Debian has issued an advisory on April 28:
We previously fixed CVE-2017-2887, but the other issues are new.
Mageia 5 and Mageia 6 are also affected.
Assigning to the registered maintainer.
Patches available from Debian
Patched package submitted to the BS as 1.2.12-9.2mga6.
from commit http://svnweb.mageia.org/packages?view=revision&revision=1231486
Thanks! I'll get to the advisory later.
Thanks again! I also pushed the fixes to Mageia 5. Sorry this took so long.
Updated SDL_image packages fix security vulnerabilities:
Multiple vulnerabilities have been discovered in the image loading library for
Simple DirectMedia Layer 1.2, which could result in denial of service or the
execution of arbitrary code if malformed image files are opened
(CVE-2017-12122, CVE-2017-14440, CVE-2017-14441, CVE-2017-14442,
CVE-2017-14448, CVE-2017-14450, CVE-2018-3837, CVE-2018-3838, CVE-2018-3839).
Updated packages in core/updates_testing:
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
Ref bug 22650 Comments 10 and 11 for tests
Used grafx2 to display a jpeg file and save it as a png.
Viewing the results with ristretto clearly shows the reduction in the number of colors in the png file. The jpg file was 4.5Mb, the resulting png 2.5Mb.
OK for me.
If nobody else does, I shall run this by Mageia 6 tomorrow.
I don't see the updated packages. Usually the Belgian mirror is at most 24h behind, but not that much. And I've been able to do the MGA5 test????
$ urpmq -i lib64SDL_image1.2_0|grep ^Source |sort -V|tail -n 1
Source RPM : SDL_image-1.2.12-9.2.mga6.src.rpm
(This is with the princeton mirror)
$ rpm -q -i lib64SDL_image1.2_0|grep 'Build Date'
Build Date : 2018-05-22T05:49:47 EDT
Note that on 32 bit, libSDL_image1.2_0 is available from
Tested with tuxpaint. Validating the update
MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
An update for this issue has been pushed to the Mageia Updates repository.