openSUSE-SU-2017:1139-1

Описание

This update for feh on Leap 42.1 fixes this security issue:

• CVE-2017-7875: In wallpaper.c in feh if a malicious client pretended to be the E17 window manager, it was possible to trigger an out-of-boundary heap write while receiving an IPC message. An integer overflow leads to a buffer overflow and/or a double free (bsc#1034567).

This update for feh on Leap 42.2 to version 2.18.3 fixes several issues.

This security issue was fixed on Leap 42.2:

• CVE-2017-7875: In wallpaper.c in feh if a malicious client pretended to be the E17 window manager, it was possible to trigger an out-of-boundary heap write while receiving an IPC message. An integer overflow leads to a buffer overflow and/or a double free (bsc#1034567).

These non-security issue was fixed on Leap 42.2:

• boo#955576: added jpegexiforient
• Fixed image-specific format specifiers not being updated correctly in thumbnail mode window titles
• Fixed memory leak when closing images opened from thumbnail mode
• Fixed a possible out of bounds read caused by an unterminated string when using --output to save images in long paths
• Fixed out of bounds read/write when handling empty or broken caption files.
• Fixed memory leak when saving a filelist or image whose target filename already exists.
• Fixed image-specific format specifiers not being updated correctly
• New key binding: ! - zoom_fill (zoom to fill window, may cut off image parts
• Disable EXIF-based auto rotation by default
• Added --auto-rotate option to enable auto rotation
• Added feh-makefile_app.patch -- fix install location of icons
• Install feh icon (both 48x48 and scalable SVG) to /usr/share/icons when running 'make install app=1'
• Fixed --sort not being respected after the first reload when used in conjunction with --reload
• All key actions can now also be bound to a button by specifying them in .config/feh/buttons. However, note that button actions can not be bound to keys.
• Rename 'menu' key action to 'toggle_menu', 'prev' to 'prev_img' and 'next' to 'next_img'. The old names are still supported, but no longer documented.
• feh now also sets the X11 _NET_WM_PID and WM_CLIENT_MACHINE window properties
• Fixed compilation on systems where HOST_NAME_MAX is not defined
• Also support in-place editing for images loaded via libcurl or imagemagick. Results will not be written back to disk in this case.
• Fixed crash when trying to rotate a JPEG image without having jpegtran / jpegexiforient installed
• Handle failing fork() calls gracefully
• Fixed invalid key/button definitions mis-assigning keys/buttons to other actions
• Added sort mode --sort dirname to sort images by directory instead of by name.
• Added navigation keys next_dir (]) and prev_dir ([) to jump to the first image of the nex/previous directory
• Fixed toggle_filenames key displaying wrong file numbers in multiwindow mode
• Rescale image when resizing a window and --scale-down or --geometry is active.
• Fixed --keep-zoom-vp not keeping the viewport x/y offsets
• Fixed w (size_to_image) key not updating window size when --scale-down or --geometry is active
• Added --insecure option to disable HTTPS certificate checks
• Added --no-recursive option to disable recursive directory expansion.
• Improve --scale-down in tiling environments.
• --action and --action[1..9] now support action titles
• -f / --filelist: Do not print useless error message when a correct filelist file is specified
• -f / --filelist: Fix bug in '-' / '/dev/stdin' handling affecting feh running in ksh and possibly other environments
• Add --xinerama-index option for background setting
• When removing the last image in slidsehow mode, stay on the last (previously second-to-last) image
• Allow --sort and --randomize to override each other (most recently specified option wins) instead of always preferring --sort
• Thumbnail mode: Mark image as processed when executing an action (--action) by clicking on an image
• It is now possible to override feh's idea of the active xinerama screen using the --xinerama-index option
• Removed (undocumented) feature allowing to override feh's idea of the active xinerama screen by setting the XINERAMA_SCREEN environment variable
• Removed obsolete gpg macro