import libXpm-3.5.13-8.el9_1

2023-03-28 10:50:23 +00:00 · 2023-03-28 10:50:23 +00:00 · d3f58669be
commit d3f58669be
parent c14112c52e
7 changed files with 558 additions and 1 deletions
--- a/SOURCES/0001-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch
+++ b/SOURCES/0001-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch
@ -0,0 +1,37 @@
 From c6cd85b7d0a725552a7277748504a33f0fc3e121 Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Sat, 17 Dec 2022 12:23:45 -0800
 Subject: [PATCH libXpm 1/6] Fix CVE-2022-46285: Infinite loop on unclosed
 comments
 When reading XPM images from a file with libXpm 3.5.14 or older, if a
 comment in the file is not closed (i.e. a C-style comment starts with
 "/*" and is missing the closing "*/"), the ParseComment() function will
 loop forever calling getc() to try to read the rest of the comment,
 failing to notice that it has returned EOF, which may cause a denial of
 service to the calling program.
 Reported-by: Marco Ivaldi <raptor@0xdeadbeef.info>
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 ---
 src/data.c | 4 ++++
 1 file changed, 4 insertions(+)
 diff --git a/src/data.c b/src/data.c
 index 898889c..bfad4ff 100644
 --- a/src/data.c
 +++ b/src/data.c
@@ -174,6 +174,10 @@ ParseComment(xpmData *data)
 		notend = 0;
 		Ungetc(data, *s, file);
 	    }
 +	    else if (c == EOF) {
 +		/* hit end of file before the end of the comment */
 +		return XpmFileInvalid;
 +	    }
 	}
 	return 0;
     }
 -- 
 2.39.0
--- a/SOURCES/0002-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch
+++ b/SOURCES/0002-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch
@ -0,0 +1,151 @@
 From 0a1959b3b061d2e6d0a512e83035d84e5828f388 Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Sat, 7 Jan 2023 12:44:28 -0800
 Subject: [PATCH libXpm 2/6] Fix CVE-2022-44617: Runaway loop with width of 0
 and enormous height
 When reading XPM images from a file with libXpm 3.5.14 or older, if a
 image has a width of 0 and a very large height, the ParsePixels() function
 will loop over the entire height calling getc() and ungetc() repeatedly,
 or in some circumstances, may loop seemingly forever, which may cause a
 denial of service to the calling program when given a small crafted XPM
 file to parse.
 Closes: #2
 Reported-by: Martin Ettl <ettl.martin78@googlemail.com>
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 ---
 src/data.c  | 20 ++++++++++++++------
 src/parse.c | 31 +++++++++++++++++++++++++++----
 2 files changed, 41 insertions(+), 10 deletions(-)
 diff --git a/src/data.c b/src/data.c
 index bfad4ff..7524e65 100644
 --- a/src/data.c
 +++ b/src/data.c
@@ -195,19 +195,23 @@ xpmNextString(xpmData *data)
 	register char c;
 	/* get to the end of the current string */
 -	if (data->Eos)
 -	    while ((c = *data->cptr++) && c != data->Eos);
 +	if (data->Eos) {
 +	    while ((c = *data->cptr++) && c != data->Eos && c != '\0');
 +
 +	    if (c == '\0')
 +		return XpmFileInvalid;
 +	}
 	/*
 	 * then get to the beginning of the next string looking for possible
 	 * comment
 	 */
 	if (data->Bos) {
 -	    while ((c = *data->cptr++) && c != data->Bos)
 +	    while ((c = *data->cptr++) && c != data->Bos && c != '\0')
 		if (data->Bcmt && c == data->Bcmt[0])
 		    ParseComment(data);
 	} else if (data->Bcmt) {	/* XPM2 natural */
