Fedora has issued an advisory on October 15:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C7QAEI2QV3QGJR5OS43R5U3U47LAHQRO/

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Source RPM: sdl2_image-2.0.1-1.mga6.src.rpm => sdl2_image-2.0.1-1.mga6, , mingw-SDL2_image-2.0.1-2.mga6
Source RPM: sdl2_image-2.0.1-1.mga6, , mingw-SDL2_image-2.0.1-2.mga6 => sdl2_image-2.0.1-1.mga6, mingw-SDL2_image-2.0.1-2.mga6
Fixed in Cauldron.

As for bug 21882, there is no mingw-SDL2_image in Mageia 5, so there I only need to patch sdl2.

Advisory:
=========

Updated SDL2_image packages fix security vulnerability

  An exploitable buffer overflow vulnerability exists in the XCF property
  handling functionality of SDL_image 2.0.1. A specially crafted xcf file can
  cause a stack-based buffer overflow resulting in potential code execution.
  An attacker can provide a specially crafted XCF file to trigger this
  vulnerability (CVE-2017-2887).

References:
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C7QAEI2QV3QGJR5OS43R5U3U47LAHQRO/

RPMs in core/updates_testing:
=============================

- mga5:
libsdl2_image2.0_0-2.0.0-4.1.mga5
libsdl2_image-devel-2.0.0-4.1.mga5
libsdl2_image-static-devel-2.0.0-4.1.mga5
libsdl2_image2.0_0-test-2.0.0-4.1.mga5

- mga6:
libsdl2_image2.0_0-2.0.1-1.1.mga6
libsdl2_image-devel-2.0.1-1.1.mga6
libsdl2_image-static-devel-2.0.1-1.1.mga6
libsdl2_image2.0_0-test-2.0.1-1.1.mga6
mingw32-SDL2_image-2.0.1-2.1.mga6
mingw64-SDL2_image-2.0.1-2.1.mga6

SRPMs in core/updates_testing:
==============================

- mga5:
sdl2_image-2.0.0-4.1.mga5

- mga6:
sdl2_image-2.0.1-1.1.mga6
mingw-SDL2_image-2.0.1-2.1.mga6

Testing procedure:
==================

Same as bug 21882, testing applications using SDL2_image for basic functionality should suffice. The patched vulnerability affects XCF support (the GIMP project format), but I don't know which of those applications might be using it, if any.
$ urpmf --requires :.*(SDL|sdl)2_image --synthesis /tmp/synthesis.hdlist.cz | sort
blobwars:pkgconfig(SDL2_image)
caveexpress:pkgconfig(SDL2_image)
cdogs-sdl:pkgconfig(SDL2_image)
chromium-bsu:pkgconfig(SDL2_image)
colobot:pkgconfig(SDL2_image)
commandergenius:pkgconfig(SDL2_image)
crawl:pkgconfig(SDL2_image)
fifechan:pkgconfig(SDL2_image)
fife:pkgconfig(SDL2_image)
gambas3:pkgconfig(SDL2_image)
gource:pkgconfig(SDL2_image)
keeperrl:pkgconfig(SDL2_image)
naev:pkgconfig(SDL2_image)
neverball:sdl2_image-devel
noteye:pkgconfig(SDL2_image)
numptyphysics:pkgconfig(SDL2_image)
pioneerspacesim:pkgconfig(SDL2_image)
redeclipse:pkgconfig(SDL2_image)
rocksndiamonds:pkgconfig(SDL2_image)
solarus:pkgconfig(SDL2_image)
starfighter:pkgconfig(SDL2_image)
supertux:pkgconfig(SDL2_image)
t-engine4:pkgconfig(SDL2_image)
trigger-rally:pkgconfig(SDL2_image)
ufoai:pkgconfig(SDL2_image)
vcmi:pkgconfig(SDL2_image)
vdrift:pkgconfig(SDL2_image)
widelands:pkgconfig(SDL2_image)
Assignee: rverschelde => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Whiteboard: MGA5TOO => MGA5TOO has_procedure
mga6::x86_64

Testing libsdl2 and libsdl2_image together, i.e. bugs 21881 and 21882.

