openSUSE Security Update: Security update for SDL_image ______________________________________________________________________________ Announcement ID: openSUSE-SU-2019:2109-1 Rating: moderate References: #1124827 #1140421 #1141844 #1143763 #1143764 #1143766 #1143768 Cross-References: CVE-2019-13616 CVE-2019-5052 CVE-2019-5057 CVE-2019-5058 CVE-2019-5059 CVE-2019-5060 CVE-2019-7635 Affected Products: openSUSE Backports SLE-15-SP1 openSUSE Backports SLE-15 ______________________________________________________________________________ An update that fixes 7 vulnerabilities is now available. Description: This update for SDL_image fixes the following issues: Update SDL_Image to new snapshot 1.2.12+hg695. Security issues fixed: * TALOS-2019-0821 CVE-2019-5052: exploitable integer overflow vulnerability when loading a PCX file (boo#1140421) * TALOS-2019-0841 CVE-2019-5057: code execution vulnerability in the PCX image-rendering functionality of SDL2_image (boo#1143763) * TALOS-2019-0842 CVE-2019-5058: heap overflow in XCF image rendering can lead to code execution (boo#1143764) * TALOS-2019-0843 CVE-2019-5059: heap overflow in XPM image handling (boo#1143766) * TALOS-2019-0844 CVE-2019-5060: integer overflow in the XPM image (boo#1143768) * CVE-2019-7635: heap-based buffer over-read in Blit1to4 in video/SDL_blit_1.c (boo#1124827) * CVE-2019-13616: fix heap buffer overflow when reading a crafted bmp file (boo#1141844). This update was imported from the openSUSE:Leap:15.0:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP1: zypper in -t patch openSUSE-2019-2109=1 - openSUSE Backports SLE-15: zypper in -t patch openSUSE-2019-2109=1 Package List: - openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64): SDL_image-debugsource-1.2.12+hg695-bp151.4.3.1 libSDL_image-1_2-0-1.2.12+hg695-bp151.4.3.1 libSDL_image-1_2-0-debuginfo-1.2.12+hg695-bp151.4.3.1 libSDL_image-devel-1.2.12+hg695-bp151.4.3.1 - openSUSE Backports SLE-15-SP1 (aarch64_ilp32): libSDL_image-1_2-0-64bit-1.2.12+hg695-bp151.4.3.1 libSDL_image-1_2-0-64bit-debuginfo-1.2.12+hg695-bp151.4.3.1 libSDL_image-devel-64bit-1.2.12+hg695-bp151.4.3.1 - openSUSE Backports SLE-15 (aarch64 ppc64le s390x x86_64): libSDL_image-1_2-0-1.2.12+hg695-bp150.3.3.1 libSDL_image-devel-1.2.12+hg695-bp150.3.3.1 - openSUSE Backports SLE-15 (aarch64_ilp32): libSDL_image-1_2-0-64bit-1.2.12+hg695-bp150.3.3.1 libSDL_image-devel-64bit-1.2.12+hg695-bp150.3.3.1 References: https://www.suse.com/security/cve/CVE-2019-13616.html https://www.suse.com/security/cve/CVE-2019-5052.html https://www.suse.com/security/cve/CVE-2019-5057.html https://www.suse.com/security/cve/CVE-2019-5058.html https://www.suse.com/security/cve/CVE-2019-5059.html https://www.suse.com/security/cve/CVE-2019-5060.html https://www.suse.com/security/cve/CVE-2019-7635.html https://bugzilla.suse.com/1124827 https://bugzilla.suse.com/1140421 https://bugzilla.suse.com/1141844 https://bugzilla.suse.com/1143763 https://bugzilla.suse.com/1143764 https://bugzilla.suse.com/1143766 https://bugzilla.suse.com/1143768 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org