%doc CHANGES.txt COPYING.txt README.txt
 %_libdir/libSDL2_image-2*.so.*
 
 %files -n libSDL2_image-devel
-%defattr(-,root,root)
+%doc CHANGES.txt README.txt
 %_includedir/SDL2/
 %_libdir/libSDL2_image.so
 %_libdir/pkgconfig/SDL2_image.pc