.gitignore

@@ -1 +1 @@
-/libXpm-*.tar.xz
+SOURCES/libXpm-3.5.12.tar.bz2

.libXpm.metadata

@@ -0,0 +1 @@
+4e22fefe61714209539b08051b5287bcd9ecfd04 SOURCES/libXpm-3.5.12.tar.bz2

SOURCES/0001-After-fdopen-use-fclose-instead-of-close-in-error-pa.patch

@@ -0,0 +1,40 @@
+From e00066fb973a1796dd3989e356e17c8b51add521 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sun, 30 Sep 2018 15:09:29 -0700
+Subject: [PATCH 1/3] After fdopen(), use fclose() instead of close() in error
+ path
+
+Found by Oracle's Parfait 2.2 static analyzer:
+
+Error: File Leak
+   File Leak [file-ptr-leak]:
+      Leaked File fp
+        at line 94 of lib/libXpm/src/RdFToBuf.c in function 'XpmReadFileToBuffer
+'.
+          fp initialized at line 86 with fdopen
+          fp leaks when len < 0 at line 92.
+
+Introduced-by: commit 8b3024e6871ce50b34bf2dff924774bd654703bc
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ src/RdFToBuf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/RdFToBuf.c b/src/RdFToBuf.c
+index 69e3347d24f2..1b386f81fde3 100644
+--- a/src/RdFToBuf.c
++++ b/src/RdFToBuf.c
+@@ -90,7 +90,7 @@ XpmReadFileToBuffer(
+     }
+     len = stats.st_size;
+     if (len < 0 || len >= SIZE_MAX) {
+-	close(fd);
++	fclose(fp);
+ 	return XpmOpenFailed;
+     }
+     ptr = (char *) XpmMalloc(len + 1);
+-- 
+2.23.0
+

SOURCES/0001-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch

@@ -0,0 +1,37 @@
+From ec75b3393506a6f71a477ac3982b31a48a42c196 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 17 Dec 2022 12:23:45 -0800
+Subject: [PATCH libXpm 1/5] Fix CVE-2022-46285: Infinite loop on unclosed
+ comments
+
+When reading XPM images from a file with libXpm 3.5.14 or older, if a
+comment in the file is not closed (i.e. a C-style comment starts with
+"/*" and is missing the closing "*/"), the ParseComment() function will
+loop forever calling getc() to try to read the rest of the comment,
+failing to notice that it has returned EOF, which may cause a denial of
+service to the calling program.
+
+Reported-by: Marco Ivaldi <raptor@0xdeadbeef.info>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/data.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/data.c b/src/data.c
+index 898889c..bfad4ff 100644
+--- a/src/data.c
++++ b/src/data.c
+@@ -174,6 +174,10 @@ ParseComment(xpmData *data)
+ 		notend = 0;
+ 		Ungetc(data, *s, file);
+ 	    }
++	    else if (c == EOF) {
++		/* hit end of file before the end of the comment */
++		return XpmFileInvalid;
++	    }
+ 	}
+ 	return 0;
+     }
+-- 
+2.39.0
+

SOURCES/0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch

@@ -0,0 +1,32 @@
+From 2fa554b01ef6079a9b35df9332bdc4f139ed67e0 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 29 Apr 2023 17:50:39 -0700
+Subject: [PATCH] Fix CVE-2023-43788: Out of bounds read in
+ XpmCreateXpmImageFromBuffer
+
+When the test case for CVE-2022-46285 was run with the Address Sanitizer
+enabled, it found an out-of-bounds read in ParseComment() when reading
+from a memory buffer instead of a file, as it continued to look for the
+closing comment marker past the end of the buffer.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/data.c b/src/data.c
+index 7524e65..0b0f1f3 100644
+--- a/src/data.c
++++ b/src/data.c
+@@ -108,7 +108,7 @@ ParseComment(xpmData *data)
+ 		n++;
+ 		s2++;
+ 	    } while (c == *s2 && *s2 != '\0' && c);
+-	    if (*s2 == '\0') {
++	    if (*s2 == '\0' || c == '\0') {
+ 		/* this is the end of the comment */
+ 		notend = 0;
+ 		data->cptr--;
+-- 
+2.41.0
+

