Drop hardening patches from previous version
This commit is contained in:
parent
a3c0591d4a
commit
b90e166e3c
1
.libXpm.metadata
Normal file
1
.libXpm.metadata
Normal file
@ -0,0 +1 @@
|
||||
38b1a2728adb49f4e255aba1530f51789815ffc4 libXpm-3.5.13.tar.bz2
|
@ -1,284 +0,0 @@
|
||||
From 84fb14574c039f19ad7face87eb9acc31a50701c Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Wed, 6 Sep 2023 17:34:33 -0700
|
||||
Subject: [PATCH] Avoid CVE-2023-43786: stack exhaustion in XPutImage()
|
||||
|
||||
This doesn't fix the CVE - that has to happen in libX11, this
|
||||
just tries to avoid triggering it from libXpm, and saves time
|
||||
in not pretending we can successfully create an X11 pixmap with
|
||||
dimensions larger than the unsigned 16-bit integers used in the
|
||||
X11 protocol for the dimensions.
|
||||
|
||||
Reported by Yair Mizrahi of the JFrog Vulnerability Research team
|
||||
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
src/CrPFrBuf.c | 28 +++++++++++++++++++++++-----
|
||||
src/CrPFrDat.c | 31 +++++++++++++++++++++++--------
|
||||
src/CrPFrI.c | 10 +++++++++-
|
||||
src/RdFToP.c | 28 +++++++++++++++++++++++-----
|
||||
src/XpmI.h | 2 +-
|
||||
src/create.c | 28 +++++++++++++++++++++++-----
|
||||
6 files changed, 102 insertions(+), 25 deletions(-)
|
||||
|
||||
diff --git a/src/CrPFrBuf.c b/src/CrPFrBuf.c
|
||||
index 2c28a41..e9e2243 100644
|
||||
--- a/src/CrPFrBuf.c
|
||||
+++ b/src/CrPFrBuf.c
|
||||
@@ -46,7 +46,7 @@ XpmCreatePixmapFromBuffer(
|
||||
Pixmap *shapemask_return,
|
||||
XpmAttributes *attributes)
|
||||
{
|
||||
- XImage *ximage, *shapeimage;
|
||||
+ XImage *ximage = NULL, *shapeimage = NULL;
|
||||
int ErrorStatus;
|
||||
|
||||
/* initialize return values */
|
||||
@@ -63,16 +63,34 @@ XpmCreatePixmapFromBuffer(
|
||||
attributes);
|
||||
|
||||
if (ErrorStatus < 0) /* fatal error */
|
||||
- return (ErrorStatus);
|
||||
+ goto cleanup;
|
||||
|
||||
/* create the pixmaps and destroy images */
|
||||
if (pixmap_return && ximage) {
|
||||
- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
|
||||
- XDestroyImage(ximage);
|
||||
+ ErrorStatus =
|
||||
+ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
|
||||
+ if (ErrorStatus < 0) /* fatal error */
|
||||
+ goto cleanup;
|
||||
}
|
||||
if (shapemask_return && shapeimage) {
|
||||
- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
|
||||
+ ErrorStatus =
|
||||
+ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
|
||||
+ }
|
||||
+
|
||||
+ cleanup:
|
||||
+ if (ximage != NULL)
|
||||
+ XDestroyImage(ximage);
|
||||
+ if (shapeimage != NULL)
|
||||
XDestroyImage(shapeimage);
|
||||
+ if (ErrorStatus < 0) {
|
||||
+ if (pixmap_return && *pixmap_return) {
|
||||
+ XFreePixmap(display, *pixmap_return);
|
||||
+ *pixmap_return = 0;
|
||||
+ }
|
||||
+ if (shapemask_return && *shapemask_return) {
|
||||
+ XFreePixmap(display, *shapemask_return);
|
||||
+ *shapemask_return = 0;
|
||||
+ }
|
||||
}
|
||||
return (ErrorStatus);
|
||||
}
|
||||
diff --git a/src/CrPFrDat.c b/src/CrPFrDat.c
|
||||
index b65771d..8622663 100644
|
||||
--- a/src/CrPFrDat.c
|
||||
+++ b/src/CrPFrDat.c
|
||||
@@ -46,7 +46,7 @@ XpmCreatePixmapFromData(
|
||||
Pixmap *shapemask_return,
|
||||
XpmAttributes *attributes)
|
||||
{
|
||||
- XImage *ximage, *shapeimage;
|
||||
+ XImage *ximage = NULL, *shapeimage = NULL;
|
||||
int ErrorStatus;
|
||||
|
||||
/* initialize return values */
|
||||
