Security update for SDL2_image (moderate)

An update that fixes 12 vulnerabilities is now available.

Description:

This update for SDL2_image fixes the following issues:

Update to new upstream release 2.0.5.

Security issues fixed:

• TALOS-2019-0820 CVE-2019-5051: exploitable heap-based buffer overflow
  vulnerability when loading a PCX file (boo#1140419)
• TALOS-2019-0821 CVE-2019-5052: exploitable integer overflow
  vulnerability when loading a PCX file (boo#1140421)
• TALOS-2019-0841 CVE-2019-5057: code execution vulnerability in the PCX
  image-rendering functionality of SDL2_image (boo#1143763)
• TALOS-2019-0842 CVE-2019-5058: heap overflow in XCF image rendering can
  lead to code execution (boo#1143764)
• TALOS-2019-0843 CVE-2019-5059: heap overflow in XPM image (boo#1143766)
• TALOS-2019-0844 CVE-2019-5060: integer overflow in the XPM image
  (boo#1143768)

Not mentioned by upstream, but issues seemingly further fixed:

• CVE-2019-12218: NULL pointer dereference in the SDL2_image function
  IMG_LoadPCX_RW (boo#1135789)
• CVE-2019-12217: NULL pointer dereference in the SDL stdio_read function
  (boo#1135787)
• CVE-2019-12220: SDL_image triggers an out-of-bounds read in the SDL
  function SDL_FreePalette_REAL (boo#1135806)
• CVE-2019-12221: a SEGV caused by SDL_image in SDL function SDL_free_REAL
  in stdlib/SDL_malloc.c (boo#1135796)
• CVE-2019-12222: out-of-bounds read triggered by SDL_image in the
  function SDL_InvalidateMap at video/SDL_pixels.c (boo#1136101)
• CVE-2019-13616: fix heap buffer overflow when reading a crafted bmp file
  (boo#1141844).

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

• openSUSE Leap 15.1:

  zypper in -t patch openSUSE-2019-2070=1

• openSUSE Leap 15.0:

  zypper in -t patch openSUSE-2019-2070=1