 -	    while ((c = *data->cptr++) == data->Bcmt[0])
 +	    while (((c = *data->cptr++) == data->Bcmt[0]) && c != '\0')
 		ParseComment(data);
 	    data->cptr--;
 	}
@@ -216,9 +220,13 @@ xpmNextString(xpmData *data)
 	FILE *file = data->stream.file;
 	/* get to the end of the current string */
 -	if (data->Eos)
 +	if (data->Eos) {
 	    while ((c = Getc(data, file)) != data->Eos && c != EOF);
 +	    if (c == EOF)
 +		return XpmFileInvalid;
 +	}
 +
 	/*
 	 * then get to the beginning of the next string looking for possible
 	 * comment
@@ -234,7 +242,7 @@ xpmNextString(xpmData *data)
 	    Ungetc(data, c, file);
 	}
     }
 -    return 0;
 +    return XpmSuccess;
 }
 diff --git a/src/parse.c b/src/parse.c
 index 613529e..606789d 100644
 --- a/src/parse.c
 +++ b/src/parse.c
@@ -427,6 +427,13 @@ ParsePixels(
 {
     unsigned int *iptr, *iptr2 = NULL; /* found by Egbert Eich */
     unsigned int a, x, y;
 +    int ErrorStatus;
 +
 +    if ((width == 0) && (height != 0))
 +	return (XpmFileInvalid);
 +
 +    if ((height == 0) && (width != 0))
 +	return (XpmFileInvalid);
     if ((height > 0 && width >= UINT_MAX / height) ||
 	width * height >= UINT_MAX / sizeof(unsigned int))
@@ -464,7 +471,11 @@ ParsePixels(
 		colidx[(unsigned char)colorTable[a].string[0]] = a + 1;
 	    for (y = 0; y < height; y++) {
 -		xpmNextString(data);
 +		ErrorStatus = xpmNextString(data);
 +		if (ErrorStatus != XpmSuccess) {
 +		    XpmFree(iptr2);
 +		    return (ErrorStatus);
 +		}
 		for (x = 0; x < width; x++, iptr++) {
 		    int c = xpmGetC(data);
@@ -511,7 +522,11 @@ do \
 	    }
 	    for (y = 0; y < height; y++) {
 -		xpmNextString(data);
 +		ErrorStatus = xpmNextString(data);
 +		if (ErrorStatus != XpmSuccess) {
 +		    XpmFree(iptr2);
 +		    return (ErrorStatus);
 +		}
 		for (x = 0; x < width; x++, iptr++) {
 		    int cc1 = xpmGetC(data);
 		    if (cc1 > 0 && cc1 < 256) {
@@ -551,7 +566,11 @@ do \
 		xpmHashAtom *slot;
 		for (y = 0; y < height; y++) {
 -		    xpmNextString(data);
 +		    ErrorStatus = xpmNextString(data);
 +		    if (ErrorStatus != XpmSuccess) {
 +			XpmFree(iptr2);
 +			return (ErrorStatus);
 +		    }
 		    for (x = 0; x < width; x++, iptr++) {
 			for (a = 0, s = buf; a < cpp; a++, s++) {
 			    int c = xpmGetC(data);
@@ -571,7 +590,11 @@ do \
 		}
 	    } else {
 		for (y = 0; y < height; y++) {
 -		    xpmNextString(data);
 +		    ErrorStatus = xpmNextString(data);
 +		    if (ErrorStatus != XpmSuccess) {
 +			XpmFree(iptr2);
 +			return (ErrorStatus);
 +		    }
 		    for (x = 0; x < width; x++, iptr++) {
 			for (a = 0, s = buf; a < cpp; a++, s++) {
 			    int c = xpmGetC(data);
 -- 
 2.39.0
--- a/SOURCES/0003-Prevent-a-double-free-in-the-error-code-path.patch
+++ b/SOURCES/0003-Prevent-a-double-free-in-the-error-code-path.patch
@ -0,0 +1,39 @@
 From ad5a88046266478c2c9600f6d8a11ab707cb4c7e Mon Sep 17 00:00:00 2001
 From: Matthieu Herrb <matthieu@herrb.eu>
 Date: Thu, 12 Jan 2023 15:05:39 +1000
 Subject: [PATCH libXpm 3/6] Prevent a double free in the error code path
 xpmParseDataAndCreate() calls XDestroyImage() in the error path.
 Reproducible with sxpm "zero-width.xpm", that file is in the test/
 directory.
 The same approach is needed in the bytes_per_line == 0 condition though
 here it just plugs a memory leak.
