Debian has issued an advisory on April 28:
https://www.debian.org/security/2018/dsa-4184

We previously fixed CVE-2017-2887, but the other issues are new.

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
Assignee: bugsquad => shlomif
CC: (none) => marja11
Status comment: (none) => Patches available from Debian
Patched package submitted to the BS as 1.2.12-9.2mga6.
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
libSDL_image1.2_0-1.2.12-9.2.mga6
libSDL_image-devel-1.2.12-9.2.mga6
libSDL_image1.2_0-test-1.2.12-9.2.mga6

from SDL_image-1.2.12-9.2.mga6.src.rpm

from commit http://svnweb.mageia.org/packages?view=revision&revision=1231486

Thanks! I'll get to the advisory later.
Thanks again! I also pushed the fixes to Mageia 5. Sorry this took so long.

Advisory:
========================

Updated SDL_image packages fix security vulnerabilities:

Multiple vulnerabilities have been discovered in the image loading library for Simple DirectMedia Layer 1.2, which could result in denial of service or the execution of arbitrary code if malformed image files are opened (CVE-2017-12122, CVE-2017-14440, CVE-2017-14441, CVE-2017-14442, CVE-2017-14448, CVE-2017-14450, CVE-2018-3837, CVE-2018-3838, CVE-2018-3839).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12122
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14441
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3837
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3838
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3839
https://www.debian.org/security/2018/dsa-4184
========================

Updated packages in core/updates_testing:
========================
libSDL_image1.2_0-1.2.12-8.2.mga5
libSDL_image-devel-1.2.12-8.2.mga5
libSDL_image1.2_0-test-1.2.12-8.2.mga5
libSDL_image1.2_0-1.2.12-9.2.mga6
libSDL_image-devel-1.2.12-9.2.mga6
libSDL_image1.2_0-test-1.2.12-9.2.mga6

from SRPMS:
SDL_image-1.2.12-8.2.mga5.src.rpm
SDL_image-1.2.12-9.2.mga6.src.rpm
CC: (none) => shlomif
Whiteboard: (none) => MGA5TOO
Assignee: shlomif => qa-bugs
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
Ref bug 22650 Comments 10 and 11 for tests
Used grafx2 to display a jpeg file and save it as a png. Viewing results with ristretto clearly shows the reduction of number of colors in the png file.
The jpg file was 4.5Mb, the resulting png 2.5Mb.
OK for me.
CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
If nobody else does, I shall run this by Mageia 6 tomorrow.
CC: (none) => tarazed25
Keywords: (none) => advisory
CC: (none) => davidwhodgins
MGA6-32
I don't see the updated packages. Usually the Belgian mirror is at most 24h behind, but not that much. And I've been able to do the MGA5 test????
$ urpmq -i lib64SDL_image1.2_0|grep ^Source |sort -V|tail -n 1
Source RPM : SDL_image-1.2.12-9.2.mga6.src.rpm
(This is with the princeton mirror)

$ rpm -q -i lib64SDL_image1.2_0|grep 'Build Date'
Build Date : 2018-05-22T05:49:47 EDT

Note that on 32 bit, libSDL_image1.2_0 is available from SDL_image-1.2.12-9.2.mga6.src.rpm

Tested with tuxpaint. Validating the update
Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0276.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED