Accepting request 725636 from games

- Add CVE-2019-13616.patch: fix heap buffer overflow when reading a crafted bmp file (boo#1141844 CVE-2019-13616). - Update to new upstream release 2.0.5 * Fixed TALOS-2019-0820 CVE-2019-5051 * Fixed TALOS-2019-0821 CVE-2019-5052 * Fixed TALOS-2019-0841 CVE-2019-5057 boo#1143763 * Fixed TALOS-2019-0842 CVE-2019-5058 boo#1143764 * Fixed TALOS-2019-0843 CVE-2019-5059 boo#1143766 * Fixed TALOS-2019-0844 CVE-2019-5060 boo#1143768 - Not mentioned by upstream, but issues seemingly further fixed: * Fixed CVE-2019-12218 boo#1135789 * Fixed CVE-2019-12217 boo#1135787 * Fixed CVE-2019-12220 boo#1135806 * Fixed CVE-2019-12221 boo#1135796 * Fixed CVE-2019-12222 boo#1136101 OBS-URL: https://build.opensuse.org/request/show/725636 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/SDL2_image?expand=0&rev=11
2019-08-28 14:02:19 +00:00 · 2019-08-28 14:02:19 +00:00 · fc1c3cc3a9
commit fc1c3cc3a9
parent cc95d10648 5f507c54b6
5 changed files with 52 additions and 15 deletions
--- a/CVE-2019-13616.patch
+++ b/CVE-2019-13616.patch
@ -0,0 +1,15 @@
+diff -r f1baffa48926 -r ba45f00879ba IMG_bmp.c
+--- a/IMG_bmp.c	Tue Jul 30 10:16:02 2019 -0700
+++ b/IMG_bmp.c	Tue Jul 30 11:00:12 2019 -0700
+@@ -351,6 +351,11 @@
+             SDL_RWseek(src, (biSize - headerSize), RW_SEEK_CUR);
+         }
+     }
+    if (biWidth <= 0 || biHeight == 0) {
+        IMG_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight);
+        was_error = SDL_TRUE;
+        goto done;
+    }
+     if (biHeight < 0) {
+         topDown = SDL_TRUE;
+         biHeight = -biHeight;
--- a/SDL2_image-2.0.4.tar.gz
+++ b/SDL2_image-2.0.4.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e74ec49c2402eb242fbfa16f2f43a19582a74c2eabfbfb873f00d4250038ceac
-size 11682695
--- a/SDL2_image-2.0.5.tar.gz
+++ b/SDL2_image-2.0.5.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bdd5f6e026682f7d7e1be0b6051b209da2f402a2dd8bd1c4bd9c25ad263108d0
+size 11736518
--- a/SDL2_image.changes
+++ b/SDL2_image.changes
@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Fri Aug 23 14:04:59 UTC 2019 - Michael Gorse <mgorse@suse.com>
+
+- Add CVE-2019-13616.patch: fix heap buffer overflow when reading
+  a crafted bmp file (boo#1141844 CVE-2019-13616).
+
+-------------------------------------------------------------------
+Fri Aug 23 09:53:45 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to new upstream release 2.0.5
+  * Fixed TALOS-2019-0820 CVE-2019-5051
+  * Fixed TALOS-2019-0821 CVE-2019-5052
+  * Fixed TALOS-2019-0841 CVE-2019-5057 boo#1143763
+  * Fixed TALOS-2019-0842 CVE-2019-5058 boo#1143764
+  * Fixed TALOS-2019-0843 CVE-2019-5059 boo#1143766
+  * Fixed TALOS-2019-0844 CVE-2019-5060 boo#1143768
+- Not mentioned by upstream, but issues seemingly further fixed:
+  * Fixed CVE-2019-12218 boo#1135789
+  * Fixed CVE-2019-12217 boo#1135787
+  * Fixed CVE-2019-12220 boo#1135806
+  * Fixed CVE-2019-12221 boo#1135796
+  * Fixed CVE-2019-12222 boo#1136101
+
 -------------------------------------------------------------------
 Wed Nov  7 20:56:03 UTC 2018 - Jan Engelhardt <jengelh@inai.de>

--- a/SDL2_image.spec
+++ b/SDL2_image.spec
@ -1,7 +1,7 @@
 #
 # spec file for package SDL2_image
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -18,16 +18,17 @@

 Name:           SDL2_image
 %define lname	libSDL2_image-2_0-0
-Version:        2.0.4
+Version:        2.0.5
 Release:        0
-Summary:        SDL2 image loading library
+Summary:        Simple DirectMedia Layer 2 image loading library
 License:        Zlib
 Group:          Development/Libraries/X11
-Url:            http://libsdl.org/projects/SDL_image/
+URL:            https://libsdl.org/projects/SDL_image/

 #Hg-Clone:	http://hg.libsdl.org/SDL_image/
-Source:         http://libsdl.org/projects/SDL_image/release/%name-%version.tar.gz
+Source:         https://libsdl.org/projects/SDL_image/release/%name-%version.tar.gz
 Source2:        baselibs.conf
+Patch1:         CVE-2019-13616.patch
 BuildRequires:  dos2unix
 BuildRequires:  libjpeg-devel
 BuildRequires:  libtiff-devel
@ -35,7 +36,6 @@ BuildRequires:  pkg-config
 BuildRequires:  pkgconfig(libpng)
 BuildRequires:  pkgconfig(libwebp)
 BuildRequires:  pkgconfig(sdl2) >= 2.0.8
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
 This is a simple library to load images of various formats as SDL
@ -43,7 +43,7 @@ surfaces. This library supports the BMP, PPM, PCX, GIF, JPEG, PNG,
 TIFF and WEBP formats.

 %package -n %lname
-Summary:        Simple DirectMedia Layer 2 – Image Loading Library
+Summary:        Simple DirectMedia Layer 2 image loading library
 Group:          System/Libraries
 Provides:       SDL2_image = %version-%release

@ -64,7 +64,7 @@ surfaces. This library supports the BMP, PPM, PCX, GIF, JPEG, PNG,
 TIFF and WEBP formats.

 %prep
-%setup -q
+%autosetup -p1
 dos2unix *.txt
 rm -rf external

@ -74,19 +74,18 @@ rm -rf external
 make %{?_smp_mflags}

 %install
-make install DESTDIR="%buildroot"
+%make_install
 rm -f "%buildroot/%_libdir"/*.la

 %post   -n %lname -p /sbin/ldconfig
 %postun -n %lname -p /sbin/ldconfig

 %files -n %lname
-%defattr(-,root,root)
-%doc CHANGES.txt COPYING.txt README.txt
+%license COPYING.txt
 %_libdir/libSDL2_image-2*.so.*

 %files -n libSDL2_image-devel
-%defattr(-,root,root)
+%doc CHANGES.txt README.txt
 %_includedir/SDL2/
 %_libdir/libSDL2_image.so
 %_libdir/pkgconfig/SDL2_image.pc