SOURCES/0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch

@@ -0,0 +1,36 @@
+From 7e21cb63b9a1ca760a06cc4cd9b19bbc3fcd8f51 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 29 Apr 2023 18:30:34 -0700
+Subject: [PATCH] Fix CVE-2023-43789: Out of bounds read on XPM with corrupted
+ colormap
+
+Found with clang's libfuzzer
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/data.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/data.c b/src/data.c
+index 0b0f1f3..6e87455 100644
+--- a/src/data.c
++++ b/src/data.c
+@@ -259,13 +259,13 @@ xpmNextWord(
+     int c;
+ 
+     if (!data->type || data->type == XPMBUFFER) {
+-	while (isspace(c = *data->cptr) && c != data->Eos)
++	while ((c = *data->cptr) && isspace(c) && (c != data->Eos))
+ 	    data->cptr++;
+ 	do {
+ 	    c = *data->cptr++;
+ 	    *buf++ = c;
+ 	    n++;
+-	} while (!isspace(c) && c != data->Eos && n < buflen);
++	} while (c && !isspace(c) && (c != data->Eos) && (n < buflen));
+ 	n--;
+ 	data->cptr--;
+     } else {
+-- 
+2.41.0
+

SOURCES/0002-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch

@@ -0,0 +1,151 @@
+From 52603840b1c5d923cc998335fb651a53d42a036c Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 7 Jan 2023 12:44:28 -0800
+Subject: [PATCH libXpm 2/5] Fix CVE-2022-44617: Runaway loop with width of 0
+ and enormous height
+
+When reading XPM images from a file with libXpm 3.5.14 or older, if a
+image has a width of 0 and a very large height, the ParsePixels() function
+will loop over the entire height calling getc() and ungetc() repeatedly,
+or in some circumstances, may loop seemingly forever, which may cause a
+denial of service to the calling program when given a small crafted XPM
+file to parse.
+
+Closes: #2
+
+Reported-by: Martin Ettl <ettl.martin78@googlemail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/data.c  | 20 ++++++++++++++------
+ src/parse.c | 31 +++++++++++++++++++++++++++----
+ 2 files changed, 41 insertions(+), 10 deletions(-)
+
+diff --git a/src/data.c b/src/data.c
+index bfad4ff..7524e65 100644
+--- a/src/data.c
++++ b/src/data.c
+@@ -195,19 +195,23 @@ xpmNextString(xpmData *data)
+ 	register char c;
+ 
+ 	/* get to the end of the current string */
+-	if (data->Eos)
+-	    while ((c = *data->cptr++) && c != data->Eos);
++	if (data->Eos) {
++	    while ((c = *data->cptr++) && c != data->Eos && c != '\0');
++
++	    if (c == '\0')
++		return XpmFileInvalid;
++	}
+ 
+ 	/*
+ 	 * then get to the beginning of the next string looking for possible
+ 	 * comment
+ 	 */
+ 	if (data->Bos) {
+-	    while ((c = *data->cptr++) && c != data->Bos)
++	    while ((c = *data->cptr++) && c != data->Bos && c != '\0')
+ 		if (data->Bcmt && c == data->Bcmt[0])
+ 		    ParseComment(data);
