security update: devel/sdl2-image-2.0.5


Thomas Frohwein-2
Hi,

Below is the diff to update sdl2-image to 2.0.5. As is typical for this
port, there's a bunch of security issues addressed with this update:

   TALOS-2019-0820 (CVE-2019-5051)
   TALOS-2019-0821 (CVE-2019-5052)
   TALOS-2019-0841
   TALOS-2019-0842
   TALOS-2019-0843
   TALOS-2019-0844

(0841 through 0844 are apparently undisclosed zeroday vulns per [1].)

I also updated external libs to libpng 1.6.32 and libwebp 1.0.2. Our
libwebp port however is only 1.0.0. Nonetheless, I didn't encounter any
issues during (limited) testing of the consumers.

I identified all consumers via sqlports.
Tested the following consumers briefly without any issues:

games/barony
games/blobwars
games/cataclysm-dda
games/chromium-bsu
games/colobot/colobot
games/flare
games/fnaify
games/freedink
games/freeserf
games/hedgewars
games/koboredux
games/manaplus
games/mirrormagic
games/pioneer
games/redeclipse
games/rocksndiamonds
games/sdlpop
games/solarus (tested with zsdx)
games/starfighter
games/stone-soup
games/supertux
games/tbftss
games/tome4
games/wesnoth
games/widelands
graphics/grafx2
sysutils/gource

I didn't test the following consumers because of lack of required data
files:

games/fifechan
games/fifengine
x11/cegui
sysutils/logstalgia

No change to lib version because check_sym:

/usr/local/lib/libSDL2_image.so.0.1 --> /usr/ports/pobj/sdl2-image-2.0.5/SDL2_image-2.0.5/.libs/libSDL2_image.so.0.2
No dynamic export changes

Official release notes can be found at [2].
Update license marker while here.

ok?

OK to also backport this to -stable?

[1] https://www.talosintelligence.com/vulnerability_info
[2] https://www.libsdl.org/projects/SDL_image/

Index: Makefile
===================================================================
RCS file: /cvs/ports/devel/sdl2-image/Makefile,v
retrieving revision 1.12
diff -u -p -r1.12 Makefile
--- Makefile 17 May 2019 16:45:25 -0000 1.12
+++ Makefile 11 Jul 2019 19:24:46 -0000
@@ -1,11 +1,10 @@
 # $OpenBSD: Makefile,v 1.12 2019/05/17 16:45:25 sthen Exp $
 
-V = 2.0.4
+V = 2.0.5
 COMMENT = SDL2 image library
 DISTNAME = SDL2_image-${V}
 PKGNAME = sdl2-image-${V}
 CATEGORIES = devel graphics
-REVISION = 0
 
 SHARED_LIBS += SDL2_image 0.1 # 0.4
 
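Review bot: dropping `REVISION = 0` alongside the `V = 2.0.5` bump is correct, since a new upstream version resets the package revision. `SHARED_LIBS += SDL2_image 0.1 # 0.4` is deliberately left alone, which matches the check_sym result quoted in the mail (no dynamic export changes); if the trailing `# 0.4` records the upstream version the library number was last verified against, consider updating it to `# 0.5` in the same commit so the next updater can see the check was done for this release.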
@@ -14,12 +13,11 @@ HOMEPAGE = https://www.libsdl.org/projec
 MAINTAINER = Thomas Frohwein <[hidden email]>
 
 # zlib
-PERMIT_PACKAGE_CDROM = Yes
+PERMIT_PACKAGE = Yes
 
 WANTLIB += SDL2 jpeg m png pthread samplerate sndio tiff usbhid webp z
 
 MASTER_SITES = https://www.libsdl.org/projects/SDL_image/release/
-
 
 LIB_DEPENDS = devel/sdl2>=2.0.8 \
  graphics/jpeg \
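Review bot: the `PERMIT_PACKAGE_CDROM` to `PERMIT_PACKAGE` change is a license-marker cleanup unrelated to the security fix; it is fine for -current, but the -stable backport should keep the original `PERMIT_PACKAGE_CDROM = Yes` line (as the OK below also says), so this hunk needs to be dropped or adjusted when committing to the stable branch. The removal of the stray blank line after `MASTER_SITES` is cosmetic and harmless.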
Index: distinfo
===================================================================
RCS file: /cvs/ports/devel/sdl2-image/distinfo,v
retrieving revision 1.4
diff -u -p -r1.4 distinfo
--- distinfo 20 Jan 2019 23:37:36 -0000 1.4
+++ distinfo 11 Jul 2019 19:24:46 -0000
@@ -1,2 +1,2 @@
-SHA256 (SDL2_image-2.0.4.tar.gz) = 507EnCQC6yQvv6FvL0OhlYKnTC6r+/uHPwDUJQA4zqw=
-SIZE (SDL2_image-2.0.4.tar.gz) = 11682695
+SHA256 (SDL2_image-2.0.5.tar.gz) = vdX24CZoL31+G+C2BRsgnaL0AqLdi9HEvZwlrSYxCNA=
+SIZE (SDL2_image-2.0.5.tar.gz) = 11736518
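Review bot: the new SHA256 and SIZE should be cross-checked against the checksum upstream publishes for SDL2_image-2.0.5.tar.gz rather than taken on trust from whatever `make makesum` fetched, since for a security update the distfile pulled from MASTER_SITES is the one artifact a swapped tarball would target; the distinfo hash is base64-encoded, so convert upstream's hex digest before comparing.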

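The check_sym step in the mail (compare the installed libSDL2_image.so.0.1 against the freshly built .so.0.2 and leave SHARED_LIBS alone when the dynamic exports are unchanged) as an added example, not code from this thread or from the OpenBSD ports tree: a small Python script that parses `nm -D` output for an old and a new build, ignores imports, and classifies the change under the usual shared-library rule that removed interfaces need a major bump, purely added ones a minor bump, and an identical export list no bump at all. The sample `nm -D` output, the symbol lists in it, and the helper names `parse_nm_dynamic`, `dynamic_exports` and `classify_change` are constructed for this example; the script assumes a binutils-style `nm` that accepts `-D`.

```python
"""Classify a shared-library export change from `nm -D` output.

Added example (not from the mailing-list thread or the OpenBSD ports tree).
Mirrors the idea behind check_sym: diff the dynamic exports of the installed
library against the newly built one and decide whether SHARED_LIBS needs a
bump. A symbol whose signature changed but whose name did not is invisible
here, so this is a first filter, not a proof of ABI compatibility.
"""
import subprocess

# Constructed `nm -D` output for a hypothetical old and new build.
# Undefined references ("U") and weak-undefined ones ("w") are imports,
# not exports, and must not count as interface changes.
OLD_NM_OUTPUT = """\
0000000000001230 T IMG_Init
0000000000001290 T IMG_Load
0000000000001310 T IMG_Load_RW
0000000000001400 T IMG_Quit
                 U SDL_RWFromFile
                 w __cxa_finalize
"""
NEW_NM_OUTPUT = """\
0000000000001240 T IMG_Init
0000000000001300 T IMG_Load
0000000000001320 T IMG_Load_RW
0000000000001410 T IMG_Quit
0000000000001500 T IMG_isPNG
                 U SDL_RWFromFile
"""


def parse_nm_dynamic(text):
    """Return the set of defined, exported symbol names from `nm -D` output."""
    exports = set()
    for line in text.splitlines():
        parts = line.split()
        # Defined symbols have three fields: address, type letter, name.
        # Undefined entries have no address and therefore only two fields.
        if len(parts) != 3:
            continue
        _addr, kind, name = parts
        if kind in ("U", "w"):
            continue
        exports.add(name)
    return exports


def dynamic_exports(path):
    """Run `nm -D` on a real shared object (assumption: binutils-style nm)."""
    proc = subprocess.run(["nm", "-D", path], check=True,
                          capture_output=True, text=True)
    return parse_nm_dynamic(proc.stdout)


def classify_change(old_exports, new_exports):
    """Apply the usual rule: removed symbols -> major bump,
    only additions -> minor bump, identical export list -> no bump."""
    removed = sorted(old_exports - new_exports)
    added = sorted(new_exports - old_exports)
    if removed:
        bump = "major"
    elif added:
        bump = "minor"
    else:
        bump = "none"
    return {"bump": bump, "added": added, "removed": removed}


if __name__ == "__main__":
    # Stand-alone run over the constructed samples; pass two library paths
    # to dynamic_exports() instead to compare real builds.
    old = parse_nm_dynamic(OLD_NM_OUTPUT)
    new = parse_nm_dynamic(NEW_NM_OUTPUT)
    print(classify_change(old, new))
```

Running the constructed samples reports a minor bump because `IMG_isPNG` was added and nothing was removed; the case in the mail, where the two export sets are identical, yields `"none"`, which is exactly the justification for leaving `SHARED_LIBS` at 0.1.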

Re: security update: devel/sdl2-image-2.0.5

Stuart Henderson
On 2019/07/11 14:03, Thomas Frohwein wrote:

> Hi,
>
> Below is the diff to update sdl2-image to 2.0.5. Like typical for this
> port, there's a bunch of security issues addressed with this update:
>
>    TALOS-2019-0820 (CVE-2019-5051)
>    TALOS-2019-0821 (CVE-2019-5052)
>    TALOS-2019-0841
>    TALOS-2019-0842
>    TALOS-2019-0843
>    TALOS-2019-0844
>
> (0841 through 0844 are apparently undisclosed zeroday vulns per [1].)

OK sthen@, also OK for stable with the original PERMIT_PACKAGE_CDROM line.