14 changed files with 77 additions and 692 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/libXpm-3.5.12.tar.bz2
+/libXpm-*.tar.xz
--- a/.libXpm.metadata
+++ b/.libXpm.metadata
@ -1 +0,0 @@
 4e22fefe61714209539b08051b5287bcd9ecfd04 SOURCES/libXpm-3.5.12.tar.bz2
--- a/SOURCES/0001-After-fdopen-use-fclose-instead-of-close-in-error-pa.patch
+++ b/SOURCES/0001-After-fdopen-use-fclose-instead-of-close-in-error-pa.patch
@ -1,40 +0,0 @@
 From e00066fb973a1796dd3989e356e17c8b51add521 Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Sun, 30 Sep 2018 15:09:29 -0700
 Subject: [PATCH 1/3] After fdopen(), use fclose() instead of close() in error
 path
 Found by Oracle's Parfait 2.2 static analyzer:
 Error: File Leak
   File Leak [file-ptr-leak]:
      Leaked File fp
        at line 94 of lib/libXpm/src/RdFToBuf.c in function 'XpmReadFileToBuffer
 '.
          fp initialized at line 86 with fdopen
          fp leaks when len < 0 at line 92.
 Introduced-by: commit 8b3024e6871ce50b34bf2dff924774bd654703bc
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
 ---
 src/RdFToBuf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/RdFToBuf.c b/src/RdFToBuf.c
 index 69e3347d24f2..1b386f81fde3 100644
 --- a/src/RdFToBuf.c
 +++ b/src/RdFToBuf.c
@@ -90,7 +90,7 @@ XpmReadFileToBuffer(
     }
     len = stats.st_size;
     if (len < 0 || len >= SIZE_MAX) {
 -	close(fd);
 +	fclose(fp);
 	return XpmOpenFailed;
     }
     ptr = (char *) XpmMalloc(len + 1);
 -- 
 2.23.0
--- a/SOURCES/0001-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch
+++ b/SOURCES/0001-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch
@ -1,37 +0,0 @@
 From ec75b3393506a6f71a477ac3982b31a48a42c196 Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Sat, 17 Dec 2022 12:23:45 -0800
 Subject: [PATCH libXpm 1/5] Fix CVE-2022-46285: Infinite loop on unclosed
 comments
 When reading XPM images from a file with libXpm 3.5.14 or older, if a
 comment in the file is not closed (i.e. a C-style comment starts with
 "/*" and is missing the closing "*/"), the ParseComment() function will
 loop forever calling getc() to try to read the rest of the comment,
 failing to notice that it has returned EOF, which may cause a denial of
 service to the calling program.
 Reported-by: Marco Ivaldi <raptor@0xdeadbeef.info>
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 ---
 src/data.c | 4 ++++
 1 file changed, 4 insertions(+)
 diff --git a/src/data.c b/src/data.c
 index 898889c..bfad4ff 100644
 --- a/src/data.c
 +++ b/src/data.c
@@ -174,6 +174,10 @@ ParseComment(xpmData *data)
 		notend = 0;
 		Ungetc(data, *s, file);
 	    }
 +	    else if (c == EOF) {
 +		/* hit end of file before the end of the comment */
 +		return XpmFileInvalid;
 +	    }
 	}
 	return 0;
     }
 -- 
 2.39.0
--- a/SOURCES/0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
+++ b/SOURCES/0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
@ -1,32 +0,0 @@
 From 2fa554b01ef6079a9b35df9332bdc4f139ed67e0 Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Sat, 29 Apr 2023 17:50:39 -0700
 Subject: [PATCH] Fix CVE-2023-43788: Out of bounds read in
 XpmCreateXpmImageFromBuffer
 When the test case for CVE-2022-46285 was run with the Address Sanitizer
 enabled, it found an out-of-bounds read in ParseComment() when reading
 from a memory buffer instead of a file, as it continued to look for the
 closing comment marker past the end of the buffer.
