Drop hardening patches from previous version

This commit is contained in:
José Expósito 2023-10-11 15:01:26 +02:00 committed by root
parent a3c0591d4a
commit b90e166e3c
4 changed files with 5 additions and 326 deletions

1
.libXpm.metadata Normal file
View File

@ -0,0 +1 @@
38b1a2728adb49f4e255aba1530f51789815ffc4 libXpm-3.5.13.tar.bz2

View File

@ -1,284 +0,0 @@
From 84fb14574c039f19ad7face87eb9acc31a50701c Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Wed, 6 Sep 2023 17:34:33 -0700
Subject: [PATCH] Avoid CVE-2023-43786: stack exhaustion in XPutImage()
This doesn't fix the CVE - that has to happen in libX11, this
just tries to avoid triggering it from libXpm, and saves time
in not pretending we can successfully create an X11 pixmap with
dimensions larger than the unsigned 16-bit integers used in the
X11 protocol for the dimensions.
Reported by Yair Mizrahi of the JFrog Vulnerability Research team
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/CrPFrBuf.c | 28 +++++++++++++++++++++++-----
src/CrPFrDat.c | 31 +++++++++++++++++++++++--------
src/CrPFrI.c | 10 +++++++++-
src/RdFToP.c | 28 +++++++++++++++++++++++-----
src/XpmI.h | 2 +-
src/create.c | 28 +++++++++++++++++++++++-----
6 files changed, 102 insertions(+), 25 deletions(-)
diff --git a/src/CrPFrBuf.c b/src/CrPFrBuf.c
index 2c28a41..e9e2243 100644
--- a/src/CrPFrBuf.c
+++ b/src/CrPFrBuf.c
@@ -46,7 +46,7 @@ XpmCreatePixmapFromBuffer(
Pixmap *shapemask_return,
XpmAttributes *attributes)
{
- XImage *ximage, *shapeimage;
+ XImage *ximage = NULL, *shapeimage = NULL;
int ErrorStatus;
/* initialize return values */
@@ -63,16 +63,34 @@ XpmCreatePixmapFromBuffer(
attributes);
if (ErrorStatus < 0) /* fatal error */
- return (ErrorStatus);
+ goto cleanup;
/* create the pixmaps and destroy images */
if (pixmap_return && ximage) {
- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
- XDestroyImage(ximage);
+ ErrorStatus =
+ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
+ if (ErrorStatus < 0) /* fatal error */
+ goto cleanup;
}
if (shapemask_return && shapeimage) {
- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
+ ErrorStatus =
+ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
+ }
+
+ cleanup:
+ if (ximage != NULL)
+ XDestroyImage(ximage);
+ if (shapeimage != NULL)
XDestroyImage(shapeimage);
+ if (ErrorStatus < 0) {
+ if (pixmap_return && *pixmap_return) {
+ XFreePixmap(display, *pixmap_return);
+ *pixmap_return = 0;
+ }
+ if (shapemask_return && *shapemask_return) {
+ XFreePixmap(display, *shapemask_return);
+ *shapemask_return = 0;
+ }
}
return (ErrorStatus);
}
diff --git a/src/CrPFrDat.c b/src/CrPFrDat.c
index b65771d..8622663 100644
--- a/src/CrPFrDat.c
+++ b/src/CrPFrDat.c
@@ -46,7 +46,7 @@ XpmCreatePixmapFromData(
Pixmap *shapemask_return,
XpmAttributes *attributes)
{
- XImage *ximage, *shapeimage;
+ XImage *ximage = NULL, *shapeimage = NULL;
int ErrorStatus;
/* initialize return values */
@@ -63,19 +63,34 @@ XpmCreatePixmapFromData(
attributes);
if (ErrorStatus != XpmSuccess)
- return (ErrorStatus);
-
- if (ErrorStatus < 0) /* fatal error */
- return (ErrorStatus);
+ goto cleanup;
/* create the pixmaps and destroy images */
if (pixmap_return && ximage) {
- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
- XDestroyImage(ximage);
+ ErrorStatus =
+ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
+ if (ErrorStatus < 0) /* fatal error */
+ goto cleanup;
}
if (shapemask_return && shapeimage) {
- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
+ ErrorStatus =
+ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
+ }
+
+ cleanup:
+ if (ximage != NULL)
+ XDestroyImage(ximage);
+ if (shapeimage != NULL)
XDestroyImage(shapeimage);
+ if (ErrorStatus < 0) {
+ if (pixmap_return && *pixmap_return) {
+ XFreePixmap(display, *pixmap_return);
+ *pixmap_return = 0;
+ }
+ if (shapemask_return && *shapemask_return) {
+ XFreePixmap(display, *shapemask_return);
+ *shapemask_return = 0;
