diff --git a/0001-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch b/0001-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch new file mode 100644 index 0000000..30cf7f7 --- /dev/null +++ b/0001-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch @@ -0,0 +1,37 @@ +From c6cd85b7d0a725552a7277748504a33f0fc3e121 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 17 Dec 2022 12:23:45 -0800 +Subject: [PATCH libXpm 1/6] Fix CVE-2022-46285: Infinite loop on unclosed + comments + +When reading XPM images from a file with libXpm 3.5.14 or older, if a +comment in the file is not closed (i.e. a C-style comment starts with +"/*" and is missing the closing "*/"), the ParseComment() function will +loop forever calling getc() to try to read the rest of the comment, +failing to notice that it has returned EOF, which may cause a denial of +service to the calling program. + +Reported-by: Marco Ivaldi +Signed-off-by: Alan Coopersmith +--- + src/data.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/data.c b/src/data.c +index 898889c..bfad4ff 100644 +--- a/src/data.c ++++ b/src/data.c +@@ -174,6 +174,10 @@ ParseComment(xpmData *data) + notend = 0; + Ungetc(data, *s, file); + } ++ else if (c == EOF) { ++ /* hit end of file before the end of the comment */ ++ return XpmFileInvalid; ++ } + } + return 0; + } +-- +2.39.0 + diff --git a/0002-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch b/0002-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch new file mode 100644 index 0000000..b46b42a --- /dev/null +++ b/0002-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch @@ -0,0 +1,151 @@ +From 0a1959b3b061d2e6d0a512e83035d84e5828f388 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 7 Jan 2023 12:44:28 -0800 +Subject: [PATCH libXpm 2/6] Fix CVE-2022-44617: Runaway loop with width of 0 + and enormous height + +When reading XPM images from a file with libXpm 3.5.14 or older, if a +image has a width of 0 and a very large height, the ParsePixels() function +will loop over the entire height calling getc() and ungetc() repeatedly, +or in some circumstances, may loop seemingly forever, which may cause a +denial of service to the calling program when given a small crafted XPM +file to parse. + +Closes: #2 + +Reported-by: Martin Ettl +Signed-off-by: Alan Coopersmith +--- + src/data.c | 20 ++++++++++++++------ + src/parse.c | 31 +++++++++++++++++++++++++++---- + 2 files changed, 41 insertions(+), 10 deletions(-) + +diff --git a/src/data.c b/src/data.c +index bfad4ff..7524e65 100644 +--- a/src/data.c ++++ b/src/data.c +@@ -195,19 +195,23 @@ xpmNextString(xpmData *data) + register char c; + + /* get to the end of the current string */ +- if (data->Eos) +- while ((c = *data->cptr++) && c != data->Eos); ++ if (data->Eos) { ++ while ((c = *data->cptr++) && c != data->Eos && c != '\0'); ++ ++ if (c == '\0') ++ return XpmFileInvalid; ++ } + + /* + * then get to the beginning of the next string looking for possible + * comment + */ + if (data->Bos) { +- while ((c = *data->cptr++) && c != data->Bos) ++ while ((c = *data->cptr++) && c != data->Bos && c != '\0') + if (data->Bcmt && c == data->Bcmt[0]) + ParseComment(data); + } else if (data->Bcmt) { /* XPM2 natural */ +- while ((c = *data->cptr++) == data->Bcmt[0]) ++ while (((c = *data->cptr++) == data->Bcmt[0]) && c != '\0') + ParseComment(data); + data->cptr--; + } +@@ -216,9 +220,13 @@ xpmNextString(xpmData *data) + FILE *file = data->stream.file; + + /* get to the