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 ---
 src/data.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/data.c b/src/data.c
 index 7524e65..0b0f1f3 100644
 --- a/src/data.c
 +++ b/src/data.c
@@ -108,7 +108,7 @@ ParseComment(xpmData *data)
 		n++;
 		s2++;
 	    } while (c == *s2 && *s2 != '\0' && c);
 -	    if (*s2 == '\0') {
 +	    if (*s2 == '\0' || c == '\0') {
 		/* this is the end of the comment */
 		notend = 0;
 		data->cptr--;
 -- 
 2.41.0
--- a/SOURCES/0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch
+++ b/SOURCES/0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch
@ -1,36 +0,0 @@
 From 7e21cb63b9a1ca760a06cc4cd9b19bbc3fcd8f51 Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Sat, 29 Apr 2023 18:30:34 -0700
 Subject: [PATCH] Fix CVE-2023-43789: Out of bounds read on XPM with corrupted
 colormap
 Found with clang's libfuzzer
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 ---
 src/data.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/data.c b/src/data.c
 index 0b0f1f3..6e87455 100644
 --- a/src/data.c
 +++ b/src/data.c
@@ -259,13 +259,13 @@ xpmNextWord(
     int c;
     if (!data->type || data->type == XPMBUFFER) {
 -	while (isspace(c = *data->cptr) && c != data->Eos)
 +	while ((c = *data->cptr) && isspace(c) && (c != data->Eos))
 	    data->cptr++;
 	do {
 	    c = *data->cptr++;
 	    *buf++ = c;
 	    n++;
 -	} while (!isspace(c) && c != data->Eos && n < buflen);
 +	} while (c && !isspace(c) && (c != data->Eos) && (n < buflen));
 	n--;
 	data->cptr--;
     } else {
 -- 
 2.41.0
--- a/SOURCES/0002-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch
+++ b/SOURCES/0002-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch
@ -1,151 +0,0 @@
 From 52603840b1c5d923cc998335fb651a53d42a036c Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Sat, 7 Jan 2023 12:44:28 -0800
 Subject: [PATCH libXpm 2/5] Fix CVE-2022-44617: Runaway loop with width of 0
 and enormous height
 When reading XPM images from a file with libXpm 3.5.14 or older, if a
 image has a width of 0 and a very large height, the ParsePixels() function
 will loop over the entire height calling getc() and ungetc() repeatedly,
 or in some circumstances, may loop seemingly forever, which may cause a
 denial of service to the calling program when given a small crafted XPM
 file to parse.
 Closes: #2
 Reported-by: Martin Ettl <ettl.martin78@googlemail.com>
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 ---
 src/data.c  | 20 ++++++++++++++------
 src/parse.c | 31 +++++++++++++++++++++++++++----
 2 files changed, 41 insertions(+), 10 deletions(-)
 diff --git a/src/data.c b/src/data.c
 index bfad4ff..7524e65 100644
 --- a/src/data.c
 +++ b/src/data.c
@@ -195,19 +195,23 @@ xpmNextString(xpmData *data)
 	register char c;
 	/* get to the end of the current string */
 -	if (data->Eos)
 -	    while ((c = *data->cptr++) && c != data->Eos);
 +	if (data->Eos) {
 +	    while ((c = *data->cptr++) && c != data->Eos && c != '\0');
 +
 +	    if (c == '\0')
 +		return XpmFileInvalid;
 +	}
 	/*
 	 * then get to the beginning of the next string looking for possible
 	 * comment
 	 */
 	if (data->Bos) {
 -	    while ((c = *data->cptr++) && c != data->Bos)
 +	    while ((c = *data->cptr++) && c != data->Bos && c != '\0')
