diff --git a/files/security/cve-2017-2887.patch b/files/security/cve-2017-2887.patch new file mode 100644 --- /dev/null +++ b/files/security/cve-2017-2887.patch @@ -0,0 +1,33 @@ +# HG changeset patch +# User Sam Lantinga +# Date 1507329619 25200 +# Fri Oct 06 15:40:19 2017 -0700 +# Node ID 318484db0705d07d4d1f4c0a1d3d5ea69f6ba2b0 +# Parent 7ad06019831d474380fd5a63e518d21219031519 +Fixed security vulnerability in XCF image loader (thanks Yves!) + +diff -r 7ad06019831d -r 318484db0705 IMG_xcf.c +--- a/IMG_xcf.c Mon Sep 18 16:10:17 2017 -0700 ++++ b/IMG_xcf.c Fri Oct 06 15:40:19 2017 -0700 +@@ -251,6 +251,7 @@ + } + + static void xcf_read_property (SDL_RWops * src, xcf_prop * prop) { ++ Uint32 len; + prop->id = SDL_ReadBE32 (src); + prop->length = SDL_ReadBE32 (src); + +@@ -274,7 +275,12 @@ + break; + case PROP_COMPRESSION: + case PROP_COLOR: +- SDL_RWread (src, &prop->data, prop->length, 1); ++ if (prop->length > sizeof(prop->data)) { ++ len = sizeof(prop->data); ++ } else { ++ len = prop->length; ++ } ++ SDL_RWread(src, &prop->data, len, 1); + break; + case PROP_VISIBLE: + prop->data.visible = SDL_ReadBE32 (src); diff --git a/package.yml b/package.yml --- a/package.yml +++ b/package.yml @@ -1,6 +1,6 @@ name : sdl2-image version : 2.0.1 -release : 4 +release : 5 source : - https://www.libsdl.org/projects/SDL_image/release/SDL2_image-2.0.1.tar.gz : 3a3eafbceea5125c04be585373bfd8b3a18f259bd7eae3efc4e6d8e60e0d7f64 license : Zlib @@ -8,24 +8,17 @@ summary : SDL_image is an image file loading library. description: | SDL_image is an image file loading library. +emul32 : yes +optimize : speed builddeps : - - pkgconfig(libpng) - pkgconfig32(libpng) - - pkgconfig32(zlib) - - pkgconfig(libtiff-4) - pkgconfig32(libtiff-4) - - libjpeg-turbo-devel - - libjpeg-turbo-32bit-devel - - pkgconfig(libwebp) - pkgconfig32(libwebp) - - pkgconfig(sdl2) - pkgconfig32(sdl2) - - glibc-32bit-devel - - libgcc-32bit - - libstdc++-32bit -emul32 : yes -optimize : speed + - pkgconfig32(zlib) + - libjpeg-turbo-32bit-devel setup : | + %patch -p1 < $pkgfiles/security/cve-2017-2887.patch %configure --disable-static --prefix=/usr build : | %make diff --git a/pspec_x86_64.xml b/pspec_x86_64.xml --- a/pspec_x86_64.xml +++ b/pspec_x86_64.xml @@ -2,8 +2,8 @@ sdl2-image - Ikey Doherty - ikey@solus-project.com + Pierre-Yves + pyu@riseup.net Zlib multimedia.library @@ -29,7 +29,7 @@ emul32 - sdl2-image + sdl2-image /usr/lib32/lib*.so.* @@ -42,8 +42,8 @@ programming.devel - sdl2-image-32bit - sdl2-image-devel + sdl2-image-32bit + sdl2-image-devel /usr/lib32/lib*.so @@ -57,7 +57,7 @@ programming.devel - sdl2-image + sdl2-image /usr/include/ @@ -66,12 +66,12 @@ - - 2016-08-12 + + 2017-10-11 2.0.1 Packaging update - Ikey Doherty - ikey@solus-project.com + Pierre-Yves + pyu@riseup.net \ No newline at end of file