Hi,

Please find below the security update to sdl2-image 2.0.4. It fixes the TALOS-2018-0645 code execution vulnerability where a specially crafted XCF image can cause a heap overflow [1]. Official release notes [2] are short, as is the commit history [3]. The latter also mentions an update to the libwebp version.

port-lib-depends-check also revealed that this now links libpng16 instead of libpng.

Brief testing done with most of the sdl2-image consumers. No issue observed with any of them except for supertux and that doesn't seem due to sdl2-image: With supertux I get the following error on start:

[FATAL] /usr/obj/ports/supertux-0.5.1/SuperTux-v0.5.1-Source/src/supertux/main.cpp:510 Unexpected exception: Couldn't open 'images/engine/icons/supertux-256x256.png': not found

This also occurs with sdl2-image-2.0.3p0. This file exists in /usr/local/share/supertux2/images/engine/icons/supertux-256x256.png. Running supertux2 from /usr/local/share/supertux2/ doesn't fix it. With this being the only noticeable issue, I highly doubt that sdl2-image is the problem. CC'd maintainer.

I'm planning to add a CVE entry to quirks after this is committed if that's okay.

ok?

[1] https://talosintelligence.com/vulnerability_reports/TALOS-2018-0645
[2] https://discourse.libsdl.org/t/sdl-image-2-0-4-released/25226
[3] https://hg.libsdl.org/SDL_image/log/b4519566edd3

Index: Makefile =================================================================== RCS file: /cvs/ports/devel/sdl2-image/Makefile,v retrieving revision 1.9 diff -u -p -r1.9 Makefile --- Makefile 11 Mar 2018 22:42:00 -0000 1.9 +++ Makefile 19 Jan 2019 05:46:58 -0000 
@@ -1,25 +1,26 @@ # $OpenBSD: Makefile,v 1.9 2018/03/11 22:42:00 sthen Exp $ -V = 2.0.3 +V = 2.0.4 COMMENT = SDL2 image library DISTNAME = SDL2_image-${V} PKGNAME = sdl2-image-${V} CATEGORIES = devel graphics -SHARED_LIBS += SDL2_image 0.1 # 0.3 +SHARED_LIBS += SDL2_image 0.2 # 0.4 HOMEPAGE = https://www.libsdl.org/projects/SDL_image/ -MAINTAINER = Thomas Frohwein <[email protected]> +MAINTAINER = Thomas Frohwein <[email protected]> # zlib PERMIT_PACKAGE_CDROM = Yes MASTER_SITES = https://www.libsdl.org/projects/SDL_image/release/ -WANTLIB += SDL2 jpeg m png pthread sndio tiff usbhid webp z samplerate +WANTLIB += SDL2 jpeg m png16 pthread sndio tiff usbhid webp z samplerate -LIB_DEPENDS = devel/sdl2>=2.0.8 \ +LIB_DEPENDS = audio/libsamplerate \ + devel/sdl2>=2.0.9 \ graphics/jpeg \ graphics/libwebp \ graphics/png \ Index: distinfo =================================================================== RCS file: /cvs/ports/devel/sdl2-image/distinfo,v retrieving revision 1.3 diff -u -p -r1.3 distinfo --- distinfo 11 Mar 2018 22:42:00 -0000 1.3 +++ distinfo 19 Jan 2019 05:46:58 -0000 @@ -1,2 +1,2 @@ -SHA256 (SDL2_image-2.0.3.tar.gz) = NRDCXac1/82M47ZQcxUP9Pf5STuGboW4NzgIO1VtI2g= -SIZE (SDL2_image-2.0.3.tar.gz) = 8685512 +SHA256 (SDL2_image-2.0.4.tar.gz) = 507EnCQC6yQvv6FvL0OhlYKnTC6r+/uHPwDUJQA4zqw= +SIZE (SDL2_image-2.0.4.tar.gz) = 11682695 Index: patches/patch-Makefile_in =================================================================== RCS file: /cvs/ports/devel/sdl2-image/patches/patch-Makefile_in,v retrieving revision 1.2 diff -u -p -r1.2 patch-Makefile_in --- patches/patch-Makefile_in 11 Mar 2018 22:42:00 -0000 1.2 +++ patches/patch-Makefile_in 19 Jan 2019 05:46:58 -0000 @@ -2,7 +2,7 @@ $OpenBSD: patch-Makefile_in,v 1.2 2018/0 Index: Makefile.in --- Makefile.in.orig +++ Makefile.in -@@ -442,12 +442,10 @@ EXTRA_DIST = \ +@@ -463,12 +463,10 @@ EXTRA_DIST = \ @USE_VERSION_RC_FALSE@libSDL2_image_la_LDFLAGS = \ @USE_VERSION_RC_FALSE@ -no-undefined \
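Review bot: on the Makefile hunk, the SHARED_LIBS change from 0.1 to 0.2 is a minor bump, which is only right if no symbol was removed or changed between 2.0.3 and 2.0.4; please confirm with a symbol comparison of the old and new libSDL2_image.so before committing, since a removed symbol would call for a major bump instead. The WANTLIB move from png to png16 matches the port-lib-depends-check result in the mail, and adding audio/libsamplerate to LIB_DEPENDS closes a pre-existing gap, as samplerate was already listed in WANTLIB without a matching LIB_DEPENDS entry. The reason devel/sdl2>=2.0.9 is now required is not stated anywhere in the mail; a sentence in the commit log would help. Note that the hunk is cut off after "graphics/png \", so the rest of the LIB_DEPENDS list cannot be reviewed from this mail.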
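Review bot: on the distinfo hunk, since this update ships a security fix, the new SHA256 value should be cross-checked against the checksum upstream publishes for the 2.0.4 release rather than only against the tarball fetched from MASTER_SITES, so that a tampered distfile cannot be recorded as the canonical hash. The SIZE line grows from 8685512 to 11682695 bytes; the mail says the upstream commit history mentions a libwebp update, and if that is what accounts for the roughly 3 MB increase it is worth one sentence in the commit message.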
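Review bot: on the patches/patch-Makefile_in hunk, the only change visible is the inner hunk header moving from "-442,12 +442,10" to "-463,12 +463,10", so this looks like a plain "make update-patches" regeneration of a patch that removes two lines from the libSDL2_image_la_LDFLAGS block; because the mail is cut off after the "-no-undefined \" context line, please confirm that the body of patch-Makefile_in is otherwise unchanged and that it still applies without fuzz to the 2.0.4 Makefile.in. If the two removed lines are libtool versioning arguments, the SHARED_LIBS line in the port Makefile is what controls the installed library version, which is consistent with the bump in the first hunk.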