 ---
 src/create.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
 diff --git a/src/create.c b/src/create.c
 index a750846..0f3735c 100644
 --- a/src/create.c
 +++ b/src/create.c
@@ -994,11 +994,15 @@ CreateXImage(
 #if !defined(FOR_MSW) && !defined(AMIGA)
     if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) {
 	XDestroyImage(*image_return);
 +	*image_return = NULL;
 	return XpmNoMemory;
     }
     /* now that bytes_per_line must have been set properly alloc data */
 -    if((*image_return)->bytes_per_line == 0 ||  height == 0)
 +    if((*image_return)->bytes_per_line == 0 ||  height == 0) {
 +	XDestroyImage(*image_return);
 +	*image_return = NULL;
     	return XpmNoMemory;
 +    }
     (*image_return)->data =
 	(char *) XpmMalloc((*image_return)->bytes_per_line * height);
 -- 
 2.39.0
--- a/SOURCES/0004-configure-add-disable-open-zfile-instead-of-requirin.patch
+++ b/SOURCES/0004-configure-add-disable-open-zfile-instead-of-requirin.patch
@ -0,0 +1,95 @@
 From 6fd1ea0d559a433aecccb21b63e91776e05a0831 Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Thu, 5 Jan 2023 15:42:36 -0800
 Subject: [PATCH libXpm 4/6] configure: add --disable-open-zfile instead of
 requiring -DNO_ZPIPE
 Documents the two compression options in the README, makes their
 configure options reflect the interdependency of their implementation,
 and makes the configure script report their configuration.
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 ---
 README.md    | 15 +++++++++++++++
 configure.ac | 36 +++++++++++++++++++++++-------------
 2 files changed, 38 insertions(+), 13 deletions(-)
 diff --git a/README.md b/README.md
 index f661e15..f3f4c93 100644
 --- a/README.md
 +++ b/README.md
@@ -16,3 +16,18 @@ For patch submission instructions, see:
   https://www.x.org/wiki/Development/Documentation/SubmittingPatches
 +------------------------------------------------------------------------------
 +
 +libXpm supports two optional features to handle compressed pixmap files.
 +
 +--enable-open-zfile makes libXpm recognize file names ending in .Z and .gz
 +and open a pipe to the appropriate command to compress the file when writing
 +and uncompress the file when reading. This is enabled by default on platforms
 +other than MinGW and can be disabled by passing the --disable-open-zfile flag
 +to the configure script.
 +
 +--enable-stat-zfile make libXpm search for a file name with .Z or .gz added
 +if it can't find the file it was asked to open.  It relies on the
 +--enable-open-zfile feature to open the file, and is enabled by default
 +when --enable-open-zfile is enabled, and can be disabled by passing the
 +--disable-stat-zfile flag to the configure script.
 diff --git a/configure.ac b/configure.ac
 index 365544b..85e2c73 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -49,25 +49,35 @@ if test "x$USE_GETTEXT" = "xyes" ; then
 fi
 AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes")
 +# Optional feature: When a filename ending in .Z or .gz is requested,
 +# open a pipe to a newly forked compress/uncompress/gzip/gunzip command to
 +# handle it.
