Hello community,
here is the log from the commit of package SDL_image
checked in at Sat Feb 2 00:20:39 CET 2008.
--------
--- SDL_image/SDL_image.changes 2007-12-16 21:31:43.000000000 +0100
+++ SDL_image/SDL_image.changes 2008-01-29 12:09:58.000000000 +0100
@@ -1,0 +2,10 @@
+Tue Jan 29 12:09:41 CET 2008 - prusnak@suse.cz
+
+- fix buffer overflow in LBM code (lbm-overflow.patch) [#355864]
+
+-------------------------------------------------------------------
+Fri Jan 25 12:58:25 CET 2008 - prusnak@suse.cz
+
+- fix buffer overflow in GIF code (gif-overflow.patch) [#355864]
+
+-------------------------------------------------------------------
New:
----
SDL_image-1.2.6-gif-overflow.patch
SDL_image-1.2.6-lbm-overflow.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ SDL_image.spec ++++++
--- /var/tmp/diff_new_pack.Z13743/_old 2008-02-02 00:13:00.000000000 +0100
+++ /var/tmp/diff_new_pack.Z13743/_new 2008-02-02 00:13:00.000000000 +0100
@@ -1,7 +1,7 @@
#
# spec file for package SDL_image (Version 1.2.6)
#
-# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
@@ -15,8 +15,10 @@
Url: http://www.libsdl.org/projects/SDL_image/
Summary: Simple DirectMedia Layer--Sample Image Loading Library
Version: 1.2.6
-Release: 46
+Release: 59
Source0: %{name}-%{version}.tar.bz2
+Patch0: %{name}-%{version}-gif-overflow.patch
+Patch1: %{name}-%{version}-lbm-overflow.patch
License: LGPL v2.1 or later
Group: System/Libraries
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -50,6 +52,8 @@
%prep
%setup -q
+%patch0
+%patch1
%build
%{?suse_update_config:%{suse_update_config -f }}
@@ -59,11 +63,9 @@
%install
make install DESTDIR=$RPM_BUILD_ROOT
-%post
-/sbin/ldconfig
+%post -p /sbin/ldconfig
-%postun
-/sbin/ldconfig
+%postun -p /sbin/ldconfig
%clean
rm -rf $RPM_BUILD_ROOT
@@ -80,9 +82,13 @@
%{_libdir}/lib*.so
%changelog
-* Sun Dec 16 2007 - sndirsch@suse.de
+* Tue Jan 29 2008 prusnak@suse.cz
+- fix buffer overflow in LBM code (lbm-overflow.patch) [#355864]
+* Fri Jan 25 2008 prusnak@suse.cz
+- fix buffer overflow in GIF code (gif-overflow.patch) [#355864]
+* Sun Dec 16 2007 sndirsch@suse.de
- fixed BuildRequires for SUSE < 10.2
-* Wed Jul 25 2007 - prusnak@suse.cz
+* Wed Jul 25 2007 prusnak@suse.cz
- updated to 1.2.6
* PNG and TIFF images are correctly identified even if dynamic
libraries to load them aren't available
@@ -91,59 +97,59 @@
* fixed crash in IMG_ReadXPMFromArray()
- dropped obsolete patch:
* xcfinc.diff (included in update)
-* Sun Jul 22 2007 - aj@suse.de
+* Sun Jul 22 2007 aj@suse.de
- Cleanup build requires.
-* Fri Mar 02 2007 - prusnak@suse.cz
+* Fri Mar 02 2007 prusnak@suse.cz
- cleaned specfile
-* Wed Nov 08 2006 - prusnak@suse.cz
+* Wed Nov 08 2006 prusnak@suse.cz
- increment moved outside of assignement [#218752]
-* Fri Sep 29 2006 - schwab@suse.de
+* Fri Sep 29 2006 schwab@suse.de
- Require libtiff-devel for SDL_image-devel.
-* Tue Sep 12 2006 - nadvornik@suse.cz
+* Tue Sep 12 2006 nadvornik@suse.cz
- updated to 1.2.5:
* Added support for dynamically loading libjpeg, libpng, and libtiff.