 		if (data->Bcmt && c == data->Bcmt[0])
 		    ParseComment(data);
 	} else if (data->Bcmt) {	/* XPM2 natural */
 -	    while ((c = *data->cptr++) == data->Bcmt[0])
 +	    while (((c = *data->cptr++) == data->Bcmt[0]) && c != '\0')
 		ParseComment(data);
 	    data->cptr--;
 	}
@@ -216,9 +220,13 @@ xpmNextString(xpmData *data)
 	FILE *file = data->stream.file;
 	/* get to the end of the current string */
 -	if (data->Eos)
 +	if (data->Eos) {
 	    while ((c = Getc(data, file)) != data->Eos && c != EOF);
 +	    if (c == EOF)
 +		return XpmFileInvalid;
 +	}
 +
 	/*
 	 * then get to the beginning of the next string looking for possible
 	 * comment
@@ -234,7 +242,7 @@ xpmNextString(xpmData *data)
 	    Ungetc(data, c, file);
 	}
     }
 -    return 0;
 +    return XpmSuccess;
 }
 diff --git a/src/parse.c b/src/parse.c
 index c19209c..e97d771 100644
 --- a/src/parse.c
 +++ b/src/parse.c
@@ -391,6 +391,13 @@ ParsePixels(
 {
     unsigned int *iptr, *iptr2 = NULL; /* found by Egbert Eich */
     unsigned int a, x, y;
 +    int ErrorStatus;
 +
 +    if ((width == 0) && (height != 0))
 +	return (XpmFileInvalid);
 +
 +    if ((height == 0) && (width != 0))
 +	return (XpmFileInvalid);
     if ((height > 0 && width >= UINT_MAX / height) ||
 	width * height >= UINT_MAX / sizeof(unsigned int))
@@ -428,7 +435,11 @@ ParsePixels(
 		colidx[(unsigned char)colorTable[a].string[0]] = a + 1;
 	    for (y = 0; y < height; y++) {
 -		xpmNextString(data);
 +		ErrorStatus = xpmNextString(data);
 +		if (ErrorStatus != XpmSuccess) {
 +		    XpmFree(iptr2);
 +		    return (ErrorStatus);
 +		}
 		for (x = 0; x < width; x++, iptr++) {
 		    int c = xpmGetC(data);
@@ -475,7 +486,11 @@ do \
 	    }
 	    for (y = 0; y < height; y++) {
 -		xpmNextString(data);
 +		ErrorStatus = xpmNextString(data);
 +		if (ErrorStatus != XpmSuccess) {
 +		    XpmFree(iptr2);
 +		    return (ErrorStatus);
 +		}
 		for (x = 0; x < width; x++, iptr++) {
 		    int cc1 = xpmGetC(data);
 		    if (cc1 > 0 && cc1 < 256) {
@@ -515,7 +530,11 @@ do \
 		xpmHashAtom *slot;
 		for (y = 0; y < height; y++) {
 -		    xpmNextString(data);
 +		    ErrorStatus = xpmNextString(data);
 +		    if (ErrorStatus != XpmSuccess) {
 +			XpmFree(iptr2);
 +			return (ErrorStatus);
 +		    }
 		    for (x = 0; x < width; x++, iptr++) {
 			for (a = 0, s = buf; a < cpp; a++, s++) {
 			    int c = xpmGetC(data);
@@ -535,7 +554,11 @@ do \
 		}
 	    } else {
 		for (y = 0; y < height; y++) {
 -		    xpmNextString(data);
 +		    ErrorStatus = xpmNextString(data);
 +		    if (ErrorStatus != XpmSuccess) {
 +			XpmFree(iptr2);
 +			return (ErrorStatus);
 +		    }
 		    for (x = 0; x < width; x++, iptr++) {
 			for (a = 0, s = buf; a < cpp; a++, s++) {
 			    int c = xpmGetC(data);
 -- 
 2.39.0
--- a/SOURCES/0003-Prevent-a-double-free-in-the-error-code-path.patch
+++ b/SOURCES/0003-Prevent-a-double-free-in-the-error-code-path.patch
@ -1,39 +0,0 @@
 From 7cc2c568412ec63cc5efeec8edbdfc300c09835c Mon Sep 17 00:00:00 2001
 From: Matthieu Herrb <matthieu@herrb.eu>
 Date: Thu, 12 Jan 2023 15:05:39 +1000
 Subject: [PATCH libXpm 3/5] Prevent a double free in the error code path
 xpmParseDataAndCreate() calls XDestroyImage() in the error path.