@@ -63,19 +63,34 @@ XpmCreatePixmapFromData(
|
||||
attributes);
|
||||
|
||||
if (ErrorStatus != XpmSuccess)
|
||||
- return (ErrorStatus);
|
||||
-
|
||||
- if (ErrorStatus < 0) /* fatal error */
|
||||
- return (ErrorStatus);
|
||||
+ goto cleanup;
|
||||
|
||||
/* create the pixmaps and destroy images */
|
||||
if (pixmap_return && ximage) {
|
||||
- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
|
||||
- XDestroyImage(ximage);
|
||||
+ ErrorStatus =
|
||||
+ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
|
||||
+ if (ErrorStatus < 0) /* fatal error */
|
||||
+ goto cleanup;
|
||||
}
|
||||
if (shapemask_return && shapeimage) {
|
||||
- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
|
||||
+ ErrorStatus =
|
||||
+ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
|
||||
+ }
|
||||
+
|
||||
+ cleanup:
|
||||
+ if (ximage != NULL)
|
||||
+ XDestroyImage(ximage);
|
||||
+ if (shapeimage != NULL)
|
||||
XDestroyImage(shapeimage);
|
||||
+ if (ErrorStatus < 0) {
|
||||
+ if (pixmap_return && *pixmap_return) {
|
||||
+ XFreePixmap(display, *pixmap_return);
|
||||
+ *pixmap_return = 0;
|
||||
+ }
|
||||
+ if (shapemask_return && *shapemask_return) {
|
||||
+ XFreePixmap(display, *shapemask_return);
|
||||
+ *shapemask_return = 0;
|
||||
+ }
|
||||
}
|
||||
return (ErrorStatus);
|
||||
}
|
||||
diff --git a/src/CrPFrI.c b/src/CrPFrI.c
|
||||
index 8f6f4aa..f6688c5 100644
|
||||
--- a/src/CrPFrI.c
|
||||
+++ b/src/CrPFrI.c
|
||||
@@ -36,8 +36,9 @@
|
||||
#include <config.h>
|
||||
#endif
|
||||
#include "XpmI.h"
|
||||
+#include <stdint.h>
|
||||
|
||||
-void
|
||||
+int
|
||||
xpmCreatePixmapFromImage(
|
||||
Display *display,
|
||||
Drawable d,
|
||||
@@ -47,6 +48,11 @@ xpmCreatePixmapFromImage(
|
||||
GC gc;
|
||||
XGCValues values;
|
||||
|
||||
+ /* X Pixmaps are limited to unsigned 16-bit height/width */
|
||||
+ if ((ximage->width > UINT16_MAX) || (ximage->height > UINT16_MAX)) {
|
||||
+ return XpmNoMemory;
|
||||
+ }
|
||||
+
|
||||
*pixmap_return = XCreatePixmap(display, d, ximage->width,
|
||||
ximage->height, ximage->depth);
|
||||
/* set fg and bg in case we have an XYBitmap */
|
||||
@@ -59,4 +65,6 @@ xpmCreatePixmapFromImage(
|
||||
ximage->width, ximage->height);
|
||||
|
||||
XFreeGC(display, gc);
|
||||
+
|
||||
+ return XpmSuccess;
|
||||
}
|
||||
diff --git a/src/RdFToP.c b/src/RdFToP.c
|
||||
index f829757..2c3e7f9 100644
|
||||
--- a/src/RdFToP.c
|
||||
+++ b/src/RdFToP.c
|
||||
@@ -46,7 +46,7 @@ XpmReadFileToPixmap(
|
||||
Pixmap *shapemask_return,
|
||||
XpmAttributes *attributes)
|
||||
{
|
||||
- XImage *ximage, *shapeimage;
|
||||
+ XImage *ximage = NULL, *shapeimage = NULL;
|
||||
int ErrorStatus;
|
||||
|
||||
/* initialize return values */
|
||||
@@ -62,16 +62,34 @@ XpmReadFileToPixmap(
|
||||
attributes);
|
||||
|
||||
if (ErrorStatus < 0) /* fatal error */
|
||||
- return (ErrorStatus);
|
||||
+ goto cleanup;
|
||||
|
||||
/* create the pixmaps and destroy images */
|
||||
if (pixmap_return && ximage) {
|
||||
- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
|
||||
- XDestroyImage(ximage);
|
||||
+ ErrorStatus =
|
||||
+ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
|
||||
+ if (ErrorStatus < 0) /* fatal error */
|
||||
+ goto cleanup;
|
||||
}
|
||||
if (shapemask_return && shapeimage) {
|
||||
- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
|
||||
+ ErrorStatus =
|
||||
+ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
|