end of the current string */ +- if (data->Eos) ++ if (data->Eos) { + while ((c = Getc(data, file)) != data->Eos && c != EOF); + ++ if (c == EOF) ++ return XpmFileInvalid; ++ } ++ + /* + * then get to the beginning of the next string looking for possible + * comment +@@ -234,7 +242,7 @@ xpmNextString(xpmData *data) + Ungetc(data, c, file); + } + } +- return 0; ++ return XpmSuccess; + } + + +diff --git a/src/parse.c b/src/parse.c +index 613529e..606789d 100644 +--- a/src/parse.c ++++ b/src/parse.c +@@ -427,6 +427,13 @@ ParsePixels( + { + unsigned int *iptr, *iptr2 = NULL; /* found by Egbert Eich */ + unsigned int a, x, y; ++ int ErrorStatus; ++ ++ if ((width == 0) && (height != 0)) ++ return (XpmFileInvalid); ++ ++ if ((height == 0) && (width != 0)) ++ return (XpmFileInvalid); + + if ((height > 0 && width >= UINT_MAX / height) || + width * height >= UINT_MAX / sizeof(unsigned int)) +@@ -464,7 +471,11 @@ ParsePixels( + colidx[(unsigned char)colorTable[a].string[0]] = a + 1; + + for (y = 0; y < height; y++) { +- xpmNextString(data); ++ ErrorStatus = xpmNextString(data); ++ if (ErrorStatus != XpmSuccess) { ++ XpmFree(iptr2); ++ return (ErrorStatus); ++ } + for (x = 0; x < width; x++, iptr++) { + int c = xpmGetC(data); + +@@ -511,7 +522,11 @@ do \ + } + + for (y = 0; y < height; y++) { +- xpmNextString(data); ++ ErrorStatus = xpmNextString(data); ++ if (ErrorStatus != XpmSuccess) { ++ XpmFree(iptr2); ++ return (ErrorStatus); ++ } + for (x = 0; x < width; x++, iptr++) { + int cc1 = xpmGetC(data); + if (cc1 > 0 && cc1 < 256) { +@@ -551,7 +566,11 @@ do \ + xpmHashAtom *slot; + + for (y = 0; y < height; y++) { +- xpmNextString(data); ++ ErrorStatus = xpmNextString(data); ++ if (ErrorStatus != XpmSuccess) { ++ XpmFree(iptr2); ++ return (ErrorStatus); ++ } + for (x = 0; x < width; x++, iptr++) { + for (a = 0, s = buf; a < cpp; a++, s++) { + int c = xpmGetC(data); +@@ -571,7 +590,11 @@ do \ + } + } else { + for (y = 0; y < height; y++) { +- xpmNextString(data); ++ ErrorStatus = xpmNextString(data); ++ if (ErrorStatus != XpmSuccess) { ++ XpmFree(iptr2); ++ return (ErrorStatus); ++ } + for (x = 0; x < width; x++, iptr++) { + for (a = 0, s = buf; a < cpp; a++, s++) { + int c = xpmGetC(data); +-- +2.39.0 + diff --git a/0003-Prevent-a-double-free-in-the-error-code-path.patch b/0003-Prevent-a-double-free-in-the-error-code-path.patch new file mode 100644 index 0000000..92c25d6 --- /dev/null +++ b/0003-Prevent-a-double-free-in-the-error-code-path.patch @@ -0,0 +1,39 @@ +From ad5a88046266478c2c9600f6d8a11ab707cb4c7e Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 12 Jan 2023 15:05:39 +1000 +Subject: [PATCH libXpm 3/6] Prevent a double free in the error code path + +xpmParseDataAndCreate() calls XDestroyImage() in the error path. +Reproducible with sxpm "zero-width.xpm", that file is in the test/ +directory. + +The same approach is needed in the bytes_per_line == 0 condition though +here it just plugs a memory leak. +--- + src/create.