 Reproducible with sxpm "zero-width.xpm", that file is in the test/
 directory.
 The same approach is needed in the bytes_per_line == 0 condition though
 here it just plugs a memory leak.
 ---
 src/create.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
 diff --git a/src/create.c b/src/create.c
 index a750846..0f3735c 100644
 --- a/src/create.c
 +++ b/src/create.c
@@ -994,11 +994,15 @@ CreateXImage(
 #if !defined(FOR_MSW) && !defined(AMIGA)
     if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) {
 	XDestroyImage(*image_return);
 +	*image_return = NULL;
 	return XpmNoMemory;
     }
     /* now that bytes_per_line must have been set properly alloc data */
 -    if((*image_return)->bytes_per_line == 0 ||  height == 0)
 +    if((*image_return)->bytes_per_line == 0 ||  height == 0) {
 +	XDestroyImage(*image_return);
 +	*image_return = NULL;
     	return XpmNoMemory;
 +    }
     (*image_return)->data =
 	(char *) XpmMalloc((*image_return)->bytes_per_line * height);
 -- 
 2.39.0
--- a/SOURCES/0004-configure-add-disable-open-zfile-instead-of-requirin.patch
+++ b/SOURCES/0004-configure-add-disable-open-zfile-instead-of-requirin.patch
@ -1,95 +0,0 @@
 From d51766c94c6dffa59c087b27b2b20b53ff957b98 Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Thu, 5 Jan 2023 15:42:36 -0800
 Subject: [PATCH libXpm 4/5] configure: add --disable-open-zfile instead of
 requiring -DNO_ZPIPE
 Documents the two compression options in the README, makes their
 configure options reflect the interdependency of their implementation,
 and makes the configure script report their configuration.
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 ---
 README       | 15 +++++++++++++++
 configure.ac | 36 +++++++++++++++++++++++-------------
 2 files changed, 38 insertions(+), 13 deletions(-)
 diff --git a/README b/README
 index 9d14a39..f532bef 100644
 --- a/README
 +++ b/README
@@ -23,3 +23,18 @@ For more information on the git code manager, see:
         http://wiki.x.org/wiki/GitPage
 +------------------------------------------------------------------------------
 +
 +libXpm supports two optional features to handle compressed pixmap files.
 +
 +--enable-open-zfile makes libXpm recognize file names ending in .Z and .gz
 +and open a pipe to the appropriate command to compress the file when writing
 +and uncompress the file when reading. This is enabled by default on platforms
 +other than MinGW and can be disabled by passing the --disable-open-zfile flag
 +to the configure script.
 +
 +--enable-stat-zfile make libXpm search for a file name with .Z or .gz added
 +if it can't find the file it was asked to open.  It relies on the
 +--enable-open-zfile feature to open the file, and is enabled by default
 +when --enable-open-zfile is enabled, and can be disabled by passing the
 +--disable-stat-zfile flag to the configure script.
 diff --git a/configure.ac b/configure.ac
 index 2feb9ff..4a8d6de 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -48,25 +48,35 @@ if test "x$USE_GETTEXT" = "xyes" ; then
 fi
 AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes")
 +# Optional feature: When a filename ending in .Z or .gz is requested,
 +# open a pipe to a newly forked compress/uncompress/gzip/gunzip command to
 +# handle it.