+ }
}
return (ErrorStatus);
}
diff --git a/src/CrPFrI.c b/src/CrPFrI.c
index 8f6f4aa..f6688c5 100644
--- a/src/CrPFrI.c
+++ b/src/CrPFrI.c
@@ -36,8 +36,9 @@
#include <config.h>
#endif
#include "XpmI.h"
+#include <stdint.h>
-void
+int
xpmCreatePixmapFromImage(
Display *display,
Drawable d,
@@ -47,6 +48,11 @@ xpmCreatePixmapFromImage(
GC gc;
XGCValues values;
+ /* X Pixmaps are limited to unsigned 16-bit height/width */
+ if ((ximage->width > UINT16_MAX) || (ximage->height > UINT16_MAX)) {
+ return XpmNoMemory;
+ }
+
*pixmap_return = XCreatePixmap(display, d, ximage->width,
ximage->height, ximage->depth);
/* set fg and bg in case we have an XYBitmap */
@@ -59,4 +65,6 @@ xpmCreatePixmapFromImage(
ximage->width, ximage->height);
XFreeGC(display, gc);
+
+ return XpmSuccess;
}
diff --git a/src/RdFToP.c b/src/RdFToP.c
index f829757..2c3e7f9 100644
--- a/src/RdFToP.c
+++ b/src/RdFToP.c
@@ -46,7 +46,7 @@ XpmReadFileToPixmap(
Pixmap *shapemask_return,
XpmAttributes *attributes)
{
- XImage *ximage, *shapeimage;
+ XImage *ximage = NULL, *shapeimage = NULL;
int ErrorStatus;
/* initialize return values */
@@ -62,16 +62,34 @@ XpmReadFileToPixmap(
attributes);
if (ErrorStatus < 0) /* fatal error */
- return (ErrorStatus);
+ goto cleanup;
/* create the pixmaps and destroy images */
if (pixmap_return && ximage) {
- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
- XDestroyImage(ximage);
+ ErrorStatus =
+ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
+ if (ErrorStatus < 0) /* fatal error */
+ goto cleanup;
}
if (shapemask_return && shapeimage) {
- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
+ ErrorStatus =
+ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
+ }
+
+ cleanup:
+ if (ximage != NULL)
+ XDestroyImage(ximage);
+ if (shapeimage != NULL)
XDestroyImage(shapeimage);
+ if (ErrorStatus < 0) {
+ if (pixmap_return && *pixmap_return) {
+ XFreePixmap(display, *pixmap_return);
+ *pixmap_return = 0;
+ }
+ if (shapemask_return && *shapemask_return) {
+ XFreePixmap(display, *shapemask_return);
+ *shapemask_return = 0;
+ }
}
return (ErrorStatus);
}
diff --git a/src/XpmI.h b/src/XpmI.h
index ab7a680..6691693 100644
--- a/src/XpmI.h
+++ b/src/XpmI.h
@@ -195,7 +195,7 @@ FUNC(xpmSetAttributes, void, (XpmAttributes *attributes, XpmImage *image,
XpmInfo *info));
#if !defined(FOR_MSW) && !defined(AMIGA)
-FUNC(xpmCreatePixmapFromImage, void, (Display *display, Drawable d,
+FUNC(xpmCreatePixmapFromImage, int, (Display *display, Drawable d,
XImage *ximage, Pixmap *pixmap_return));
FUNC(xpmCreateImageFromPixmap, void, (Display *display, Pixmap pixmap,
diff --git a/src/create.c b/src/create.c
index 4921c7d..ec562b2 100644
--- a/src/create.c
+++ b/src/create.c
@@ -1652,7 +1652,7 @@ XpmCreatePixmapFromXpmImage(
Pixmap *shapemask_return,
XpmAttributes *attributes)
{
- XImage *ximage, *shapeimage;
+ XImage *ximage = NULL, *shapeimage = NULL;
int ErrorStatus;
/* initialize return values */
@@ -1668,16 +1668,34 @@ XpmCreatePixmapFromXpmImage(
&shapeimage : NULL),
attributes);
if (ErrorStatus < 0)
- return (ErrorStatus);
+ goto cleanup;
/* create the pixmaps and destroy images */
if (pixmap_return && ximage) {
- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
- XDestroyImage(ximage);
+ ErrorStatus =
+ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
+ if (ErrorStatus < 0) /* fatal error */
+ goto cleanup;
}
if (shapemask_return && shapeimage) {
- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
+ ErrorStatus =
+ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
+ }
+
+ cleanup:
+ if (ximage != NULL)
+ XDestroyImage(ximage);
+ if (shapeimage != NULL)
XDestroyImage(shapeimage);
+ if (ErrorStatus < 0) {
+ if (pixmap_return && *pixmap_return) {
+ XFreePixmap(display, *pixmap_return);
+ *pixmap_return = 0;
+ }
+ if (shapemask_return && *shapemask_return) {
+ XFreePixmap(display, *shapemask_return);
+ *shapemask_return = 0;
+ }
}
return (ErrorStatus);
}
--
2.41.0