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/create.c b/src/create.c +index a750846..0f3735c 100644 +--- a/src/create.c ++++ b/src/create.c +@@ -994,11 +994,15 @@ CreateXImage( + #if !defined(FOR_MSW) && !defined(AMIGA) + if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) { + XDestroyImage(*image_return); ++ *image_return = NULL; + return XpmNoMemory; + } + /* now that bytes_per_line must have been set properly alloc data */ +- if((*image_return)->bytes_per_line == 0 || height == 0) ++ if((*image_return)->bytes_per_line == 0 || height == 0) { ++ XDestroyImage(*image_return); ++ *image_return = NULL; + return XpmNoMemory; ++ } + (*image_return)->data = + (char *) XpmMalloc((*image_return)->bytes_per_line * height); + +-- +2.39.0 + diff --git a/0004-configure-add-disable-open-zfile-instead-of-requirin.patch b/0004-configure-add-disable-open-zfile-instead-of-requirin.patch new file mode 100644 index 0000000..06f91b4 --- /dev/null +++ b/0004-configure-add-disable-open-zfile-instead-of-requirin.patch @@ -0,0 +1,95 @@ +From 6fd1ea0d559a433aecccb21b63e91776e05a0831 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Thu, 5 Jan 2023 15:42:36 -0800 +Subject: [PATCH libXpm 4/6] configure: add --disable-open-zfile instead of + requiring -DNO_ZPIPE + +Documents the two compression options in the README, makes their +configure options reflect the interdependency of their implementation, +and makes the configure script report their configuration. + +Signed-off-by: Alan Coopersmith +--- + README.md | 15 +++++++++++++++ + configure.ac | 36 +++++++++++++++++++++++------------- + 2 files changed, 38 insertions(+), 13 deletions(-) + +diff --git a/README.md b/README.md +index f661e15..f3f4c93 100644 +--- a/README.md ++++ b/README.md +@@ -16,3 +16,18 @@ For patch submission instructions, see: + + https://www.x.org/wiki/Development/Documentation/SubmittingPatches + ++------------------------------------------------------------------------------ ++ ++libXpm supports two optional features to handle compressed pixmap files. ++ ++--enable-open-zfile makes libXpm recognize file names ending in .Z and .gz ++and open a pipe to the appropriate command to compress the file when writing ++and uncompress the file when reading. This is enabled by default on platforms ++other than MinGW and can be disabled by passing the --disable-open-zfile flag ++to the configure script. ++ ++--enable-stat-zfile make libXpm search for a file name with .Z or .gz added ++if it can't find the file it was asked to open. It relies on the ++--enable-open-zfile feature to open the file, and is enabled by default ++when --enable-open-zfile is enabled, and can be disabled by passing the ++--disable-stat-zfile flag to the configure script. +diff --git a/configure.ac b/configure.ac +index 365544b..85e2c73 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -49,25 +49,35 @@ if test "x$USE_GETTEXT" = "xyes" ; then + fi + AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes") + ++# Optional feature: When a filename ending in .Z or .gz is requested, ++# open a pipe to a newly forked compress/uncompress/gzip/gunzip command to ++# handle it. ++AC_MSG_CHECKING([whether to handle compressed pixmaps]) ++case $host_os in ++ *mingw*) zpipe_default="no" ;; ++ *) zpipe_default="yes" ;; ++esac ++AC_ARG_ENABLE(open-zfile, ++ AS_HELP_STRING([--enable-open-zfile], ++ [Search for files with .Z & .gz extensions automatically @<:@default=auto@:>@]), ++ [OPEN_ZFILE=$enableval], [OPEN_ZFILE=yes]) ++AC_MSG_RESULT([$OPEN_ZFILE]) ++if test x$OPEN_ZFILE = xno ; then ++ AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes]) ++fi ++ + # Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz + # Replaces ZFILEDEF = -DSTAT_ZFILE in old Imakefile ++AC_MSG_CHECKING([whether to search for compressed pixmaps]) + AC_ARG_ENABLE(stat-zfile, +- AS_HELP_STRING([--enable-stat-zfile], +- [Search for files with .Z & .gz extensions automatically @<:@default=yes@:>@]), +- [STAT_ZFILE=$enableval], [STAT_ZFILE=yes]) ++ AS_HELP_STRING([--enable-stat-zfile], ++ [Search for files with .Z & .gz extensions automatically @<:@default=auto@:>@]), ++ [STAT_ZFILE=$enableval], [STAT_ZFILE=$OPEN_ZFILE]) ++AC_MSG_RESULT([$STAT_ZFILE]) + if test x$STAT_ZFILE = xyes ; then +- AC_DEFINE(STAT_ZFILE, 1, [Define to 1 to automatically look for files with .Z & .gz extensions]) ++ AC_DEFINE(STAT_ZFILE, 1, [Define to 1 to automatically look for files with .Z & .gz extensions]) + fi + +- +-case $host_os in +- *mingw*) +- AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes]) +- ;; +- *) +- ;; +-esac +- + AC_CONFIG_FILES([Makefile + doc/Makefile + include/Makefile +-- +2.39.0 + diff --git a/0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch b/0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch new file mode 100644 index 0000000..7ba81de --- /dev/null +++ b/0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch @@ -0,0 +1,144 @@ +From cdbc3fa8edc5b42391a5f2bfe1a8f6099929acf7 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Fri, 6 Jan 2023 12:50:48 -0800 +Subject: [PATCH libXpm 5/6] Fix CVE-2022-4883: compression commands depend on + $PATH + +By default, on all platforms except MinGW, libXpm will detect if a +filename ends in .Z or .gz, and will when reading such a file fork off +an uncompress or gunzip command to read from via a pipe, and when +writing such a file will fork off a compress or gzip command to write +to via a pipe. + +In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH +to find the commands. If libXpm is called from a program running with +raised privileges, such as via setuid, then a malicious user could set +$PATH to include programs of their choosing to be run with those +privileges. + +Signed-off-by: Alan Coopersmith +--- + README.md | 12 ++++++++++++ + configure.ac | 14 ++++++++++++++ + src/RdFToI.c | 17 ++++++++++++++--- + src/WrFFrI.c | 4 ++-- + 4 files changed, 42 insertions(+), 5 deletions(-) + +diff --git a/README.md b/README.md +index f3f4c93..0b1c886 100644 +--- a/README.md ++++ b/README.md +@@ -31,3 +31,15 @@ if it can't find the file it was asked to open. It relies on the + --enable-open-zfile feature to open the file, and is enabled by default + when --enable-open-zfile is enabled, and can be disabled by passing the + --disable-stat-zfile flag to the configure script. ++ ++All of these commands will be executed with whatever userid & privileges the ++function is called with, relying on the caller to ensure the correct euid, ++egid, etc. are set before calling. ++ ++To reduce risk, the paths to these commands are now set at configure time to ++the first version found in the PATH used to run configure, and do not depend ++on the PATH environment variable set at runtime. ++ ++To specify paths to be used for these commands instead of searching $PATH, pass ++the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, XPM_PATH_GZIP, and XPM_PATH_GUNZIP ++variables to the configure command. +diff --git a/configure.ac b/configure.ac +index 85e2c73..4fc370d 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -49,6 +49,14 @@ if test "x$USE_GETTEXT" = "xyes" ; then + fi + AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes") + ++dnl Helper macro to find absolute path to program and add a #define for it ++AC_DEFUN([XPM_PATH_PROG],[ ++AC_PATH_PROG([$1], [$2], []) ++AS_IF([test "x$$1" = "x"], ++ [AC_MSG_ERROR([$2 not found, set $1 or use --disable-stat-zfile])]) ++AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path to $2]) ++]) dnl End of AC_DEFUN([XPM_PATH_PROG]... ++ + # Optional feature: When a filename ending in .Z or .gz is requested, + # open a pipe to a newly forked compress/uncompress/gzip/gunzip command to + # handle it. +@@ -64,6 +72,12 @@ AC_ARG_ENABLE(open-zfile, + AC_MSG_RESULT([$OPEN_ZFILE]) + if test x$OPEN_ZFILE = xno ; then + AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes]) ++else ++ XPM_PATH_PROG([XPM_PATH_COMPRESS], [compress]) ++ XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress]) ++ XPM_PATH_PROG([XPM_PATH_GZIP], [gzip]) ++ XPM_PATH_PROG([XPM_PATH_GUNZIP], [gunzip]) ++ AC_CHECK_FUNCS([closefrom close_range], [break]) + fi + + # Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz +diff --git a/src/RdFToI.c b/src/RdFToI.c +index bd09611..a91d337 100644 +--- a/src/RdFToI.c ++++ b/src/RdFToI.c +@@ -43,6 +43,7 @@ + #include + #include + #include ++#include + #else + #ifdef FOR_MSW + #include +@@ -161,7 +162,17 @@ xpmPipeThrough( + goto err; + if ( 0 == pid ) + { +- execlp(cmd, cmd, arg1, (char *)NULL); ++#ifdef HAVE_CLOSEFROM ++ closefrom(3); ++#elif defined(HAVE_CLOSE_RANGE) ++# ifdef CLOSE_RANGE_UNSHARE ++# define close_range_flags CLOSE_RANGE_UNSHARE ++# else ++# define close_range_flags 0 ++#endif ++ close_range(3, ~0U, close_range_flags); ++#endif ++ execl(cmd, cmd, arg1, (char *)NULL); + perror(cmd); + goto err; + } +@@ -235,12 +246,12 @@ OpenReadFile( + if ( ext && !strcmp(ext, ".Z") ) + { + mdata->type = XPMPIPE; +- mdata->stream.file = xpmPipeThrough(fd, "uncompress", "-c", "r"); ++ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_UNCOMPRESS, "-c", "r"); + } + else if ( ext && !strcmp(ext, ".gz") ) + { + mdata->type = XPMPIPE; +- mdata->stream.file = xpmPipeThrough(fd, "gunzip", "-qc", "r"); ++ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GUNZIP, "-qc", "r"); + } + else + #endif /* z-files */ +diff --git a/src/WrFFrI.c b/src/WrFFrI.c +index 328c987..d59098f 100644 +--- a/src/WrFFrI.c ++++ b/src/WrFFrI.c +@@ -342,10 +342,10 @@ OpenWriteFile( + #ifndef NO_ZPIPE + len = strlen(filename); + if (len > 2 && !strcmp(".Z", filename + (len - 2))) { +- mdata->stream.file = xpmPipeThrough(fd, "compress", NULL, "w"); ++ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_COMPRESS, NULL, "w"); + mdata->type = XPMPIPE; + } else if (len > 3 && !strcmp(".gz", filename + (len - 3))) { +- mdata->stream.file = xpmPipeThrough(fd, "gzip", "-q", "w"); ++ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-q", "w"); + mdata->type = XPMPIPE; + } else + #endif +-- +2.39.0 + diff --git a/0006-Use-gzip-d-instead-of-gunzip.patch b/0006-Use-gzip-d-instead-of-gunzip.patch new file mode 100644 index 0000000..ec399bc --- /dev/null +++ b/0006-Use-gzip-d-instead-of-gunzip.patch @@ -0,0 +1,68 @@ +From 999005133c928c841e98600c00e12d4c05846c91 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Mon, 16 Jan 2023 19:44:52 +1000 +Subject: [PATCH libXpm 6/6] Use gzip -d instead of gunzip + +GNU gunzip [1] is a shell script that exec's `gzip -d`. Even if we call +/usr/bin/gunzip with the correct built-in path, the actual gzip call +will use whichever gzip it finds first, making our patch pointless. + +Fix this by explicitly calling gzip -d instead. + +[1] https://git.savannah.gnu.org/cgit/gzip.git/tree/gunzip.in + +Signed-off-by: Peter Hutterer +--- + README.md | 2 +- + configure.ac | 3 +-- + src/RdFToI.c | 2 +- + 3 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/README.md