 +AC_MSG_CHECKING([whether to handle compressed pixmaps])
 +case $host_os in
 +        *mingw*)        zpipe_default="no" ;;
 +        *)              zpipe_default="yes" ;;
 +esac
 +AC_ARG_ENABLE(open-zfile,
 +        AS_HELP_STRING([--enable-open-zfile],
 +                        [Search for files with .Z & .gz extensions automatically @<:@default=auto@:>@]),
 +              [OPEN_ZFILE=$enableval], [OPEN_ZFILE=yes])
 +AC_MSG_RESULT([$OPEN_ZFILE])
 +if test x$OPEN_ZFILE = xno ; then
 +        AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes])
 +fi
 +
 # Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz
 # Replaces ZFILEDEF = -DSTAT_ZFILE in old Imakefile
 +AC_MSG_CHECKING([whether to search for compressed pixmaps])
 AC_ARG_ENABLE(stat-zfile,
 -	AS_HELP_STRING([--enable-stat-zfile],
 -			[Search for files with .Z & .gz extensions automatically @<:@default=yes@:>@]),
 -              [STAT_ZFILE=$enableval], [STAT_ZFILE=yes])
 +        AS_HELP_STRING([--enable-stat-zfile],
 +                        [Search for files with .Z & .gz extensions automatically @<:@default=auto@:>@]),
 +              [STAT_ZFILE=$enableval], [STAT_ZFILE=$OPEN_ZFILE])
 +AC_MSG_RESULT([$STAT_ZFILE])
 if test x$STAT_ZFILE = xyes ; then
 -	AC_DEFINE(STAT_ZFILE, 1, [Define to 1 to automatically look for files with .Z & .gz extensions])
 +        AC_DEFINE(STAT_ZFILE, 1, [Define to 1 to automatically look for files with .Z & .gz extensions])
 fi
 -
 -case $host_os in
 -	*mingw*)
 -                AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes])
 -	;;
 -	*)
 -	;;
 -esac
 -
 AC_CONFIG_FILES([Makefile
                  doc/Makefile
                  include/Makefile
 -- 
 2.39.0
--- a/SOURCES/0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
+++ b/SOURCES/0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
@ -1,144 +0,0 @@
 From 66854ee1d187095186ae718979baf771c177002a Mon Sep 17 00:00:00 2001
 From: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date: Fri, 6 Jan 2023 12:50:48 -0800
 Subject: [PATCH libXpm 5/5] Fix CVE-2022-4883: compression commands depend on
 $PATH
 By default, on all platforms except MinGW, libXpm will detect if a
 filename ends in .Z or .gz, and will when reading such a file fork off
 an uncompress or gunzip command to read from via a pipe, and when
 writing such a file will fork off a compress or gzip command to write
 to via a pipe.
 In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH
 to find the commands.  If libXpm is called from a program running with
 raised privileges, such as via setuid, then a malicious user could set
 $PATH to include programs of their choosing to be run with those
 privileges.
 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
 ---
 README       | 12 ++++++++++++
 configure.ac | 14 ++++++++++++++
 src/RdFToI.c | 17 ++++++++++++++---
 src/WrFFrI.c |  4 ++--
 4 files changed, 42 insertions(+), 5 deletions(-)
 diff --git a/README b/README
 index f532bef..c7d6dbf 100644
 --- a/README
 +++ b/README
@@ -38,3 +38,15 @@ if it can't find the file it was asked to open.  It relies on the
 --enable-open-zfile feature to open the file, and is enabled by default
 when --enable-open-zfile is enabled, and can be disabled by passing the
 --disable-stat-zfile flag to the configure script.
 +
 +All of these commands will be executed with whatever userid & privileges the
 +function is called with, relying on the caller to ensure the correct euid,
 +egid, etc. are set before calling.
 +
 +To reduce risk, the paths to these commands are now set at configure time to
 +the first version found in the PATH used to run configure, and do not depend
 +on the PATH environment variable set at runtime.
 +
 +To specify paths to be used for these commands instead of searching $PATH, pass
 +the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, XPM_PATH_GZIP, and XPM_PATH_GUNZIP
 +variables to the configure command.
 diff --git a/configure.ac b/configure.ac
 index 4a8d6de..c1da348 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -48,6 +48,14 @@ if test "x$USE_GETTEXT" = "xyes" ; then
 fi
 AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes")
 +dnl Helper macro to find absolute path to program and add a #define for it
 +AC_DEFUN([XPM_PATH_PROG],[
 +AC_PATH_PROG([$1], [$2], [])
 +AS_IF([test "x$$1" = "x"],
 +      [AC_MSG_ERROR([$2 not found, set $1 or use --disable-stat-zfile])])
 +AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path to $2])
 +]) dnl End of AC_DEFUN([XPM_PATH_PROG]...
