From 9d36f89d60bbb32a40efaf40ab63fd8f0b6966b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= Date: Wed, 11 Oct 2023 15:01:26 +0200 Subject: [PATCH] Drop hardening patches from previous version One of the patches changed a public header breaking the ABI compatibility. The patches removed patches were just for hardening, not required to fix the CVEs, so it is safe to remove them. Resolves: https://issues.redhat.com/browse/RHEL-12414 --- ...-43786-stack-exhaustion-in-XPutImage.patch | 284 ------------------ ...3787-integer-overflow-in-XCreateImag.patch | 35 --- libXpm.spec | 11 +- 3 files changed, 4 insertions(+), 326 deletions(-) delete mode 100644 0001-Avoid-CVE-2023-43786-stack-exhaustion-in-XPutImage.patch delete mode 100644 0001-Avoid-CVE-2023-43787-integer-overflow-in-XCreateImag.patch diff --git a/0001-Avoid-CVE-2023-43786-stack-exhaustion-in-XPutImage.patch b/0001-Avoid-CVE-2023-43786-stack-exhaustion-in-XPutImage.patch deleted file mode 100644 index 4c8e17d..0000000 --- a/0001-Avoid-CVE-2023-43786-stack-exhaustion-in-XPutImage.patch +++ /dev/null @@ -1,284 +0,0 @@ -From 84fb14574c039f19ad7face87eb9acc31a50701c Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Wed, 6 Sep 2023 17:34:33 -0700 -Subject: [PATCH] Avoid CVE-2023-43786: stack exhaustion in XPutImage() - -This doesn't fix the CVE - that has to happen in libX11, this -just tries to avoid triggering it from libXpm, and saves time -in not pretending we can successfully create an X11 pixmap with -dimensions larger than the unsigned 16-bit integers used in the -X11 protocol for the dimensions. - -Reported by Yair Mizrahi of the JFrog Vulnerability Research team - -Signed-off-by: Alan Coopersmith ---- - src/CrPFrBuf.c | 28 +++++++++++++++++++++++----- - src/CrPFrDat.c | 31 +++++++++++++++++++++++-------- - src/CrPFrI.c | 10 +++++++++- - src/RdFToP.c | 28 +++++++++++++++++++++++----- - src/XpmI.h | 2 +- - src/create.c | 28 +++++++++++++++++++++++----- - 6 files changed, 102 insertions(+), 25 deletions(-) - -diff --git a/src/CrPFrBuf.c b/src/CrPFrBuf.c -index 2c28a41..e9e2243 100644 ---- a/src/CrPFrBuf.c -+++ b/src/CrPFrBuf.c -@@ -46,7 +46,7 @@ XpmCreatePixmapFromBuffer( - Pixmap *shapemask_return, - XpmAttributes *attributes) - { -- XImage *ximage, *shapeimage; -+ XImage *ximage = NULL, *shapeimage = NULL; - int ErrorStatus; - - /* initialize return values */ -@@ -63,16 +63,34 @@ XpmCreatePixmapFromBuffer( - attributes); - - if (ErrorStatus < 0) /* fatal error */ -- return (ErrorStatus); -+ goto cleanup; - - /* create the pixmaps and destroy images */ - if (pixmap_return && ximage) { -- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); -- XDestroyImage(ximage); -+ ErrorStatus = -+ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); -+ if (ErrorStatus < 0) /* fatal error */ -+ goto cleanup; - } - if (shapemask_return && shapeimage) { -- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); -+ ErrorStatus = -+ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); -+ } -+ -+ cleanup: -+ if (ximage != NULL) -+ XDestroyImage(ximage); -+ if (shapeimage != NULL) - XDestroyImage(shapeimage); -+ if (ErrorStatus < 0) { -+ if (pixmap_return && *pixmap_return) { -+ XFreePixmap(display, *pixmap_return); -+ *pixmap_return = 0; -+ } -+ if (shapemask_return && *shapemask_return) { -+ XFreePixmap(display, *shapemask_return); -+ *shapemask_return = 0; -+ } - } - return (ErrorStatus); - } -diff --git a/src/CrPFrDat.c b/src/CrPFrDat.c -index b65771d..8622663 100644 ---- a/src/CrPFrDat.c -+++ b/src/CrPFrDat.c -@@ -46,7 +46,7 @@ XpmCreatePixmapFromData( - Pixmap *shapemask_return, - XpmAttributes *attributes) - { -- XImage *ximage, *shapeimage; -+ XImage *ximage = NULL, *shapeimage = NULL; - int ErrorStatus; - - /* initialize return values */ -@@ -63,19 +63,34 @@ XpmCreatePixmapFromData( - attributes); - - if (ErrorStatus != XpmSuccess) -- return (ErrorStatus); -- -- if (ErrorStatus < 0) /* fatal error */ -- return (ErrorStatus); -+ goto cleanup; - - /* create the pixmaps and destroy images */ - if (pixmap_return && ximage) { -- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); -- XDestroyImage(ximage); -+ ErrorStatus = -+ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); -+ if (ErrorStatus < 0) /* fatal error */ -+ goto cleanup; - } - if (shapemask_return && shapeimage) { -- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); -+ ErrorStatus = -+ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); -+ } -+ -+ cleanup: -+ if (ximage != NULL) -+ XDestroyImage(ximage); -+ if (shapeimage != NULL) - XDestroyImage(shapeimage); -+ if (ErrorStatus < 0) { -+ if (pixmap_return && *pixmap_return) { -+ XFreePixmap(display, *pixmap_return); -+ *pixmap_return = 0; -+ } -+ if (shapemask_return && *shapemask_return) { -+ XFreePixmap(display, *shapemask_return); -+ *shapemask_return = 0; -+ } - } - return (ErrorStatus); - } -diff --git a/src/CrPFrI.c b/src/CrPFrI.c -index 8f6f4aa..f6688c5 100644 ---- a/src/CrPFrI.c -+++ b/src/CrPFrI.c -@@ -36,8 +36,9 @@ - #include - #endif - #include "XpmI.h" -+#include - --void -+int - xpmCreatePixmapFromImage( - Display *display, - Drawable d, -@@ -47,6 +48,11 @@ xpmCreatePixmapFromImage( - GC gc; - XGCValues values; - -+ /* X Pixmaps are limited to unsigned 16-bit height/width */ -+ if ((ximage->width > UINT16_MAX) || (ximage->height > UINT16_MAX)) { -+ return XpmNoMemory; -+ } -+ - *pixmap_return = XCreatePixmap(display, d, ximage->width, - ximage->height, ximage->depth); - /* set fg and bg in case we have an XYBitmap */ -@@ -59,4 +65,6 @@ xpmCreatePixmapFromImage( - ximage->width, ximage->height); - - XFreeGC(display, gc); -+ -+ return XpmSuccess; - } -diff --git a/src/RdFToP.c b/src/RdFToP.c -index f829757..2c3e7f9 100644 ---- a/src/RdFToP.c -+++ b/src/RdFToP.c -@@ -46,7 +46,7 @@ XpmReadFileToPixmap( - Pixmap *shapemask_return, - XpmAttributes *attributes) - { -- XImage *ximage, *shapeimage; -+ XImage *ximage = NULL, *shapeimage = NULL; - int ErrorStatus; - - /* initialize return values */ -@@ -62,16 +62,34 @@ XpmReadFileToPixmap( - attributes); - - if (ErrorStatus < 0) /* fatal error */ -- return (ErrorStatus); -+ goto cleanup; - - /* create the pixmaps and destroy images */ - if (pixmap_return && ximage) { -- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); -- XDestroyImage(ximage); -+ ErrorStatus = -+ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); -+ if (ErrorStatus < 0) /* fatal error */ -+ goto cleanup; - } - if (shapemask_return && shapeimage) { -- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); -+ ErrorStatus = -+ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); -+ } -+ -+ cleanup: -+ if (ximage != NULL) -+ XDestroyImage(ximage); -+ if (shapeimage != NULL) - XDestroyImage(shapeimage); -+ if (ErrorStatus < 0) { -+ if (pixmap_return && *pixmap_return) { -+ XFreePixmap(display, *pixmap_return); -+ *pixmap_return = 0; -+ } -+ if (shapemask_return && *shapemask_return) { -+ XFreePixmap(display, *shapemask_return); -+ *shapemask_return = 0; -+ } - } - return (ErrorStatus); - } -diff --git a/src/XpmI.h b/src/XpmI.h -index ab7a680..6691693 100644 ---- a/src/XpmI.h -+++ b/src/XpmI.h -@@ -195,7 +195,7 @@ FUNC(xpmSetAttributes, void, (XpmAttributes *attributes, XpmImage *image, - XpmInfo *info)); - - #if !defined(FOR_MSW) && !defined(AMIGA) --FUNC(xpmCreatePixmapFromImage, void, (Display *display, Drawable d, -+FUNC(xpmCreatePixmapFromImage, int, (Display *display, Drawable d, - XImage *ximage, Pixmap *pixmap_return)); - - FUNC(xpmCreateImageFromPixmap, void, (Display *display, Pixmap pixmap, -diff --git a/src/create.c b/src/create.c -index 4921c7d..ec562b2 100644 ---- a/src/create.c -+++ b/src/create.c -@@ -1652,7 +1652,7 @@ XpmCreatePixmapFromXpmImage( - Pixmap *shapemask_return, - XpmAttributes *attributes) - { -- XImage *ximage, *shapeimage; -+ XImage *ximage = NULL, *shapeimage = NULL; - int ErrorStatus; - - /* initialize return values */ -@@ -1668,16 +1668,34 @@ XpmCreatePixmapFromXpmImage( - &shapeimage : NULL), - attributes); - if (ErrorStatus < 0) -- return (ErrorStatus); -+ goto cleanup; - - /* create the pixmaps and destroy images */ - if (pixmap_return && ximage) { -- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); -- XDestroyImage(ximage); -+ ErrorStatus = -+ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); -+ if (ErrorStatus < 0) /* fatal error */ -+ goto cleanup; - } - if (shapemask_return && shapeimage) { -- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); -+ ErrorStatus = -+ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); -+ } -+ -+ cleanup: -+ if (ximage != NULL) -+ XDestroyImage(ximage); -+ if (shapeimage != NULL) - XDestroyImage(shapeimage); -+ if (ErrorStatus < 0) { -+ if (pixmap_return && *pixmap_return) { -+ XFreePixmap(display, *pixmap_return); -+ *pixmap_return = 0; -+ } -+ if (shapemask_return && *shapemask_return) { -+ XFreePixmap(display, *shapemask_return); -+ *shapemask_return = 0; -+ } - } - return (ErrorStatus); - } --- -2.41.0 - diff --git a/0001-Avoid-CVE-2023-43787-integer-overflow-in-XCreateImag.patch b/0001-Avoid-CVE-2023-43787-integer-overflow-in-XCreateImag.patch deleted file mode 100644 index f744b30..0000000 --- a/0001-Avoid-CVE-2023-43787-integer-overflow-in-XCreateImag.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 91f887b41bf75648df725a4ed3be036da02e911e Mon Sep 17 00:00:00 2001 -From: Yair Mizrahi -Date: Thu, 7 Sep 2023 16:59:07 -0700 -Subject: [PATCH] Avoid CVE-2023-43787 (integer overflow in XCreateImage) - -This doesn't fix the CVE - that has to happen in libX11, this -just tries to avoid triggering it from libXpm, and saves time -in not pretending we can successfully create an X Image for -which the width * depth would overflow the signed int used to -store the bytes_per_line value. - -Signed-off-by: Alan Coopersmith ---- - src/create.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/create.c b/src/create.c -index ec562b2..b8c80d2 100644 ---- a/src/create.c -+++ b/src/create.c -@@ -997,6 +997,11 @@ CreateXImage( - *image_return = NULL; - return XpmNoMemory; - } -+ if (width != 0 && (*image_return)->bits_per_pixel >= INT_MAX / width) { -+ XDestroyImage(*image_return); -+ *image_return = NULL; -+ return XpmNoMemory; -+ } - /* now that bytes_per_line must have been set properly alloc data */ - if((*image_return)->bytes_per_line == 0 || height == 0) { - XDestroyImage(*image_return); --- -2.41.0 - diff --git a/libXpm.spec b/libXpm.spec index f9ed4ff..ac46961 100644 --- a/libXpm.spec +++ b/libXpm.spec @@ -1,7 +1,7 @@ Summary: X.Org X11 libXpm runtime library Name: libXpm Version: 3.5.13 -Release: 9%{?dist} +Release: 10%{?dist} License: MIT URL: http://www.x.org @@ -26,10 +26,6 @@ Patch0006: 0006-Use-gzip-d-instead-of-gunzip.patch Patch0007: 0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch # CVE-2023-43789 Patch0008: 0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch -# CVE-2023-43786 -Patch0009: 0001-Avoid-CVE-2023-43786-stack-exhaustion-in-XPutImage.patch -# CVE-2023-43787 -Patch0010: 0001-Avoid-CVE-2023-43787-integer-overflow-in-XCreateImag.patch %description X.Org X11 libXpm runtime library @@ -52,8 +48,6 @@ X.Org X11 libXpm development package %patch0006 -p1 %patch0007 -p1 %patch0008 -p1 -%patch0009 -p1 -%patch0010 -p1 %build autoreconf -v --install --force @@ -87,6 +81,9 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la #%{_mandir}/man1/*.1x* %changelog +* Wed Oct 11 2023 José Expósito - 3.5.13-10 +- Drop hardening patches from previous version to keep ABI compatibility + * Wed Oct 11 2023 José Expósito - 3.5.13-9 - CVE-2023-43786 libX11: stack exhaustion from infinite recursion in PutSubImage()