View File

@ -1,35 +0,0 @@
From 91f887b41bf75648df725a4ed3be036da02e911e Mon Sep 17 00:00:00 2001
From: Yair Mizrahi <yairm@jfrog.com>
Date: Thu, 7 Sep 2023 16:59:07 -0700
Subject: [PATCH] Avoid CVE-2023-43787 (integer overflow in XCreateImage)
This doesn't fix the CVE - that has to happen in libX11, this
just tries to avoid triggering it from libXpm, and saves time
in not pretending we can successfully create an X Image for
which the width * depth would overflow the signed int used to
store the bytes_per_line value.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/create.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/create.c b/src/create.c
index ec562b2..b8c80d2 100644
--- a/src/create.c
+++ b/src/create.c
@@ -997,6 +997,11 @@ CreateXImage(
*image_return = NULL;
return XpmNoMemory;
}
+ if (width != 0 && (*image_return)->bits_per_pixel >= INT_MAX / width) {
+ XDestroyImage(*image_return);
+ *image_return = NULL;
+ return XpmNoMemory;
+ }
/* now that bytes_per_line must have been set properly alloc data */
if((*image_return)->bytes_per_line == 0 || height == 0) {
XDestroyImage(*image_return);
--
2.41.0

View File

@ -1,7 +1,7 @@
Summary: X.Org X11 libXpm runtime library
Name: libXpm
Version: 3.5.13
Release: 9%{?dist}
Release: 10%{?dist}
License: MIT
URL: http://www.x.org
@ -26,10 +26,6 @@ Patch0006: 0006-Use-gzip-d-instead-of-gunzip.patch
Patch0007: 0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
# CVE-2023-43789
Patch0008: 0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch
# CVE-2023-43786
Patch0009: 0001-Avoid-CVE-2023-43786-stack-exhaustion-in-XPutImage.patch
# CVE-2023-43787
Patch0010: 0001-Avoid-CVE-2023-43787-integer-overflow-in-XCreateImag.patch
%description
X.Org X11 libXpm runtime library
@ -52,8 +48,6 @@ X.Org X11 libXpm development package
%patch0006 -p1
%patch0007 -p1
%patch0008 -p1
%patch0009 -p1
%patch0010 -p1
%build
autoreconf -v --install --force
@ -87,6 +81,9 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
#%{_mandir}/man1/*.1x*
%changelog
* Wed Oct 11 2023 José Expósito <jexposit@redhat.com> - 3.5.13-10
- Drop hardening patches from previous version to keep ABI compatibility
* Wed Oct 11 2023 José Expósito <jexposit@redhat.com> - 3.5.13-9
- CVE-2023-43786 libX11: stack exhaustion from infinite recursion
in PutSubImage()