* [Buildroot] [PATCH] package/sdl2_image: security bump to version 2.8.12
@ 2026-05-30 22:41 Peter Korsgaard
2026-05-31 6:06 ` Thomas Petazzoni via buildroot
0 siblings, 1 reply; 2+ messages in thread
From: Peter Korsgaard @ 2026-05-30 22:41 UTC (permalink / raw)
To: buildroot; +Cc: Peter Thompson
Fixes the following security issue (in 2.8.10):

CVE-2026-35444: Heap buffer overflow READ via unchecked colormap index in
XCF loader

https://github.com/libsdl-org/SDL_image/security/advisories/GHSA-gq8w-x74c-h6p7

In addition, 2.8.12 includes a number of memory related bugfixes:

Fixed memory overflow with corrupt LBM image
Fixed crash when decoding an invalid XCF image
Fixed out of bound read in GIF decoder

Update hash of license file for change of copyright year with:
https://github.com/libsdl-org/SDL_image/commit/281b4ebcb02b106995a0c7fc21f689c160d3fefd

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/sdl2_image/sdl2_image.hash | 4 ++--
package/sdl2_image/sdl2_image.mk | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package/sdl2_image/sdl2_image.hash b/package/sdl2_image/sdl2_image.hash
index 9d5ae395cd..16b78fea11 100644
--- a/package/sdl2_image/sdl2_image.hash
+++ b/package/sdl2_image/sdl2_image.hash
@@ -1,3 +1,3 @@
# Locally calculated
-sha256 f7c06a8783952cfe960adccdd3d8472b63ab31475b4390d10cfdcc1aea61238f SDL2_image-2.8.4.tar.gz
-sha256 a0e8ce06504966e45088ee1cc7583cc8af9aac615d4cf56d47d847da9cb15139 LICENSE.txt
+sha256 393f5efb50536ec13ca4f4affb69cc9966d3c3f969e6c5e701faddf9f9785381 SDL2_image-2.8.12.tar.gz
+sha256 7826eca0a0f7e591f38dd844e207a200aac81a59b20d8a30c3af8c6282af13e6 LICENSE.txt
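
Review bot: The new SDL2_image-2.8.12.tar.gz line keeps the "# Locally calculated" comment, so this sha256 is the only integrity reference for the tarball and nothing in the hunk says what it was checked against. If upstream publishes a signature or checksum for the release, verify against it and say so in the comment; otherwise a second person should recompute the hash independently before relying on it. The LICENSE.txt hash change is accounted for by the copyright-year commit cited in the commit message.
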
diff --git a/package/sdl2_image/sdl2_image.mk b/package/sdl2_image/sdl2_image.mk
index e058cd9f74..b31afa0f08 100644
--- a/package/sdl2_image/sdl2_image.mk
+++ b/package/sdl2_image/sdl2_image.mk
@@ -4,7 +4,7 @@
#
################################################################################
-SDL2_IMAGE_VERSION = 2.8.4
+SDL2_IMAGE_VERSION = 2.8.12
SDL2_IMAGE_SOURCE = SDL2_image-$(SDL2_IMAGE_VERSION).tar.gz
SDL2_IMAGE_SITE = http://www.libsdl.org/projects/SDL_image/release
SDL2_IMAGE_INSTALL_STAGING = YES
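
Review bot: The SDL2_IMAGE_VERSION line jumps from 2.8.4 to 2.8.12, but the commit message only describes the CVE fix in 2.8.10 and the 2.8.12 bugfixes, so the releases in between are not covered. Please confirm that none of them changes build options or dependencies that the rest of this .mk file would need to follow. Separately, the unchanged SDL2_IMAGE_SITE context line still uses http://; switching it to https:// is worth doing in a security bump if the host supports it.
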
--
2.47.3
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH] package/sdl2_image: security bump to version 2.8.12
2026-05-30 22:41 [Buildroot] [PATCH] package/sdl2_image: security bump to version 2.8.12 Peter Korsgaard
@ 2026-05-31 6:06 ` Thomas Petazzoni via buildroot
0 siblings, 0 replies; 2+ messages in thread
From: Thomas Petazzoni via buildroot @ 2026-05-31 6:06 UTC (permalink / raw)
To: Peter Korsgaard; +Cc: buildroot, Peter Thompson
On Sun, May 31, 2026 at 12:41:42AM +0200, Peter Korsgaard wrote:
> Fixes the following security issue (in 2.8.10):
>
> CVE-2026-35444: Heap buffer overflow READ via unchecked colormap index in
> XCF loader
>
> https://github.com/libsdl-org/SDL_image/security/advisories/GHSA-gq8w-x74c-h6p7
>
> In addition, 2.8.12 includes a number of memory related bugfixes:
>
> Fixed memory overflow with corrupt LBM image
> Fixed crash when decoding an invalid XCF image
> Fixed out of bound read in GIF decoder
>
> Update hash of license file for change of copyright year with:
> https://github.com/libsdl-org/SDL_image/commit/281b4ebcb02b106995a0c7fc21f689c160d3fefd
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Applied to master, thanks!
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com