Correct source package tracking for CVE-2019-12221

After further investigation Hugo Lefeuvre found the root cause for he
CVE and can be associated with libsdl2-image and sdl-image1.2.

Thus the explicitly added TODO item can be dropped and source packages
adjusted accordingly.

Details in https://bugzilla.libsdl.org/show_bug.cgi?id=4628#c2