[Buildroot] [PATCH 2/2] sdl2_image: security bump to version 2.0.3

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 2/2] sdl2_image: security bump to version 2.0.3
Date: Mon, 30 Apr 2018 14:04:59 +0200	[thread overview]
Message-ID: <20180430120459.8438-2-peter@korsgaard.com> (raw)
In-Reply-To: <20180430120459.8438-1-peter@korsgaard.com>

Fixes the following security issues:

CVE-2017-12122: An exploitable code execution vulnerability exists in the
ILBM image rendering functionality of SDL2_image-2.0.2.  A specially crafted
ILBM image can cause a heap overflow resulting in code execution.  An
attacker can display a specially crafted image to trigger this
vulnerability.

CVE-2017-14440: An exploitable code execution vulnerability exists in the
ILBM image rendering functionality of SDL2_image-2.0.2.  A specially crafted
ILBM image can cause a stack overflow resulting in code execution.  An
attacker can display a specially crafted image to trigger this
vulnerability.

CVE-2017-14441: An exploitable code execution vulnerability exists in the
ICO image rendering functionality of SDL2_image-2.0.2.  A specially crafted
ICO image can cause an integer overflow, cascading to a heap overflow
resulting in code execution.  An attacker can display a specially crafted
image to trigger this vulnerability.

CVE-2017-14442: An exploitable code execution vulnerability exists in the
BMP image rendering functionality of SDL2_image-2.0.2.  A specially crafted
BMP image can cause a stack overflow resulting in code execution.  An
attacker can display a specially crafted image to trigger this
vulnerability.

CVE-2017-14448: An exploitable code execution vulnerability exists in the
XCF image rendering functionality of SDL2_image-2.0.2.  A specially crafted
XCF image can cause a heap overflow resulting in code execution.  An
attacker can display a specially crafted image to trigger this
vulnerability.

CVE-2017-14449: A double-Free vulnerability exists in the XCF image
rendering functionality of SDL2_image-2.0.2.  A specially crafted XCF image
can cause a Double-Free situation to occur.  An attacker can display a
specially crafted image to trigger this vulnerability.

CVE-2017-14450: A buffer overflow vulnerability exists in the GIF image
parsing functionality of SDL2_image-2.0.2.  A specially crafted GIF image
can lead to a buffer overflow on a global section.  An attacker can display
an image to trigger this vulnerability.

For details, see the announcement:

https://discourse.libsdl.org/t/sdl-image-2-0-3-released/23958

Also add a hash for the license file while we're at it.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/sdl2_image/sdl2_image.hash | 3 ++-
 package/sdl2_image/sdl2_image.mk   | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/package/sdl2_image/sdl2_image.hash b/package/sdl2_image/sdl2_image.hash
index 26d0a88cb5..cf3253526c 100644
--- a/package/sdl2_image/sdl2_image.hash
+++ b/package/sdl2_image/sdl2_image.hash
@@ -1,2 +1,3 @@
 # Locally calculated
-sha256 3a3eafbceea5125c04be585373bfd8b3a18f259bd7eae3efc4e6d8e60e0d7f64  SDL2_image-2.0.1.tar.gz
+sha256 3510c25da735ffcd8ce3b65073150ff4f7f9493b866e85b83738083b556d2368  SDL2_image-2.0.3.tar.gz
+sha256 13240ed78c8726c510b9634976430d3d3a9ea2d1ced3214119766e9e71568a35  COPYING.txt
diff --git a/package/sdl2_image/sdl2_image.mk b/package/sdl2_image/sdl2_image.mk
index 71a9634023..8c1c5f6e1a 100644
--- a/package/sdl2_image/sdl2_image.mk
+++ b/package/sdl2_image/sdl2_image.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-SDL2_IMAGE_VERSION = 2.0.1
+SDL2_IMAGE_VERSION = 2.0.3
 SDL2_IMAGE_SOURCE = SDL2_image-$(SDL2_IMAGE_VERSION).tar.gz
 SDL2_IMAGE_SITE = http://www.libsdl.org/projects/SDL_image/release
 SDL2_IMAGE_INSTALL_STAGING = YES
-- 
2.11.0

next prev parent reply	other threads:[~2018-04-30 12:04 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-04-30 12:04 [Buildroot] [PATCH 1/2] sdl2: bump version to 2.0.8 Peter Korsgaard
2018-04-30 12:04 ` Peter Korsgaard [this message]
2018-05-01  7:33   ` [Buildroot] [PATCH 2/2] sdl2_image: security bump to version 2.0.3 Peter Korsgaard
2018-04-30 15:41 ` [Buildroot] [PATCH 1/2] sdl2: bump version to 2.0.8 Thomas Petazzoni
2018-05-01  7:33 ` Peter Korsgaard

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:26d0a88cb dfblob:cf3253526 dfblob:71a963402 dfblob:8c1c5f6e1 )
 OR (
bs:"[Buildroot] [PATCH 2/2] sdl2_image: security bump to version 2.0.3" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180430120459.8438-2-peter@korsgaard.com \
    --to=peter@korsgaard.com \
    --cc=buildroot@busybox.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.