 +
 # Optional feature: When a filename ending in .Z or .gz is requested,
 # open a pipe to a newly forked compress/uncompress/gzip/gunzip command to
 # handle it.
@@ -63,6 +71,12 @@ AC_ARG_ENABLE(open-zfile,
 AC_MSG_RESULT([$OPEN_ZFILE])
 if test x$OPEN_ZFILE = xno ; then
         AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes])
 +else
 +        XPM_PATH_PROG([XPM_PATH_COMPRESS], [compress])
 +        XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress])
 +        XPM_PATH_PROG([XPM_PATH_GZIP], [gzip])
 +        XPM_PATH_PROG([XPM_PATH_GUNZIP], [gunzip])
 +        AC_CHECK_FUNCS([closefrom close_range], [break])
 fi
 # Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz
 diff --git a/src/RdFToI.c b/src/RdFToI.c
 index bd09611..a91d337 100644
 --- a/src/RdFToI.c
 +++ b/src/RdFToI.c
@@ -43,6 +43,7 @@
 #include <errno.h>
 #include <sys/types.h>
 #include <sys/wait.h>
 +#include <unistd.h>
 #else
 #ifdef FOR_MSW
 #include <fcntl.h>
@@ -161,7 +162,17 @@ xpmPipeThrough(
 	    goto err;
 	if ( 0 == pid )
 	{
 -	    execlp(cmd, cmd, arg1, (char *)NULL);
 +#ifdef HAVE_CLOSEFROM
 +	    closefrom(3);
 +#elif defined(HAVE_CLOSE_RANGE)
 +# ifdef CLOSE_RANGE_UNSHARE
 +#  define close_range_flags CLOSE_RANGE_UNSHARE
 +# else
 +#  define close_range_flags 0
 +#endif
 +	    close_range(3, ~0U, close_range_flags);
 +#endif
 +	    execl(cmd, cmd, arg1, (char *)NULL);
 	    perror(cmd);
 	    goto err;
 	}
@@ -235,12 +246,12 @@ OpenReadFile(
 	if ( ext && !strcmp(ext, ".Z") )
 	{
 	    mdata->type = XPMPIPE;
 -	    mdata->stream.file = xpmPipeThrough(fd, "uncompress", "-c", "r");
 +	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_UNCOMPRESS, "-c", "r");
 	}
 	else if ( ext && !strcmp(ext, ".gz") )
 	{
 	    mdata->type = XPMPIPE;
 -	    mdata->stream.file = xpmPipeThrough(fd, "gunzip", "-qc", "r");
 +	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GUNZIP, "-qc", "r");
 	}
 	else
 #endif /* z-files */
 diff --git a/src/WrFFrI.c b/src/WrFFrI.c
 index 067c96b..bc38f66 100644
 --- a/src/WrFFrI.c
 +++ b/src/WrFFrI.c
@@ -336,10 +336,10 @@ OpenWriteFile(
 #ifndef NO_ZPIPE
 	len = strlen(filename);
 	if (len > 2 && !strcmp(".Z", filename + (len - 2))) {
 -	    mdata->stream.file = xpmPipeThrough(fd, "compress", NULL, "w");
 +	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_COMPRESS, NULL, "w");
 	    mdata->type = XPMPIPE;
 	} else if (len > 3 && !strcmp(".gz", filename + (len - 3))) {
 -	    mdata->stream.file = xpmPipeThrough(fd, "gzip", "-q", "w");
 +	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-q", "w");
 	    mdata->type = XPMPIPE;
 	} else
 #endif
 -- 
 2.39.0
--- a/SOURCES/0006-Use-gzip-d-instead-of-gunzip.patch
+++ b/SOURCES/0006-Use-gzip-d-instead-of-gunzip.patch
@ -1,67 +0,0 @@
 From 8b52b950360cd7224f504f294997f3a9d7e18b91 Mon Sep 17 00:00:00 2001
 From: Peter Hutterer <peter.hutterer@who-t.net>
 Date: Mon, 16 Jan 2023 19:44:52 +1000
 Subject: [PATCH libXpm] Use gzip -d instead of gunzip
 GNU gunzip [1] is a shell script that exec's `gzip -d`. Even if we call
 /usr/bin/gunzip with the correct built-in path, the actual gzip call
 will use whichever gzip it finds first, making our patch pointless.