+ 	} else if (data->Bcmt) {	/* XPM2 natural */
+-	    while ((c = *data->cptr++) == data->Bcmt[0])
++	    while (((c = *data->cptr++) == data->Bcmt[0]) && c != '\0')
+ 		ParseComment(data);
+ 	    data->cptr--;
+ 	}
+@@ -216,9 +220,13 @@ xpmNextString(xpmData *data)
+ 	FILE *file = data->stream.file;
+ 
+ 	/* get to the end of the current string */
+-	if (data->Eos)
++	if (data->Eos) {
+ 	    while ((c = Getc(data, file)) != data->Eos && c != EOF);
+ 
++	    if (c == EOF)
++		return XpmFileInvalid;
++	}
++
+ 	/*
+ 	 * then get to the beginning of the next string looking for possible
+ 	 * comment
+@@ -234,7 +242,7 @@ xpmNextString(xpmData *data)
+ 	    Ungetc(data, c, file);
+ 	}
+     }
+-    return 0;
++    return XpmSuccess;
+ }
+ 
+ 
+diff --git a/src/parse.c b/src/parse.c
+index c19209c..e97d771 100644
+--- a/src/parse.c
++++ b/src/parse.c
+@@ -391,6 +391,13 @@ ParsePixels(
+ {
+     unsigned int *iptr, *iptr2 = NULL; /* found by Egbert Eich */
+     unsigned int a, x, y;
++    int ErrorStatus;
++
++    if ((width == 0) && (height != 0))
++	return (XpmFileInvalid);
++
++    if ((height == 0) && (width != 0))
++	return (XpmFileInvalid);
+ 
+     if ((height > 0 && width >= UINT_MAX / height) ||
+ 	width * height >= UINT_MAX / sizeof(unsigned int))
+@@ -428,7 +435,11 @@ ParsePixels(
+ 		colidx[(unsigned char)colorTable[a].string[0]] = a + 1;
+ 
+ 	    for (y = 0; y < height; y++) {
+-		xpmNextString(data);
++		ErrorStatus = xpmNextString(data);
++		if (ErrorStatus != XpmSuccess) {
++		    XpmFree(iptr2);
++		    return (ErrorStatus);
++		}
+ 		for (x = 0; x < width; x++, iptr++) {
+ 		    int c = xpmGetC(data);
+ 
+@@ -475,7 +486,11 @@ do \
+ 	    }
+ 
+ 	    for (y = 0; y < height; y++) {
+-		xpmNextString(data);
++		ErrorStatus = xpmNextString(data);
++		if (ErrorStatus != XpmSuccess) {
++		    XpmFree(iptr2);
++		    return (ErrorStatus);
++		}
+ 		for (x = 0; x < width; x++, iptr++) {
+ 		    int cc1 = xpmGetC(data);
+ 		    if (cc1 > 0 && cc1 < 256) {
+@@ -515,7 +530,11 @@ do \
+ 		xpmHashAtom *slot;
+ 
+ 		for (y = 0; y < height; y++) {
+-		    xpmNextString(data);
++		    ErrorStatus = xpmNextString(data);
++		    if (ErrorStatus != XpmSuccess) {
++			XpmFree(iptr2);
++			return (ErrorStatus);
++		    }
+ 		    for (x = 0; x < width; x++, iptr++) {
+ 			for (a = 0, s = buf; a < cpp; a++, s++) {
+ 			    int c = xpmGetC(data);
+@@ -535,7 +554,11 @@ do \
+ 		}
+ 	    } else {
+ 		for (y = 0; y < height; y++) {
+-		    xpmNextString(data);
++		    ErrorStatus = xpmNextString(data);
++		    if (ErrorStatus != XpmSuccess) {
++			XpmFree(iptr2);
++			return (ErrorStatus);
++		    }
+ 		    for (x = 0; x < width; x++, iptr++) {
+ 			for (a = 0, s = buf; a < cpp; a++, s++) {
+ 			    int c = xpmGetC(data);
+-- 
+2.39.0
+

SOURCES/0003-Prevent-a-double-free-in-the-error-code-path.patch

@@ -0,0 +1,39 @@
+From 7cc2c568412ec63cc5efeec8edbdfc300c09835c Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Thu, 12 Jan 2023 15:05:39 +1000
+Subject: [PATCH libXpm 3/5] Prevent a double free in the error code path
+
+xpmParseDataAndCreate() calls XDestroyImage() in the error path.
+Reproducible with sxpm "zero-width.xpm", that file is in the test/
+directory.
+
+The same approach is needed in the bytes_per_line == 0 condition though
+here it just plugs a memory leak.
+---
+ src/create.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/create.c b/src/create.c
+index a750846..0f3735c 100644
+--- a/src/create.c
++++ b/src/create.c
+@@ -994,11 +994,15 @@ CreateXImage(
+ #if !defined(FOR_MSW) && !defined(AMIGA)
+     if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) {
+ 	XDestroyImage(*image_return);
++	*image_return = NULL;
+ 	return XpmNoMemory;
+     }
+     /* now that bytes_per_line must have been set properly alloc data */
+-    if((*image_return)->bytes_per_line == 0 ||  height == 0)
++    if((*image_return)->bytes_per_line == 0 ||  height == 0) {
++	XDestroyImage(*image_return);
++	*image_return = NULL;
+     	return XpmNoMemory;
++    }
+     (*image_return)->data =
+ 	(char *) XpmMalloc((*image_return)->bytes_per_line * height);
+ 
+-- 
+2.39.0
+

SOURCES/0004-configure-add-disable-open-zfile-instead-of-requirin.patch

@@ -0,0 +1,95 @@
+From d51766c94c6dffa59c087b27b2b20b53ff957b98 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 5 Jan 2023 15:42:36 -0800
+Subject: [PATCH libXpm 4/5] configure: add --disable-open-zfile instead of
+ requiring -DNO_ZPIPE
+
+Documents the two compression options in the README, makes their
+configure options reflect the interdependency of their implementation,
+and makes the configure script report their configuration.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ README       | 15 +++++++++++++++
+ configure.ac | 36 +++++++++++++++++++++++-------------
+ 2 files changed, 38 insertions(+), 13 deletions(-)
+
+diff --git a/README b/README
+index 9d14a39..f532bef 100644
+--- a/README
++++ b/README
+@@ -23,3 +23,18 @@ For more information on the git code manager, see:
+ 
+         http://wiki.x.org/wiki/GitPage
+ 
++------------------------------------------------------------------------------
++
++libXpm supports two optional features to handle compressed pixmap files.
++
++--enable-open-zfile makes libXpm recognize file names ending in .Z and .gz
++and open a pipe to the appropriate command to compress the file when writing
++and uncompress the file when reading. This is enabled by default on platforms
++other than MinGW and can be disabled by passing the --disable-open-zfile flag
++to the configure script.
++
++--enable-stat-zfile make libXpm search for a file name with .Z or .gz added
++if it can't find the file it was asked to open.  It relies on the
++--enable-open-zfile feature to open the file, and is enabled by default
++when --enable-open-zfile is enabled, and can be disabled by passing the
++--disable-stat-zfile flag to the configure script.
+diff --git a/configure.ac b/configure.ac
+index 2feb9ff..4a8d6de 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -48,25 +48,35 @@ if test "x$USE_GETTEXT" = "xyes" ; then
+ fi
+ AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes")
+ 
++# Optional feature: When a filename ending in .Z or .gz is requested,
++# open a pipe to a newly forked compress/uncompress/gzip/gunzip command to
++# handle it.
++AC_MSG_CHECKING([whether to handle compressed pixmaps])
++case $host_os in
++        *mingw*)        zpipe_default="no" ;;
++        *)              zpipe_default="yes" ;;
++esac
++AC_ARG_ENABLE(open-zfile,
++        AS_HELP_STRING([--enable-open-zfile],
++                        [Search for files with .Z & .gz extensions automatically @<:@default=auto@:>@]),
++              [OPEN_ZFILE=$enableval], [OPEN_ZFILE=yes])
++AC_MSG_RESULT([$OPEN_ZFILE])
++if test x$OPEN_ZFILE = xno ; then
++        AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes])
++fi
++
+ # Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz
+ # Replaces ZFILEDEF = -DSTAT_ZFILE in old Imakefile
++AC_MSG_CHECKING([whether to search for compressed pixmaps])
+ AC_ARG_ENABLE(stat-zfile,
+-	AS_HELP_STRING([--enable-stat-zfile],
+-			[Search for files with .Z & .gz extensions automatically @<:@default=yes@:>@]),
+-              [STAT_ZFILE=$enableval], [STAT_ZFILE=yes])
++        AS_HELP_STRING([--enable-stat-zfile],
++                        [Search for files with .Z & .gz extensions automatically @<:@default=auto@:>@]),
++              [STAT_ZFILE=$enableval], [STAT_ZFILE=$OPEN_ZFILE])
++AC_MSG_RESULT([$STAT_ZFILE])
+ if test x$STAT_ZFILE = xyes ; then
+-	AC_DEFINE(STAT_ZFILE, 1, [Define to 1 to automatically look for files with .Z & .gz extensions])
++        AC_DEFINE(STAT_ZFILE, 1, [Define to 1 to automatically look for files with .Z & .gz extensions])
+ fi
+ 
+-
+-case $host_os in
+-	*mingw*)
+-                AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes])
+-	;;
+-	*)
+-	;;
+-esac
+-
+ AC_CONFIG_FILES([Makefile
+                  doc/Makefile
+                  include/Makefile
+-- 
+2.39.0
+