 +AC_MSG_CHECKING([whether to handle compressed pixmaps])
 +case $host_os in
 +        *mingw*)        zpipe_default="no" ;;
 +        *)              zpipe_default="yes" ;;
 +esac
 +AC_ARG_ENABLE(open-zfile,
 +        AS_HELP_STRING([--enable-open-zfile],
 +                        [Search for files with .Z & .gz extensions automatically @<:@default=auto@:>@]),
 +              [OPEN_ZFILE=$enableval], [OPEN_ZFILE=yes])
 +AC_MSG_RESULT([$OPEN_ZFILE])
 +if test x$OPEN_ZFILE = xno ; then
 +        AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes])
 +fi
 +
 # Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz
 # Replaces ZFILEDEF = -DSTAT_ZFILE in old Imakefile
 +AC_MSG_CHECKING([whether to search for compressed pixmaps])
 AC_ARG_ENABLE(stat-zfile,
 -	AS_HELP_STRING([--enable-stat-zfile],
 -			[Search for files with .Z & .gz extensions automatically @<:@default=yes@:>@]),
 -              [STAT_ZFILE=$enableval], [STAT_ZFILE=yes])
 +        AS_HELP_STRING([--enable-stat-zfile],
 +                        [Search for files with .Z & .gz extensions automatically @<:@default=auto@:>@]),
 +              [STAT_ZFILE=$enableval], [STAT_ZFILE=$OPEN_ZFILE])
 +AC_MSG_RESULT([$STAT_ZFILE])
 if test x$STAT_ZFILE = xyes ; then
 -	AC_DEFINE(STAT_ZFILE, 1, [Define to 1 to automatically look for files with .Z & .gz extensions])
 +        AC_DEFINE(STAT_ZFILE, 1, [Define to 1 to automatically look for files with .Z & .gz extensions])
 fi
 -
 -case $host_os in
 -	*mingw*)
 -                AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes])
 -	;;
 -	*)
 -	;;
 -esac
 -
 AC_CONFIG_FILES([Makefile
                  doc/Makefile
                  include/Makefile
 -- 
 2.39.0
--- a/SOURCES/0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
+++ b/SOURCES/0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
@ -0,0 +1,144 @@
 From cdbc3fa8edc5b42391a5f2bfe1a8f6099929acf7 Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Fri, 6 Jan 2023 12:50:48 -0800
 Subject: [PATCH libXpm 5/6] Fix CVE-2022-4883: compression commands depend on
 $PATH
 By default, on all platforms except MinGW, libXpm will detect if a
 filename ends in .Z or .gz, and will when reading such a file fork off
 an uncompress or gunzip command to read from via a pipe, and when
 writing such a file will fork off a compress or gzip command to write
 to via a pipe.
 In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH
 to find the commands.  If libXpm is called from a program running with
 raised privileges, such as via setuid, then a malicious user could set
 $PATH to include programs of their choosing to be run with those
 privileges.
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 ---
 README.md    | 12 ++++++++++++
 configure.ac | 14 ++++++++++++++
 src/RdFToI.c | 17 ++++++++++++++---
 src/WrFFrI.c |  4 ++--
 4 files changed, 42 insertions(+), 5 deletions(-)
 diff --git a/README.md b/README.md
 index f3f4c93..0b1c886 100644
 --- a/README.md
 +++ b/README.md
@@ -31,3 +31,15 @@ if it can't find the file it was asked to open.  It relies on the
 --enable-open-zfile feature to open the file, and is enabled by default
 when --enable-open-zfile is enabled, and can be disabled by passing the
 --disable-stat-zfile flag to the configure script.
 +
 +All of these commands will be executed with whatever userid & privileges the
 +function is called with, relying on the caller to ensure the correct euid,
 +egid, etc. are set before calling.
 +
 +To reduce risk, the paths to these commands are now set at configure time to
 +the first version found in the PATH used to run configure, and do not depend
 +on the PATH environment variable set at runtime.
 +
 +To specify paths to be used for these commands instead of searching $PATH, pass
 +the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, XPM_PATH_GZIP, and XPM_PATH_GUNZIP
 +variables to the configure command.
 diff --git a/configure.ac b/configure.ac
 index 85e2c73..4fc370d 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -49,6 +49,14 @@ if test "x$USE_GETTEXT" = "xyes" ; then
 fi
 AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes")
 +dnl Helper macro to find absolute path to program and add a #define for it
 +AC_DEFUN([XPM_PATH_PROG],[
 +AC_PATH_PROG([$1], [$2], [])
 +AS_IF([test "x$$1" = "x"],
 +      [AC_MSG_ERROR([$2 not found, set $1 or use --disable-stat-zfile])])
 +AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path to $2])
 +]) dnl End of AC_DEFUN([XPM_PATH_PROG]...
