Accepting request 1302932 from devel:libraries:c_c++

- add 0001-Fix-a-heap-buffer-overflow-problem-reported-by-err2z.patch
  (bsc#1248454, CVE-2025-9300)

OBS-URL: https://build.opensuse.org/request/show/1302932
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libsixel?expand=0&rev=3

0001-Fix-a-heap-buffer-overflow-problem-reported-by-err2z.patch

@@ -0,0 +1,18 @@
+From 316c086e79d66b62c0c4bc66229ee894e4fdb7d1 Mon Sep 17 00:00:00 2001
+From: Hayaki Saito <saitoha@me.com>
+Date: Tue, 12 Aug 2025 21:30:24 +0900
+Subject: [PATCH] Fix a heap-buffer-overflow problem reported by @err2zero
+
+--- a/src/encoder.c
++++ b/src/encoder.c
+@@ -744,9 +744,9 @@ sixel_debug_print_palette(
+     fprintf(stderr, "palette:\n");
+     for (i = 0; i < sixel_dither_get_num_of_palette_colors(dither); ++i) {
+         fprintf(stderr, "%d: #%02x%02x%02x\n", i,
++                palette[i * 3 + 0],
+                 palette[i * 3 + 1],
+-                palette[i * 3 + 2],
+-                palette[i * 3 + 3]);
++                palette[i * 3 + 2]);
+     }
+ }

libsixel-1.10.3.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:028552eb8f2a37c6effda88ee5e8f6d87b5d9601182ddec784a9728865f821e0
-size 4272940

libsixel-1.10.5.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b6654928bd423f92e6da39eb1f40f10000ae2cc6247247fc1882dcff6acbdfc8
+size 4286415

libsixel.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Fri Sep  5 12:46:55 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- add 0001-Fix-a-heap-buffer-overflow-problem-reported-by-err2z.patch
+  (bsc#1248454, CVE-2025-9300)
+
+-------------------------------------------------------------------
+Thu Feb 27 20:25:06 UTC 2025 - Enrico Belleri <kilgore.trout@idesmi.eu>
+
+- Update to version 1.10.5:
+  * Some bugfixes and protective mechanisms
+- Drop static-libs.patch
+
 -------------------------------------------------------------------
 Fri Feb 18 23:14:42 UTC 2022 - Jan Engelhardt <jengelh@inai.de>
 

libsixel.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libsixel
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
 
 %define _sover 1
 Name:           libsixel
-Version:        1.10.3
+Version:        1.10.5
 Release:        0
 Summary:        SIXEL encoder/decoder
 License:        MIT
@@ -26,7 +26,8 @@ Group:          Development/Libraries/C and C++
 URL:            https://github.com/libsixel/libsixel
 Source:         https://github.com/libsixel/libsixel/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Patch0:         meson.patch
-Patch1:         static-libs.patch
+# CVE-2025-9300
+Patch1:         0001-Fix-a-heap-buffer-overflow-problem-reported-by-err2z.patch
 BuildRequires:  bash
 BuildRequires:  meson
 BuildRequires:  pkgconfig

meson.patch

@@ -2,11 +2,11 @@
  meson.build |   20 ++++++++++----------
  1 file changed, 10 insertions(+), 10 deletions(-)
 
-Index: b/meson.build
+Index: libsixel-1.10.5/meson.build
 ===================================================================
---- a/meson.build
-+++ b/meson.build
-@@ -27,7 +27,7 @@ if cc.compiles('''
+--- libsixel-1.10.5.orig/meson.build
++++ libsixel-1.10.5/meson.build
+@@ -25,7 +25,7 @@ if cc.compiles('''
      #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
      __attribute__((deprecated)) void test(void) {}
  ''')
@@ -15,57 +15,3 @@ Index: b/meson.build
  endif
  
  c_args = [
-@@ -101,24 +101,24 @@ pymod = import('python')
- python2_installation = pymod.find_installation('python2', required: get_option('python2'))
- 
- if get_option('libcurl').enabled() and curl_found.found()
--  conf_data.set('HAVE_LIBCURL', true)
-+  conf_data.set('HAVE_LIBCURL', 1)
-   libsixel_deps += [curl_found]
- endif
- 
--if get_option('jpeg').enabled() and jpeg_found
--  conf_data.set('HAVE_JPEG', true)
-+if get_option('jpeg').enabled() and jpeg_found.found()
-+  conf_data.set('HAVE_JPEG', 1)
-   libsixel_deps += [jpeg_found]
- endif
- 
--if get_option('png').enabled() and png_found
--  conf_data.set('HAVE_PNG', true)
-+if get_option('png').enabled() and png_found.found()
-+  conf_data.set('HAVE_PNG', 1)
-   libsixel_deps += [png_found]
- endif
- 
- loaders = ['stb-image']
- 
- if get_option('gd').enabled() and gd_found.found()
--  conf_data.set('HAVE_GD', true)
-+  conf_data.set('HAVE_GD', 1)
-   libsixel_deps += [gd_found]
-   loaders += ['gd']
- 
-@@ -132,19 +132,19 @@ if get_option('gd').enabled() and gd_fou
- 
-   foreach f : gd_funcs
-     if cc.has_function(f, dependencies: gd_found)
--      conf_data.set('HAVE_DECL_@0@'.format(f.to_upper()), true)
-+      conf_data.set('HAVE_DECL_@0@'.format(f.to_upper()), 1)
-     endif
-   endforeach
- endif
- 
- if get_option('gdk-pixbuf2').enabled() and gdkpixbuf2_found.found()
--  conf_data.set('HAVE_GDK_PIXBUF2', true)
-+  conf_data.set('HAVE_GDK_PIXBUF2', 1)
-   libsixel_deps += [gdkpixbuf2_found]
-   loaders += ['gdk-pixbuf2']
- endif
- 
- if have_getopt_long
--  conf_data.set('HAVE_GETOPT_LONG', true)
-+  conf_data.set('HAVE_GETOPT_LONG', 1)
- endif
- 
- configure_file(output: 'config.h', configuration: conf_data)

static-libs.patch

@@ -1,17 +0,0 @@
----
- src/meson.build |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: b/src/meson.build
-===================================================================
---- a/src/meson.build
-+++ b/src/meson.build
-@@ -21,7 +21,7 @@ sources = [
-   'writer.c'
- ]
- 
--libsixel = both_libraries('sixel',
-+libsixel = shared_library('sixel',
-   sources,
-   include_directories: [inc, inc_config],
-   dependencies: libsixel_deps,