From 2c8b22bb35c82252c3f0c36c1e62635a5e361c31 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Thu, 28 Mar 2024 10:41:01 +0000
Subject: [PATCH] import CS libXpm-3.5.13-10.el9
---
 ...88-Out-of-bounds-read-in-XpmCreateXp.patch | 32 +++++++++++++++++
 ...89-Out-of-bounds-read-on-XPM-with-co.patch | 36 +++++++++++++++++++
 SPECS/libXpm.spec | 19 +++++++++-
 3 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
 create mode 100644 SOURCES/0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch
diff --git a/SOURCES/0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch b/SOURCES/0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
new file mode 100644
index 0000000..a2d039b
--- /dev/null
+++ b/SOURCES/0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
@@ -0,0 +1,32 @@
+From 2fa554b01ef6079a9b35df9332bdc4f139ed67e0 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Sat, 29 Apr 2023 17:50:39 -0700
+Subject: [PATCH] Fix CVE-2023-43788: Out of bounds read in
+ XpmCreateXpmImageFromBuffer
+
+When the test case for CVE-2022-46285 was run with the Address Sanitizer
+enabled, it found an out-of-bounds read in ParseComment() when reading
+from a memory buffer instead of a file, as it continued to look for the
+closing comment marker past the end of the buffer.
+
+Signed-off-by: Alan Coopersmith
+---
+ src/data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/data.c b/src/data.c
+index 7524e65..0b0f1f3 100644
+--- a/src/data.c
++++ b/src/data.c
+@@ -108,7 +108,7 @@ ParseComment(xpmData *data)
+ n++;
+ s2++;
+ } while (c == *s2 && *s2 != '\0' && c);
+- if (*s2 == '\0') {
++ if (*s2 == '\0' || c == '\0') {
+ /* this is the end of the comment */
+ notend = 0;
+ data->cptr--;
+--
+2.41.0
+
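Review bot: The comment kept under the new condition in ParseComment(), `/* this is the end of the comment */`, no longer covers the added `c == '\0'` case, where the scan stops because the input ran out rather than because the closing marker matched. I would reword it to `/* end of the comment, or end of the input inside an unterminated comment */` so the second exit is not read as a successful match. The guard can only fire on a terminating NUL, so it bounds the read only when the memory buffer handed to the parser is NUL-terminated; that requirement is worth stating where the buffer is accepted. ParseComment() starts and ends outside this hunk, so how the truncated comment is handled afterwards cannot be checked from here.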
diff --git a/SOURCES/0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch b/SOURCES/0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch
new file mode 100644
index 0000000..789c423
--- /dev/null
+++ b/SOURCES/0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch
@@ -0,0 +1,36 @@
+From 7e21cb63b9a1ca760a06cc4cd9b19bbc3fcd8f51 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Sat, 29 Apr 2023 18:30:34 -0700
+Subject: [PATCH] Fix CVE-2023-43789: Out of bounds read on XPM with corrupted
+ colormap
+
+Found with clang's libfuzzer
+
+Signed-off-by: Alan Coopersmith
+---
+ src/data.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/data.c b/src/data.c
+index 0b0f1f3..6e87455 100644
+--- a/src/data.c
++++ b/src/data.c
+@@ -259,13 +259,13 @@ xpmNextWord(
+ int c;
+
+ if (!data->type || data->type == XPMBUFFER) {
+- while (isspace(c = *data->cptr) && c != data->Eos)
++ while ((c = *data->cptr) && isspace(c) && (c != data->Eos))
+ data->cptr++;
+ do {
+ c = *data->cptr++;
+ *buf++ = c;
+ n++;
+- } while (!isspace(c) && c != data->Eos && n < buflen);
++ } while (c && !isspace(c) && (c != data->Eos) && (n < buflen));
+ n--;
+ data->cptr--;
+ } else {
+--
+2.41.0
+
diff --git a/SPECS/libXpm.spec b/SPECS/libXpm.spec
index 5f88dab..ac46961 100644
--- a/SPECS/libXpm.spec
+++ b/SPECS/libXpm.spec
@@ -1,7 +1,7 @@
 Summary: X.Org X11 libXpm runtime library
 Name: libXpm
 Version: 3.5.13
-Release: 8%{?dist}
+Release: 10%{?dist}
 License: MIT
 URL: http://www.x.org
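Review bot: Both rewritten loop conditions in xpmNextWord() still pass `c` straight to `isspace()`, and `c` is loaded from `*data->cptr`; if `cptr` is a plain `char *` (its declaration is outside the hunk), a byte of 0x80 or above becomes a negative `int` on signed-char platforms, which is undefined behaviour for the `<ctype.h>` functions. Since this branch parses XPM data from a caller-supplied buffer, I would cast at the call, `isspace((unsigned char)c)`, in both the `while` and the `do … while` condition. The do-loop also stores one byte through `buf` before `n < buflen` is tested, so a `buflen` of 0 would still write; a comment stating that callers must pass `buflen >= 1` would document that. xpmNextWord() begins and ends outside the hunk.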
@@ -22,6 +22,10 @@ Patch0003: 0003-Prevent-a-double-free-in-the-error-code-path.patch
 Patch0004: 0004-configure-add-disable-open-zfile-instead-of-requirin.patch
 Patch0005: 0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
 Patch0006: 0006-Use-gzip-d-instead-of-gunzip.patch
+# CVE-2023-43788
+Patch0007: 0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
+# CVE-2023-43789
+Patch0008: 0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch
 %description
 X.Org X11 libXpm runtime library
@@ -42,6 +46,8 @@ X.Org X11 libXpm development package
 %patch0004 -p1
 %patch0005 -p1
 %patch0006 -p1
+%patch0007 -p1
+%patch0008 -p1
 %build
 autoreconf -v --install --force
@@ -75,6 +81,17 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
 #%{_mandir}/man1/*.1x*
 %changelog
+* Wed Oct 11 2023 José Expósito - 3.5.13-10
+- Drop hardening patches from previous version to keep ABI compatibility
+
+* Wed Oct 11 2023 José Expósito - 3.5.13-9
+- CVE-2023-43786 libX11: stack exhaustion from infinite recursion
+ in PutSubImage()
+- CVE-2023-43787 libX11: integer overflow in XCreateImage() leading to
+ a heap overflow
+- CVE-2023-43788 libXpm: out of bounds read in XpmCreateXpmImageFromBuffer()
+- CVE-2023-43789 libXpm: out of bounds read on XPM with corrupted colormap
+
 * Mon Jan 16 2023 Peter Hutterer - 3.5.13-8
 - Fix CVE-2022-46285: infinite loop on unclosed comments (#2160230)
 - Fix CVE-2022-44617: runaway loop with width of 0 (#2160232)
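Review bot: The two sources added in the `@@ -22,6 +22,10 @@` hunk both keep a `0001-` filename prefix while being registered as `Patch0007` and `Patch0008`, whereas the visible existing entries (`Patch0003: 0003-…` through `Patch0006: 0006-…`) carry a prefix that matches their slot. Giving the new files a `0007-` and `0008-` prefix would keep the source listing in application order and avoid two files that sort as "first". The order matters here: the CVE-2023-43789 patch is based on blob `0b0f1f3` of src/data.c, which is the post-image of the CVE-2023-43788 patch, so a comment such as `# must apply after Patch0007` above `Patch0008` would record that dependency.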