 +
 # Optional feature: When a filename ending in .Z or .gz is requested,
 # open a pipe to a newly forked compress/uncompress/gzip/gunzip command to
 # handle it.
@@ -64,6 +72,12 @@ AC_ARG_ENABLE(open-zfile,
 AC_MSG_RESULT([$OPEN_ZFILE])
 if test x$OPEN_ZFILE = xno ; then
         AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes])
 +else
 +        XPM_PATH_PROG([XPM_PATH_COMPRESS], [compress])
 +        XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress])
 +        XPM_PATH_PROG([XPM_PATH_GZIP], [gzip])
 +        XPM_PATH_PROG([XPM_PATH_GUNZIP], [gunzip])
 +        AC_CHECK_FUNCS([closefrom close_range], [break])
 fi
 # Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz
 diff --git a/src/RdFToI.c b/src/RdFToI.c
 index bd09611..a91d337 100644
 --- a/src/RdFToI.c
 +++ b/src/RdFToI.c
@@ -43,6 +43,7 @@
 #include <errno.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 +#include <unistd.h>
 #else
 #ifdef FOR_MSW
 #include <fcntl.h>
@@ -161,7 +162,17 @@ xpmPipeThrough(
 	    goto err;
 	if ( 0 == pid )
 	{
 -	    execlp(cmd, cmd, arg1, (char *)NULL);
 +#ifdef HAVE_CLOSEFROM
 +	    closefrom(3);
 +#elif defined(HAVE_CLOSE_RANGE)
 +# ifdef CLOSE_RANGE_UNSHARE
 +#  define close_range_flags CLOSE_RANGE_UNSHARE
 +# else
 +#  define close_range_flags 0
 +#endif
 +	    close_range(3, ~0U, close_range_flags);
 +#endif
 +	    execl(cmd, cmd, arg1, (char *)NULL);
 	    perror(cmd);
 	    goto err;
 	}
@@ -235,12 +246,12 @@ OpenReadFile(
 	if ( ext && !strcmp(ext, ".Z") )
 	{
 	    mdata->type = XPMPIPE;
 -	    mdata->stream.file = xpmPipeThrough(fd, "uncompress", "-c", "r");
 +	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_UNCOMPRESS, "-c", "r");
 	}
 	else if ( ext && !strcmp(ext, ".gz") )
 	{
 	    mdata->type = XPMPIPE;
 -	    mdata->stream.file = xpmPipeThrough(fd, "gunzip", "-qc", "r");
 +	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GUNZIP, "-qc", "r");
 	}
 	else
 #endif /* z-files */
 diff --git a/src/WrFFrI.c b/src/WrFFrI.c
 index 328c987..d59098f 100644
 --- a/src/WrFFrI.c
 +++ b/src/WrFFrI.c
@@ -342,10 +342,10 @@ OpenWriteFile(
 #ifndef NO_ZPIPE
 	len = strlen(filename);
 	if (len > 2 && !strcmp(".Z", filename + (len - 2))) {
 -	    mdata->stream.file = xpmPipeThrough(fd, "compress", NULL, "w");
 +	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_COMPRESS, NULL, "w");
 	    mdata->type = XPMPIPE;
 	} else if (len > 3 && !strcmp(".gz", filename + (len - 3))) {
 -	    mdata->stream.file = xpmPipeThrough(fd, "gzip", "-q", "w");
 +	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-q", "w");
 	    mdata->type = XPMPIPE;
 	} else
 #endif
 -- 
 2.39.0
--- a/SOURCES/0006-Use-gzip-d-instead-of-gunzip.patch
+++ b/SOURCES/0006-Use-gzip-d-instead-of-gunzip.patch
@ -0,0 +1,68 @@
 From 999005133c928c841e98600c00e12d4c05846c91 Mon Sep 17 00:00:00 2001
 From: Peter Hutterer <peter.hutterer@who-t.net>
 Date: Mon, 16 Jan 2023 19:44:52 +1000
 Subject: [PATCH libXpm 6/6] Use gzip -d instead of gunzip
 GNU gunzip [1] is a shell script that exec's `gzip -d`. Even if we call
 /usr/bin/gunzip with the correct built-in path, the actual gzip call
 will use whichever gzip it finds first, making our patch pointless.
 Fix this by explicitly calling gzip -d instead.
 [1] https://git.savannah.gnu.org/cgit/gzip.git/tree/gunzip.in
 Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
 ---
 README.md    | 2 +-
 configure.ac | 3 +--
 src/RdFToI.c | 2 +-
 3 files changed, 3 insertions(+), 4 deletions(-)
 diff --git a/README.md b/README.md
 index 0b1c886..d906954 100644
 --- a/README.md
 +++ b/README.md
@@ -41,5 +41,5 @@ the first version found in the PATH used to run configure, and do not depend
 on the PATH environment variable set at runtime.
 To specify paths to be used for these commands instead of searching $PATH, pass
 -the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, XPM_PATH_GZIP, and XPM_PATH_GUNZIP
 +the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, and XPM_PATH_GZIP
 variables to the configure command.
 diff --git a/configure.ac b/configure.ac
 index 4fc370d..5535998 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -58,7 +58,7 @@ AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path to $2])
 ]) dnl End of AC_DEFUN([XPM_PATH_PROG]...
 # Optional feature: When a filename ending in .Z or .gz is requested,
 -# open a pipe to a newly forked compress/uncompress/gzip/gunzip command to
 +# open a pipe to a newly forked compress/uncompress/gzip command to
 # handle it.
 AC_MSG_CHECKING([whether to handle compressed pixmaps])
 case $host_os in
@@ -76,7 +76,6 @@ else
         XPM_PATH_PROG([XPM_PATH_COMPRESS], [compress])
         XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress])
         XPM_PATH_PROG([XPM_PATH_GZIP], [gzip])
 -        XPM_PATH_PROG([XPM_PATH_GUNZIP], [gunzip])
         AC_CHECK_FUNCS([closefrom close_range], [break])
 fi
 diff --git a/src/RdFToI.c b/src/RdFToI.c
 index a91d337..141c485 100644
 --- a/src/RdFToI.c
 +++ b/src/RdFToI.c
@@ -251,7 +251,7 @@ OpenReadFile(
 	else if ( ext && !strcmp(ext, ".gz") )
 	{
 	    mdata->type = XPMPIPE;
 -	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GUNZIP, "-qc", "r");
 +	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-dqc", "r");
 	}
 	else
 #endif /* z-files */
 -- 
 2.39.0
--- a/SPECS/libXpm.spec
+++ b/SPECS/libXpm.spec
@ -1,7 +1,7 @@
 Summary: X.Org X11 libXpm runtime library
 Name: libXpm
 Version: 3.5.13
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: MIT
 URL: http://www.x.org
@ -11,6 +11,17 @@ BuildRequires: xorg-x11-util-macros
 BuildRequires: autoconf automake libtool make
 BuildRequires: gettext
 BuildRequires: pkgconfig(xext) pkgconfig(xt) pkgconfig(xau)
 BuildRequires: ncompress gzip
 # CVE-2022-46285
 Patch0001: 0001-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch
 # CVE-2022-44617
 Patch0002: 0002-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch
 Patch0003: 0003-Prevent-a-double-free-in-the-error-code-path.patch
 # CVE-2022-4883
 Patch0004: 0004-configure-add-disable-open-zfile-instead-of-requirin.patch
 Patch0005: 0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
 Patch0006: 0006-Use-gzip-d-instead-of-gunzip.patch
 %description
 X.Org X11 libXpm runtime library
@ -25,6 +36,13 @@ X.Org X11 libXpm development package
 %prep
 %setup -q
 %patch0001 -p1
 %patch0002 -p1
 %patch0003 -p1
 %patch0004 -p1
 %patch0005 -p1
 %patch0006 -p1
 %build
 autoreconf -v --install --force
 %configure --disable-static
@ -57,6 +75,11 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
 #%{_mandir}/man1/*.1x*
 %changelog
 * Mon Jan 16 2023 Peter Hutterer <peter.hutterer@redhat.com> - 3.5.13-8
 - Fix CVE-2022-46285: infinite loop on unclosed comments (#2160230)
 - Fix CVE-2022-44617: runaway loop with width of 0 (#2160232)
 - Fix CVE-2022-4883: compression depends on $PATH (#2160242)
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.5.13-7
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688