SOURCES/0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch

@@ -0,0 +1,144 @@
+From 66854ee1d187095186ae718979baf771c177002a Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 6 Jan 2023 12:50:48 -0800
+Subject: [PATCH libXpm 5/5] Fix CVE-2022-4883: compression commands depend on
+ $PATH
+
+By default, on all platforms except MinGW, libXpm will detect if a
+filename ends in .Z or .gz, and will when reading such a file fork off
+an uncompress or gunzip command to read from via a pipe, and when
+writing such a file will fork off a compress or gzip command to write
+to via a pipe.
+
+In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH
+to find the commands.  If libXpm is called from a program running with
+raised privileges, such as via setuid, then a malicious user could set
+$PATH to include programs of their choosing to be run with those
+privileges.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ README       | 12 ++++++++++++
+ configure.ac | 14 ++++++++++++++
+ src/RdFToI.c | 17 ++++++++++++++---
+ src/WrFFrI.c |  4 ++--
+ 4 files changed, 42 insertions(+), 5 deletions(-)
+
+diff --git a/README b/README
+index f532bef..c7d6dbf 100644
+--- a/README
++++ b/README
+@@ -38,3 +38,15 @@ if it can't find the file it was asked to open.  It relies on the
+ --enable-open-zfile feature to open the file, and is enabled by default
+ when --enable-open-zfile is enabled, and can be disabled by passing the
+ --disable-stat-zfile flag to the configure script.
++
++All of these commands will be executed with whatever userid & privileges the
++function is called with, relying on the caller to ensure the correct euid,
++egid, etc. are set before calling.
++
++To reduce risk, the paths to these commands are now set at configure time to
++the first version found in the PATH used to run configure, and do not depend
++on the PATH environment variable set at runtime.
++
++To specify paths to be used for these commands instead of searching $PATH, pass
++the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, XPM_PATH_GZIP, and XPM_PATH_GUNZIP
++variables to the configure command.
+diff --git a/configure.ac b/configure.ac
+index 4a8d6de..c1da348 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -48,6 +48,14 @@ if test "x$USE_GETTEXT" = "xyes" ; then
+ fi
+ AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes")
+ 
++dnl Helper macro to find absolute path to program and add a #define for it
++AC_DEFUN([XPM_PATH_PROG],[
++AC_PATH_PROG([$1], [$2], [])
++AS_IF([test "x$$1" = "x"],
++      [AC_MSG_ERROR([$2 not found, set $1 or use --disable-stat-zfile])])
++AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path to $2])
++]) dnl End of AC_DEFUN([XPM_PATH_PROG]...