b/README.md +index 0b1c886..d906954 100644 +--- a/README.md ++++ b/README.md +@@ -41,5 +41,5 @@ the first version found in the PATH used to run configure, and do not depend + on the PATH environment variable set at runtime. + + To specify paths to be used for these commands instead of searching $PATH, pass +-the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, XPM_PATH_GZIP, and XPM_PATH_GUNZIP ++the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, and XPM_PATH_GZIP + variables to the configure command. +diff --git a/configure.ac b/configure.ac +index 4fc370d..5535998 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -58,7 +58,7 @@ AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path to $2]) + ]) dnl End of AC_DEFUN([XPM_PATH_PROG]... + + # Optional feature: When a filename ending in .Z or .gz is requested, +-# open a pipe to a newly forked compress/uncompress/gzip/gunzip command to ++# open a pipe to a newly forked compress/uncompress/gzip command to + # handle it. + AC_MSG_CHECKING([whether to handle compressed pixmaps]) + case $host_os in +@@ -76,7 +76,6 @@ else + XPM_PATH_PROG([XPM_PATH_COMPRESS], [compress]) + XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress]) + XPM_PATH_PROG([XPM_PATH_GZIP], [gzip]) +- XPM_PATH_PROG([XPM_PATH_GUNZIP], [gunzip]) + AC_CHECK_FUNCS([closefrom close_range], [break]) + fi + +diff --git a/src/RdFToI.c b/src/RdFToI.c +index a91d337..141c485 100644 +--- a/src/RdFToI.c ++++ b/src/RdFToI.c +@@ -251,7 +251,7 @@ OpenReadFile( + else if ( ext && !strcmp(ext, ".gz") ) + { + mdata->type = XPMPIPE; +- mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GUNZIP, "-qc", "r"); ++ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-dqc", "r"); + } + else + #endif /* z-files */ +-- +2.39.0 + diff --git a/libXpm.spec b/libXpm.spec index 834f705..5f88dab 100644 --- a/libXpm.spec +++ b/libXpm.spec @@ -1,7 +1,7 @@ Summary: X.Org X11 libXpm runtime library Name: libXpm Version: 3.5.13 -Release: 7%{?dist} +Release: 8%{?dist} License: MIT URL: http://www.x.org @@ -11,6 +11,17 @@ BuildRequires: xorg-x11-util-macros BuildRequires: autoconf automake libtool make BuildRequires: gettext BuildRequires: pkgconfig(xext) pkgconfig(xt) pkgconfig(xau) +BuildRequires: ncompress gzip + +# CVE-2022-46285 +Patch0001: 0001-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch +# CVE-2022-44617 +Patch0002: 0002-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch +Patch0003: 0003-Prevent-a-double-free-in-the-error-code-path.patch +# CVE-2022-4883 +Patch0004: 0004-configure-add-disable-open-zfile-instead-of-requirin.patch +Patch0005: 0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch +Patch0006: 0006-Use-gzip-d-instead-of-gunzip.patch %description X.Org X11 libXpm runtime library @@ -25,6 +36,13 @@ X.Org X11 libXpm development package %prep %setup -q +%patch0001 -p1 +%patch0002 -p1 +%patch0003 -p1 +%patch0004 -p1 +%patch0005 -p1 +%patch0006 -p1 + %build autoreconf -v --install --force %configure --disable-static @@ -57,6 +75,11 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la #%{_mandir}/man1/*.1x* %changelog +* Mon Jan 16 2023 Peter Hutterer - 3.5.13-8 +- Fix CVE-2022-46285: infinite loop on unclosed comments (#2160230) +- Fix CVE-2022-44617: runaway loop with width of 0 (#2160232) +- Fix CVE-2022-4883: compression depends on $PATH (#2160242) + * Mon Aug 09 2021 Mohan Boddu - 3.5.13-7 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688