* Added gcc-fat.sh for generating Universal binaries on Mac OS X
* Added support for XV thumbnail images
* Added support for 32-bit BMP files with alpha
- fixed requires of devel subpackage [#192736]
-* Fri Mar 10 2006 - bk@suse.de
+* Fri Mar 10 2006 bk@suse.de
- SDL_image-devel: add libstdc++, gcc and gpm to Requires (.la check)
-* Mon Jan 30 2006 - coolo@suse.de
+* Mon Jan 30 2006 coolo@suse.de
- fixing BuildRequires to include png support
-* Wed Jan 25 2006 - mls@suse.de
+* Wed Jan 25 2006 mls@suse.de
- converted neededforbuild to BuildRequires
-* Tue Jul 19 2005 - nadvornik@suse.cz
+* Tue Jul 19 2005 nadvornik@suse.cz
- updated to 1.2.4
-* Sat Jan 10 2004 - adrian@suse.de
+* Sat Jan 10 2004 adrian@suse.de
- add %%run_ldconfig
-* Fri Jul 25 2003 - nadvornik@suse.cz
+* Fri Jul 25 2003 nadvornik@suse.cz
- update to 1.2.3
-* Wed Jul 03 2002 - nadvornik@suse.cz
+* Wed Jul 03 2002 nadvornik@suse.cz
- updated to 1.2.2
-* Tue Jun 11 2002 - meissner@suse.de
+* Tue Jun 11 2002 meissner@suse.de
- regenerate auto files, removed acinclude.m4 (which only contains
SDL.m4 and libtool.m4).
-* Fri May 10 2002 - ro@suse.de
+* Fri May 10 2002 ro@suse.de
- libdir fixed
-* Fri Feb 01 2002 - ro@suse.de
+* Fri Feb 01 2002 ro@suse.de
- changed neededforbuild <libpng> to <libpng-devel-packages>
-* Tue Jan 22 2002 - ro@suse.de
+* Tue Jan 22 2002 ro@suse.de
- changed neededforbuild <kdelibs-artsd> to <kdelibs3-artsd>
-* Tue Jan 08 2002 - nadvornik@suse.cz
+* Tue Jan 08 2002 nadvornik@suse.cz
- updated to 1.2.1:
- added LBM format
- fixed transparent GIF and PNG
-* Wed Aug 08 2001 - uli@suse.de
+* Wed Aug 08 2001 uli@suse.de
- fixed neededforbuild wrt SDL renaming
-* Wed Jun 20 2001 - nadvornik@suse.cz
+* Wed Jun 20 2001 nadvornik@suse.cz
- added kdelibs and kdelibs-devel to neededforbuild
-* Thu Apr 12 2001 - nadvornik@suse.cz
+* Thu Apr 12 2001 nadvornik@suse.cz
- update to 1.2.0
-* Mon Mar 26 2001 - ro@suse.de
+* Mon Mar 26 2001 ro@suse.de
- changed neededforbuild <sdl> to <sdl sdl-devel>
-* Mon Feb 19 2001 - uli@suse.de
+* Mon Feb 19 2001 uli@suse.de
- added alsa* to neededforbuild (needed by new SDL)
-* Tue Dec 05 2000 - nadvornik@suse.cz
+* Tue Dec 05 2000 nadvornik@suse.cz
- added suse_update_config
-* Tue Nov 28 2000 - nadvornik@suse.cz
+* Tue Nov 28 2000 nadvornik@suse.cz
- new package
++++++ SDL_image-1.2.6-gif-overflow.patch ++++++
--- IMG_gif.c
+++ IMG_gif.c
@@ -418,6 +418,10 @@
static int stack[(1 << (MAX_LWZ_BITS)) * 2], *sp;
register int i;
+ /* Fixed buffer overflow found by Michael Skladnikiewicz */
+ if (input_code_size > MAX_LWZ_BITS)
+ return -1;
+
if (flag) {
set_code_size = input_code_size;
code_size = set_code_size + 1;
++++++ SDL_image-1.2.6-lbm-overflow.patch ++++++
--- IMG_lbm.c
+++ IMG_lbm.c
@@ -28,6 +28,7 @@
EHB and HAM (specific Amiga graphic chip modes) support added by Marc Le Douarain
(http://www.multimania.com/mavati) in December 2003.
Stencil and colorkey fixes by David Raulo (david.raulo AT free DOT fr) in February 2004.
+ Buffer overflow fix in RLE decompression by David Raulo in January 2008.
*/
#include