++
+ # Optional feature: When a filename ending in .Z or .gz is requested,
+ # open a pipe to a newly forked compress/uncompress/gzip/gunzip command to
+ # handle it.
+@@ -63,6 +71,12 @@ AC_ARG_ENABLE(open-zfile,
+ AC_MSG_RESULT([$OPEN_ZFILE])
+ if test x$OPEN_ZFILE = xno ; then
+         AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes])
++else
++        XPM_PATH_PROG([XPM_PATH_COMPRESS], [compress])
++        XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress])
++        XPM_PATH_PROG([XPM_PATH_GZIP], [gzip])
++        XPM_PATH_PROG([XPM_PATH_GUNZIP], [gunzip])
++        AC_CHECK_FUNCS([closefrom close_range], [break])
+ fi
+ 
+ # Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz
+diff --git a/src/RdFToI.c b/src/RdFToI.c
+index bd09611..a91d337 100644
+--- a/src/RdFToI.c
++++ b/src/RdFToI.c
+@@ -43,6 +43,7 @@
+ #include <errno.h>
+ #include <sys/types.h>
+ #include <sys/wait.h>
++#include <unistd.h>
+ #else
+ #ifdef FOR_MSW
+ #include <fcntl.h>
+@@ -161,7 +162,17 @@ xpmPipeThrough(
+ 	    goto err;
+ 	if ( 0 == pid )
+ 	{
+-	    execlp(cmd, cmd, arg1, (char *)NULL);
++#ifdef HAVE_CLOSEFROM
++	    closefrom(3);
++#elif defined(HAVE_CLOSE_RANGE)
++# ifdef CLOSE_RANGE_UNSHARE
++#  define close_range_flags CLOSE_RANGE_UNSHARE
++# else
++#  define close_range_flags 0
++#endif
++	    close_range(3, ~0U, close_range_flags);
++#endif
++	    execl(cmd, cmd, arg1, (char *)NULL);
+ 	    perror(cmd);
+ 	    goto err;
+ 	}
+@@ -235,12 +246,12 @@ OpenReadFile(
+ 	if ( ext && !strcmp(ext, ".Z") )
+ 	{
+ 	    mdata->type = XPMPIPE;
+-	    mdata->stream.file = xpmPipeThrough(fd, "uncompress", "-c", "r");
++	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_UNCOMPRESS, "-c", "r");
+ 	}
+ 	else if ( ext && !strcmp(ext, ".gz") )
+ 	{
+ 	    mdata->type = XPMPIPE;
+-	    mdata->stream.file = xpmPipeThrough(fd, "gunzip", "-qc", "r");
++	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GUNZIP, "-qc", "r");
+ 	}
+ 	else
+ #endif /* z-files */
+diff --git a/src/WrFFrI.c b/src/WrFFrI.c
+index 067c96b..bc38f66 100644
+--- a/src/WrFFrI.c
++++ b/src/WrFFrI.c
+@@ -336,10 +336,10 @@ OpenWriteFile(
+ #ifndef NO_ZPIPE
+ 	len = strlen(filename);
+ 	if (len > 2 && !strcmp(".Z", filename + (len - 2))) {
+-	    mdata->stream.file = xpmPipeThrough(fd, "compress", NULL, "w");
++	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_COMPRESS, NULL, "w");
+ 	    mdata->type = XPMPIPE;
+ 	} else if (len > 3 && !strcmp(".gz", filename + (len - 3))) {
+-	    mdata->stream.file = xpmPipeThrough(fd, "gzip", "-q", "w");
++	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-q", "w");
+ 	    mdata->type = XPMPIPE;
+ 	} else
+ #endif
+-- 
+2.39.0
+