||||
+ }
|
||||
+
|
||||
+ cleanup:
|
||||
+ if (ximage != NULL)
|
||||
+ XDestroyImage(ximage);
|
||||
+ if (shapeimage != NULL)
|
||||
XDestroyImage(shapeimage);
|
||||
+ if (ErrorStatus < 0) {
|
||||
+ if (pixmap_return && *pixmap_return) {
|
||||
+ XFreePixmap(display, *pixmap_return);
|
||||
+ *pixmap_return = 0;
|
||||
+ }
|
||||
+ if (shapemask_return && *shapemask_return) {
|
||||
+ XFreePixmap(display, *shapemask_return);
|
||||
+ *shapemask_return = 0;
|
||||
+ }
|
||||
}
|
||||
return (ErrorStatus);
|
||||
}
|
||||
diff --git a/src/XpmI.h b/src/XpmI.h
|
||||
index ab7a680..6691693 100644
|
||||
--- a/src/XpmI.h
|
||||
+++ b/src/XpmI.h
|
||||
@@ -195,7 +195,7 @@ FUNC(xpmSetAttributes, void, (XpmAttributes *attributes, XpmImage *image,
|
||||
XpmInfo *info));
|
||||
|
||||
#if !defined(FOR_MSW) && !defined(AMIGA)
|
||||
-FUNC(xpmCreatePixmapFromImage, void, (Display *display, Drawable d,
|
||||
+FUNC(xpmCreatePixmapFromImage, int, (Display *display, Drawable d,
|
||||
XImage *ximage, Pixmap *pixmap_return));
|
||||
|
||||
FUNC(xpmCreateImageFromPixmap, void, (Display *display, Pixmap pixmap,
|
||||
diff --git a/src/create.c b/src/create.c
|
||||
index 4921c7d..ec562b2 100644
|
||||
--- a/src/create.c
|
||||
+++ b/src/create.c
|
||||
@@ -1652,7 +1652,7 @@ XpmCreatePixmapFromXpmImage(
|
||||
Pixmap *shapemask_return,
|
||||
XpmAttributes *attributes)
|
||||
{
|
||||
- XImage *ximage, *shapeimage;
|
||||
+ XImage *ximage = NULL, *shapeimage = NULL;
|
||||
int ErrorStatus;
|
||||
|
||||
/* initialize return values */
|
||||
@@ -1668,16 +1668,34 @@ XpmCreatePixmapFromXpmImage(
|
||||
&shapeimage : NULL),
|
||||
attributes);
|
||||
if (ErrorStatus < 0)
|
||||
- return (ErrorStatus);
|
||||
+ goto cleanup;
|
||||
|
||||
/* create the pixmaps and destroy images */
|
||||
if (pixmap_return && ximage) {
|
||||
- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
|
||||
- XDestroyImage(ximage);
|
||||
+ ErrorStatus =
|
||||
+ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
|
||||
+ if (ErrorStatus < 0) /* fatal error */
|
||||
+ goto cleanup;
|
||||
}
|
||||
if (shapemask_return && shapeimage) {
|
||||
- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
|
||||
+ ErrorStatus =
|
||||
+ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
|
||||
+ }
|
||||
+
|
||||
+ cleanup:
|
||||
+ if (ximage != NULL)
|
||||
+ XDestroyImage(ximage);
|
||||
+ if (shapeimage != NULL)
|
||||
XDestroyImage(shapeimage);
|
||||
+ if (ErrorStatus < 0) {
|
||||
+ if (pixmap_return && *pixmap_return) {
|
||||
+ XFreePixmap(display, *pixmap_return);
|
||||
+ *pixmap_return = 0;
|
||||
+ }
|
||||
+ if (shapemask_return && *shapemask_return) {
|
||||
+ XFreePixmap(display, *shapemask_return);
|
||||
+ *shapemask_return = 0;
|
||||
+ }
|
||||
}
|
||||
return (ErrorStatus);
|
||||
}
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,35 +0,0 @@
|
||||
From 91f887b41bf75648df725a4ed3be036da02e911e Mon Sep 17 00:00:00 2001
|
||||
From: Yair Mizrahi <yairm@jfrog.com>
|
||||
Date: Thu, 7 Sep 2023 16:59:07 -0700
|
||||
Subject: [PATCH] Avoid CVE-2023-43787 (integer overflow in XCreateImage)
|
||||
|
||||
This doesn't fix the CVE - that has to happen in libX11, this
|
||||
just tries to avoid triggering it from libXpm, and saves time
|
||||
in not pretending we can successfully create an X Image for
|
||||
which the width * depth would overflow the signed int used to
|
||||
store the bytes_per_line value.