Installed:
- lib64sdl2.0-devel-2.0.5-2.1.mga6.x86_64
- lib64sdl2.0-static-devel-2.0.5-2.1.mga6.x86_64
- lib64sdl2.0_0-2.0.5-2.1.mga6.x86_64
- lib64sdl2_image-devel-2.0.1-1.1.mga6.x86_64
- lib64sdl2_image-static-devel-2.0.1-1.1.mga6.x86_64
- lib64sdl2_image2.0_0-2.0.1-1.1.mga6.x86_64
- lib64sdl2_image2.0_0-test-2.0.1-1.1.mga6.x86_64
- mingw64-SDL2_image-2.0.1-2.1.mga6.noarch

vlc was mentioned so I checked that out. Running fine for sound and video and television.

Started rocksndiamonds at tutorial level but did not get very far. Looked like it was working though.
Tried supertux and after two rounds had amassed the huge score of 47 ;-)
No luck with starfighter - utterly destroyed in no time at all. All good fun.

Installed a couple more. A bit of the training run in blobwars.
Alien Invasion lived up to its name; after installing 1.1GB of software I launched it from the menu and it destroyed the session. The screen went black and flashed grey a few times and once there was a glimpse of the current display. Ctrl-Alt-F2. Could not identify the game in top so tried Ctrl-Alt-F1 and got back to the X display but it was vastly inflated - what looked like a 640x480 section of the 3k display magnified to fit the whole screen. Tried panning but could not find the game. Reboot from the command line failed so emergency restart. Not possible to judge whether it works on this machine other than it is definitely not suitable for it.

Installed sdl2_mixer-player but then could not find it in the menus.
Found /bin/sdl2show and used that to click through a directory of images.
$ sdl2show /data/.images/screen/*
No problem there.
$ urpmf -i /bin/sdl2show
lib64sdl2_image2.0_0-test:/usr/bin/sdl2show
libsdl2_image2.0_0-test:/usr/bin/sdl2show

That will have to do. Maybe other testers can add something.
CC: (none) => tarazed25
mga5::x86_64

- lib64sdl2.0-devel-2.0.3-4.1.mga5.x86_64
- lib64sdl2.0-static-devel-2.0.3-4.1.mga5.x86_64
- lib64sdl2.0_0-2.0.3-4.1.mga5.x86_64
- lib64sdl2_image-devel-2.0.0-4.1.mga5.x86_64
- lib64sdl2_image-static-devel-2.0.0-4.1.mga5.x86_64
- lib64sdl2_image2.0_0-2.0.0-4.1.mga5.x86_64
- lib64sdl2_image2.0_0-test-2.0.0-4.1.mga5.x86_64

Tried sdl2show on various image formats. It supports JPEG, GIF, PNG, XPM but not SVG. It coped with an XCF file produced by the Gimp. It also displayed some xcf icons from smplayer-skins theme directories:
Black/open_favorites.xcf
Black/tubebrowser.xcf
Gonzo/open_favorites.xcf

That helps validate bug 21881.

Installed supertux-2 and played a couple of rounds at beginners level.
Tried neverball easy and found it very difficult but frighteningly addictive.
Installed crawl and saw that it pulled in lib64SDL_image1.2_0. Started the tutorial which signed me on as a Skirmisher, explored a bit then crashed out.

The games seem to play OK. Leaving it there. Good for 64 bits.
MGA5-32 on Asus A6000VM Xfce

No installation issues.
Tried supertux (with strace), it started, made noise, the penguin moved around, but I have no feeling for those games, so that was the end of it.
Anyway, trace showed:
open("/lib/libSDL2_image-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
so that should be OK.
Whiteboard: MGA5TOO has_procedure => MGA5TOO has_procedure MGA5-32-OK
CC: (none) => herman.viaene
Whiteboard: MGA5TOO has_procedure MGA5-32-OK => MGA5TOO has_procedure MGA5-32-OK MGA6-64-OK
Added the 64-bit OK for Mageia 6 because the 21881 and 21882 updates are tested at the same time.
Keywords: (none) => advisory
MGA6-32 on Asus A6000VM MATE

No installation issues.
Following bug 21882 Comment 8, I tried to run sdl2show.
I find I have to run sdl2show pointing to a single image file, and in that window I can't do anything but close it. At least with jpg.
Trying to run a tif results in:
$ sdl2show 1973-024slapper-1.tif
Couldn't load 1973-024slapper-1.tif: Texture dimensions are limited to 4096x4096
Anyway running:
$ sdl2show -save slide1.png slide001.jpg
results in a correct png file.
Seems good enough.
Whiteboard: MGA5TOO has_procedure MGA5-32-OK MGA6-64-OK => MGA5TOO has_procedure MGA5-32-OK MGA6-64-OK MGA6-32-OK
Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2017-0397.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED