import CS libXpm-3.5.12-11.el8
This commit is contained in:
parent
22c0994298
commit
ec5d439574
@ -0,0 +1,32 @@
|
|||||||
|
From 2fa554b01ef6079a9b35df9332bdc4f139ed67e0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||||
|
Date: Sat, 29 Apr 2023 17:50:39 -0700
|
||||||
|
Subject: [PATCH] Fix CVE-2023-43788: Out of bounds read in
|
||||||
|
XpmCreateXpmImageFromBuffer
|
||||||
|
|
||||||
|
When the test case for CVE-2022-46285 was run with the Address Sanitizer
|
||||||
|
enabled, it found an out-of-bounds read in ParseComment() when reading
|
||||||
|
from a memory buffer instead of a file, as it continued to look for the
|
||||||
|
closing comment marker past the end of the buffer.
|
||||||
|
|
||||||
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||||
|
---
|
||||||
|
src/data.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/data.c b/src/data.c
|
||||||
|
index 7524e65..0b0f1f3 100644
|
||||||
|
--- a/src/data.c
|
||||||
|
+++ b/src/data.c
|
||||||
|
@@ -108,7 +108,7 @@ ParseComment(xpmData *data)
|
||||||
|
n++;
|
||||||
|
s2++;
|
||||||
|
} while (c == *s2 && *s2 != '\0' && c);
|
||||||
|
- if (*s2 == '\0') {
|
||||||
|
+ if (*s2 == '\0' || c == '\0') {
|
||||||
|
/* this is the end of the comment */
|
||||||
|
notend = 0;
|
||||||
|
data->cptr--;
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -0,0 +1,36 @@
|
|||||||
|
From 7e21cb63b9a1ca760a06cc4cd9b19bbc3fcd8f51 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||||
|
Date: Sat, 29 Apr 2023 18:30:34 -0700
|
||||||
|
Subject: [PATCH] Fix CVE-2023-43789: Out of bounds read on XPM with corrupted
|
||||||
|
colormap
|
||||||
|
|
||||||
|
Found with clang's libfuzzer
|
||||||
|
|
||||||
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||||
|
---
|
||||||
|
src/data.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/data.c b/src/data.c
|
||||||
|
index 0b0f1f3..6e87455 100644
|
||||||
|
--- a/src/data.c
|
||||||
|
+++ b/src/data.c
|
||||||
|
@@ -259,13 +259,13 @@ xpmNextWord(
|
||||||
|
int c;
|
||||||
|
|
||||||
|
if (!data->type || data->type == XPMBUFFER) {
|
||||||
|
- while (isspace(c = *data->cptr) && c != data->Eos)
|
||||||
|
+ while ((c = *data->cptr) && isspace(c) && (c != data->Eos))
|
||||||
|
data->cptr++;
|
||||||
|
do {
|
||||||
|
c = *data->cptr++;
|
||||||
|
*buf++ = c;
|
||||||
|
n++;
|
||||||
|
- } while (!isspace(c) && c != data->Eos && n < buflen);
|
||||||
|
+ } while (c && !isspace(c) && (c != data->Eos) && (n < buflen));
|
||||||
|
n--;
|
||||||
|
data->cptr--;
|
||||||
|
} else {
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -1,7 +1,7 @@
|
|||||||
Summary: X.Org X11 libXpm runtime library
|
Summary: X.Org X11 libXpm runtime library
|
||||||
Name: libXpm
|
Name: libXpm
|
||||||
Version: 3.5.12
|
Version: 3.5.12
|
||||||
Release: 9%{?dist}
|
Release: 11%{?dist}
|
||||||
License: MIT
|
License: MIT
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
URL: http://www.x.org
|
URL: http://www.x.org
|
||||||
@ -25,6 +25,10 @@ Patch0003: 0003-Prevent-a-double-free-in-the-error-code-path.patch
|
|||||||
Patch0004: 0004-configure-add-disable-open-zfile-instead-of-requirin.patch
|
Patch0004: 0004-configure-add-disable-open-zfile-instead-of-requirin.patch
|
||||||
Patch0005: 0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
|
Patch0005: 0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
|
||||||
Patch0006: 0006-Use-gzip-d-instead-of-gunzip.patch
|
Patch0006: 0006-Use-gzip-d-instead-of-gunzip.patch
|
||||||
|
# CVE-2023-43788
|
||||||
|
Patch0007: 0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
|
||||||
|
# CVE-2023-43789
|
||||||
|
Patch0008: 0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
X.Org X11 libXpm runtime library
|
X.Org X11 libXpm runtime library
|
||||||
@ -46,6 +50,8 @@ X.Org X11 libXpm development package
|
|||||||
%patch0004 -p1
|
%patch0004 -p1
|
||||||
%patch0005 -p1
|
%patch0005 -p1
|
||||||
%patch0006 -p1
|
%patch0006 -p1
|
||||||
|
%patch0007 -p1
|
||||||
|
%patch0008 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
autoreconf -v --install --force
|
autoreconf -v --install --force
|
||||||
@ -79,10 +85,21 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
|
|||||||
#%{_mandir}/man1/*.1x*
|
#%{_mandir}/man1/*.1x*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Oct 11 2023 José Expósito <jexposit@redhat.com> - 3.5.12-11
|
||||||
|
- Drop hardening patches from previous version to keep ABI compatibility
|
||||||
|
|
||||||
|
* Wed Oct 11 2023 José Expósito <jexposit@redhat.com> - 3.5.12-10
|
||||||
|
- CVE-2023-43786 libX11: stack exhaustion from infinite recursion
|
||||||
|
in PutSubImage()
|
||||||
|
- CVE-2023-43787 libX11: integer overflow in XCreateImage() leading to
|
||||||
|
a heap overflow
|
||||||
|
- CVE-2023-43788 libXpm: out of bounds read in XpmCreateXpmImageFromBuffer()
|
||||||
|
- CVE-2023-43789 libXpm: out of bounds read on XPM with corrupted colormap
|
||||||
|
|
||||||
* Mon Jan 16 2023 Peter Hutterer <peter.hutterer@redhat.com> - 3.5.12-9
|
* Mon Jan 16 2023 Peter Hutterer <peter.hutterer@redhat.com> - 3.5.12-9
|
||||||
- Fix CVE-2022-46285: infinite loop on unclosed comments (#2161800)
|
- Fix CVE-2022-46285: infinite loop on unclosed comments (#2160229)
|
||||||
- Fix CVE-2022-44617: runaway loop with width of 0 (#2161808)
|
- Fix CVE-2022-44617: runaway loop with width of 0 (#2160231)
|
||||||
- Fix CVE-2022-4883: compression depends on $PATH (#2160238)
|
- Fix CVE-2022-4883: compression depends on $PATH (#2160239)
|
||||||
|
|
||||||
* Mon Dec 09 2019 Benjamin Tissoires <benjamin.tissoires@redhat.com> 3.5.12-8
|
* Mon Dec 09 2019 Benjamin Tissoires <benjamin.tissoires@redhat.com> 3.5.12-8
|
||||||
- add covscan fixes (#1602606)
|
- add covscan fixes (#1602606)
|
||||||
|
Loading…
Reference in New Issue
Block a user