|
||||
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
src/create.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/src/create.c b/src/create.c
|
||||
index ec562b2..b8c80d2 100644
|
||||
--- a/src/create.c
|
||||
+++ b/src/create.c
|
||||
@@ -997,6 +997,11 @@ CreateXImage(
|
||||
*image_return = NULL;
|
||||
return XpmNoMemory;
|
||||
}
|
||||
+ if (width != 0 && (*image_return)->bits_per_pixel >= INT_MAX / width) {
|
||||
+ XDestroyImage(*image_return);
|
||||
+ *image_return = NULL;
|
||||
+ return XpmNoMemory;
|
||||
+ }
|
||||
/* now that bytes_per_line must have been set properly alloc data */
|
||||
if((*image_return)->bytes_per_line == 0 || height == 0) {
|
||||
XDestroyImage(*image_return);
|
||||
--
|
||||
2.41.0
|
||||
|
11
libXpm.spec
11
libXpm.spec
@ -1,7 +1,7 @@
|
||||
Summary: X.Org X11 libXpm runtime library
|
||||
Name: libXpm
|
||||
Version: 3.5.13
|
||||
Release: 9%{?dist}
|
||||
Release: 10%{?dist}
|
||||
License: MIT
|
||||
URL: http://www.x.org
|
||||
|
||||
@ -26,10 +26,6 @@ Patch0006: 0006-Use-gzip-d-instead-of-gunzip.patch
|
||||
Patch0007: 0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
|
||||
# CVE-2023-43789
|
||||
Patch0008: 0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch
|
||||
# CVE-2023-43786
|
||||
Patch0009: 0001-Avoid-CVE-2023-43786-stack-exhaustion-in-XPutImage.patch
|
||||
# CVE-2023-43787
|
||||
Patch0010: 0001-Avoid-CVE-2023-43787-integer-overflow-in-XCreateImag.patch
|
||||
|
||||
%description
|
||||
X.Org X11 libXpm runtime library
|
||||
@ -52,8 +48,6 @@ X.Org X11 libXpm development package
|
||||
%patch0006 -p1
|
||||
%patch0007 -p1
|
||||
%patch0008 -p1
|
||||
%patch0009 -p1
|
||||
%patch0010 -p1
|
||||
|
||||
%build
|
||||
autoreconf -v --install --force
|
||||
@ -87,6 +81,9 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
|
||||
#%{_mandir}/man1/*.1x*
|
||||
|
||||
%changelog
|
||||
* Wed Oct 11 2023 José Expósito <jexposit@redhat.com> - 3.5.13-10
|
||||
- Drop hardening patches from previous version to keep ABI compatibility
|
||||
|
||||
* Wed Oct 11 2023 José Expósito <jexposit@redhat.com> - 3.5.13-9
|
||||
- CVE-2023-43786 libX11: stack exhaustion from infinite recursion
|
||||
in PutSubImage()
|
||||
|
Loading…
Reference in New Issue
Block a user