SOURCES/0006-Use-gzip-d-instead-of-gunzip.patch

@@ -0,0 +1,67 @@
+From 8b52b950360cd7224f504f294997f3a9d7e18b91 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 16 Jan 2023 19:44:52 +1000
+Subject: [PATCH libXpm] Use gzip -d instead of gunzip
+
+GNU gunzip [1] is a shell script that exec's `gzip -d`. Even if we call
+/usr/bin/gunzip with the correct built-in path, the actual gzip call
+will use whichever gzip it finds first, making our patch pointless.
+
+Fix this by explicitly calling gzip -d instead.
+
+https://git.savannah.gnu.org/cgit/gzip.git/tree/gunzip.in
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ README       | 2 +-
+ configure.ac | 3 +--
+ src/RdFToI.c | 2 +-
+ 3 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/README b/README
+index c7d6dbf..d4c7212 100644
+--- a/README
++++ b/README
+@@ -48,5 +48,5 @@ the first version found in the PATH used to run configure, and do not depend
+ on the PATH environment variable set at runtime.
+ 
+ To specify paths to be used for these commands instead of searching $PATH, pass
+-the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, XPM_PATH_GZIP, and XPM_PATH_GUNZIP
++the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, and XPM_PATH_GZIP
+ variables to the configure command.
+diff --git a/configure.ac b/configure.ac
+index c1da348..74d9856 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -57,7 +57,7 @@ AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path to $2])
+ ]) dnl End of AC_DEFUN([XPM_PATH_PROG]...
+ 
+ # Optional feature: When a filename ending in .Z or .gz is requested,
+-# open a pipe to a newly forked compress/uncompress/gzip/gunzip command to
++# open a pipe to a newly forked compress/uncompress/gzip command to
+ # handle it.
+ AC_MSG_CHECKING([whether to handle compressed pixmaps])
+ case $host_os in
+@@ -75,7 +75,6 @@ else
+         XPM_PATH_PROG([XPM_PATH_COMPRESS], [compress])
+         XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress])
+         XPM_PATH_PROG([XPM_PATH_GZIP], [gzip])
+-        XPM_PATH_PROG([XPM_PATH_GUNZIP], [gunzip])
+         AC_CHECK_FUNCS([closefrom close_range], [break])
+ fi
+ 
+diff --git a/src/RdFToI.c b/src/RdFToI.c
+index a91d337..141c485 100644
+--- a/src/RdFToI.c
++++ b/src/RdFToI.c
+@@ -251,7 +251,7 @@ OpenReadFile(
+ 	else if ( ext && !strcmp(ext, ".gz") )
+ 	{
+ 	    mdata->type = XPMPIPE;
+-	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GUNZIP, "-qc", "r");
++	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-dqc", "r");
+ 	}
+ 	else
+ #endif /* z-files */
+-- 
+2.39.0
+

SPECS/libXpm.spec

@@ -1,23 +1,41 @@
 Summary: X.Org X11 libXpm runtime library
 Name: libXpm
-Version: 3.5.17
+Version: 3.5.12
-Release: 5%{?dist}
+Release: 11%{?dist}
-License: MIT AND X11-distribute-modifications-variant
+License: MIT
+Group: System Environment/Libraries
 URL: http://www.x.org
 
-Source0: https://www.x.org/pub/individual/lib/%{name}-%{version}.tar.xz
+Source0: https://www.x.org/pub/individual/lib/%{name}-%{version}.tar.bz2
 
 BuildRequires: xorg-x11-util-macros
-BuildRequires: autoconf automake libtool make
+BuildRequires: autoconf automake libtool
 BuildRequires: gettext
 BuildRequires: pkgconfig(xext) pkgconfig(xt) pkgconfig(xau)
 BuildRequires: ncompress gzip
 
+Patch0: 0001-After-fdopen-use-fclose-instead-of-close-in-error-pa.patch
+
+# CVE-2022-46285
+Patch0001: 0001-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch
+# CVE-2022-44617
+Patch0002: 0002-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch
+Patch0003: 0003-Prevent-a-double-free-in-the-error-code-path.patch
+# CVE-2022-4883
+Patch0004: 0004-configure-add-disable-open-zfile-instead-of-requirin.patch
+Patch0005: 0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
+Patch0006: 0006-Use-gzip-d-instead-of-gunzip.patch
+# CVE-2023-43788
+Patch0007: 0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
+# CVE-2023-43789
+Patch0008: 0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch
+
 %description
 X.Org X11 libXpm runtime library
 
 %package devel
 Summary: X.Org X11 libXpm development package
+Group: Development/Libraries
 Requires: %{name} = %{version}-%{release}
 
 %description devel
@@ -25,6 +43,15 @@ X.Org X11 libXpm development package
 
 %prep
 %setup -q
+%patch0 -p1 -b .covscan
+%patch0001 -p1
+%patch0002 -p1
+%patch0003 -p1
+%patch0004 -p1
+%patch0005 -p1
+%patch0006 -p1
+%patch0007 -p1
+%patch0008 -p1
 
 %build
 autoreconf -v --install --force
@@ -53,76 +80,29 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
 %{_includedir}/X11/xpm.h
 %{_libdir}/libXpm.so
 %{_libdir}/pkgconfig/xpm.pc
+#%dir %{_mandir}/man1x
 %{_mandir}/man1/*.1*
-%{_mandir}/man3/*.3*
+#%{_mandir}/man1/*.1x*
 
 %changelog
-* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 3.5.17-5
+* Wed Oct 11 2023 José Expósito <jexposit@redhat.com> - 3.5.12-11
-- Bump release for October 2024 mass rebuild:
+- Drop hardening patches from previous version to keep ABI compatibility
-  Resolves: RHEL-64018
 
-* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.5.17-4
+* Wed Oct 11 2023 José Expósito <jexposit@redhat.com> - 3.5.12-10
-- Bump release for June 2024 mass rebuild
+- CVE-2023-43786 libX11: stack exhaustion from infinite recursion
+  in PutSubImage()
+- CVE-2023-43787 libX11: integer overflow in XCreateImage() leading to
+  a heap overflow
+- CVE-2023-43788 libXpm: out of bounds read in XpmCreateXpmImageFromBuffer()
+- CVE-2023-43789 libXpm: out of bounds read on XPM with corrupted colormap
 
-* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.17-3
+* Mon Jan 16 2023 Peter Hutterer <peter.hutterer@redhat.com> - 3.5.12-9
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+- Fix CVE-2022-46285: infinite loop on unclosed comments (#2160229)
+- Fix CVE-2022-44617: runaway loop with width of 0 (#2160231)
+- Fix CVE-2022-4883: compression depends on $PATH (#2160239)
 
-* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.17-2
+* Mon Dec 09 2019 Benjamin Tissoires <benjamin.tissoires@redhat.com> 3.5.12-8
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+- add covscan fixes (#1602606)
-
-* Thu Oct 05 2023 Peter Hutterer <peter.hutterer@redhat.com> - 3.5.17-1
-- libXpm 3.5.17
-
-* Wed Sep 06 2023 Benjamin Tissoires <benjamin.tissoires@redhat.com> - 3.5.15-5
-- SPDX migration
-
-* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.15-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-
-* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.15-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
-
-* Wed Jan 18 2023 Peter Hutterer <peter.hutterer@redhat.com> - 3.5.15-2
-- Add missing BuildRequires
-
-* Wed Jan 18 2023 Peter Hutterer <peter.hutterer@redhat.com> - 3.5.15-1
-- libXpm 3.5.15, fixes CVE-2022-46285, CVE-2022-44617, CVE-2022-4883
-
-* Wed Jan 11 2023 Peter Hutterer <peter.hutterer@redhat.com> - 3.5.14-1
-- libXpm 3.5.14
-
-* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.13-8
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.13-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.13-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.13-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Tue Jan 05 2021 Peter Hutterer <peter.hutterer@redhat.com> 3.5.13-4
-- Add make to BuildRequires
-
-* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.13-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.13-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Fri Dec 13 2019 Peter Hutterer <peter.hutterer@redhat.com> 3.5.13-1
-- libXpm 3.5.13
-
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.12-10
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.12-9
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.12-8
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
 * Thu Jul 05 2018 Adam Jackson <ajax@redhat.com> - 3.5.12-7
 - Drop useless %%defattr

gating.yaml

@@ -1,6 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-10
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: desktop-qe.desktop-ci.tier1-gating.functional}

sources

@@ -1 +0,0 @@
-SHA512 (libXpm-3.5.17.tar.xz) = 52f9d2664a47a26c1a6ad65d18867de870b66947b0b0d99cca3512756a0aaa6ce2a245c0b49f20b70c3ce48bf04c47c333e8119a147465c277bca727f6ab017e