 Fix this by explicitly calling gzip -d instead.
 https://git.savannah.gnu.org/cgit/gzip.git/tree/gunzip.in
 Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
 ---
 README       | 2 +-
 configure.ac | 3 +--
 src/RdFToI.c | 2 +-
 3 files changed, 3 insertions(+), 4 deletions(-)
 diff --git a/README b/README
 index c7d6dbf..d4c7212 100644
 --- a/README
 +++ b/README
@@ -48,5 +48,5 @@ the first version found in the PATH used to run configure, and do not depend
 on the PATH environment variable set at runtime.
 To specify paths to be used for these commands instead of searching $PATH, pass
 -the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, XPM_PATH_GZIP, and XPM_PATH_GUNZIP
 +the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, and XPM_PATH_GZIP
 variables to the configure command.
 diff --git a/configure.ac b/configure.ac
 index c1da348..74d9856 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -57,7 +57,7 @@ AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path to $2])
 ]) dnl End of AC_DEFUN([XPM_PATH_PROG]...
 # Optional feature: When a filename ending in .Z or .gz is requested,
 -# open a pipe to a newly forked compress/uncompress/gzip/gunzip command to
 +# open a pipe to a newly forked compress/uncompress/gzip command to
 # handle it.
 AC_MSG_CHECKING([whether to handle compressed pixmaps])
 case $host_os in
@@ -75,7 +75,6 @@ else
         XPM_PATH_PROG([XPM_PATH_COMPRESS], [compress])
         XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress])
         XPM_PATH_PROG([XPM_PATH_GZIP], [gzip])
 -        XPM_PATH_PROG([XPM_PATH_GUNZIP], [gunzip])
         AC_CHECK_FUNCS([closefrom close_range], [break])
 fi
 diff --git a/src/RdFToI.c b/src/RdFToI.c
 index a91d337..141c485 100644
 --- a/src/RdFToI.c
 +++ b/src/RdFToI.c
@@ -251,7 +251,7 @@ OpenReadFile(
 	else if ( ext && !strcmp(ext, ".gz") )
 	{
 	    mdata->type = XPMPIPE;
 -	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GUNZIP, "-qc", "r");
 +	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-dqc", "r");
 	}
 	else
 #endif /* z-files */
 -- 
 2.39.0
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,6 @@
 --- !Policy
 product_versions:
  - rhel-10
 decision_context: osci_compose_gate
 rules:
  - !PassingTestCaseRule {test_case_name: desktop-qe.desktop-ci.tier1-gating.functional}
--- a/SPECS/libXpm.spec
+++ b/SPECS/libXpm.spec
@ -1,41 +1,23 @@
 Summary: X.Org X11 libXpm runtime library
 Name: libXpm
-Version: 3.5.12
+Version: 3.5.17
-Release: 11%{?dist}
+Release: 5%{?dist}
-License: MIT
+License: MIT AND X11-distribute-modifications-variant
 Group: System Environment/Libraries
 URL: http://www.x.org
-Source0: https://www.x.org/pub/individual/lib/%{name}-%{version}.tar.bz2
+Source0: https://www.x.org/pub/individual/lib/%{name}-%{version}.tar.xz
 BuildRequires: xorg-x11-util-macros
-BuildRequires: autoconf automake libtool
+BuildRequires: autoconf automake libtool make
 BuildRequires: gettext
 BuildRequires: pkgconfig(xext) pkgconfig(xt) pkgconfig(xau)
 BuildRequires: ncompress gzip
 Patch0: 0001-After-fdopen-use-fclose-instead-of-close-in-error-pa.patch
 # CVE-2022-46285
 Patch0001: 0001-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch
 # CVE-2022-44617
 Patch0002: 0002-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch
 Patch0003: 0003-Prevent-a-double-free-in-the-error-code-path.patch
 # CVE-2022-4883
 Patch0004: 0004-configure-add-disable-open-zfile-instead-of-requirin.patch
 Patch0005: 0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
 Patch0006: 0006-Use-gzip-d-instead-of-gunzip.patch
 # CVE-2023-43788
 Patch0007: 0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
 # CVE-2023-43789
 Patch0008: 0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch
 %description
 X.Org X11 libXpm runtime library
 %package devel
 Summary: X.Org X11 libXpm development package
 Group: Development/Libraries
 Requires: %{name} = %{version}-%{release}
 %description devel
@ -43,15 +25,6 @@ X.Org X11 libXpm development package
 %prep
 %setup -q
 %patch0 -p1 -b .covscan
 %patch0001 -p1
 %patch0002 -p1
 %patch0003 -p1
 %patch0004 -p1
 %patch0005 -p1
 %patch0006 -p1
 %patch0007 -p1
 %patch0008 -p1
 %build
 autoreconf -v --install --force
@ -80,29 +53,76 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
 %{_includedir}/X11/xpm.h
 %{_libdir}/libXpm.so
 %{_libdir}/pkgconfig/xpm.pc
 #%dir %{_mandir}/man1x
 %{_mandir}/man1/*.1*
-#%{_mandir}/man1/*.1x*
+%{_mandir}/man3/*.3*
 %changelog
-* Wed Oct 11 2023 José Expósito <jexposit@redhat.com> - 3.5.12-11
+* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 3.5.17-5
- Drop hardening patches from previous version to keep ABI compatibility
+- Bump release for October 2024 mass rebuild:
  Resolves: RHEL-64018
-* Wed Oct 11 2023 José Expósito <jexposit@redhat.com> - 3.5.12-10
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.5.17-4
- CVE-2023-43786 libX11: stack exhaustion from infinite recursion
+- Bump release for June 2024 mass rebuild
  in PutSubImage()
 - CVE-2023-43787 libX11: integer overflow in XCreateImage() leading to
  a heap overflow
 - CVE-2023-43788 libXpm: out of bounds read in XpmCreateXpmImageFromBuffer()
 - CVE-2023-43789 libXpm: out of bounds read on XPM with corrupted colormap
-* Mon Jan 16 2023 Peter Hutterer <peter.hutterer@redhat.com> - 3.5.12-9
+* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.17-3
- Fix CVE-2022-46285: infinite loop on unclosed comments (#2160229)
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 - Fix CVE-2022-44617: runaway loop with width of 0 (#2160231)
 - Fix CVE-2022-4883: compression depends on $PATH (#2160239)
-* Mon Dec 09 2019 Benjamin Tissoires <benjamin.tissoires@redhat.com> 3.5.12-8
+* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.17-2
- add covscan fixes (#1602606)
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 * Thu Oct 05 2023 Peter Hutterer <peter.hutterer@redhat.com> - 3.5.17-1
 - libXpm 3.5.17
 * Wed Sep 06 2023 Benjamin Tissoires <benjamin.tissoires@redhat.com> - 3.5.15-5
 - SPDX migration
 * Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.15-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
 * Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.15-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
 * Wed Jan 18 2023 Peter Hutterer <peter.hutterer@redhat.com> - 3.5.15-2
 - Add missing BuildRequires
 * Wed Jan 18 2023 Peter Hutterer <peter.hutterer@redhat.com> - 3.5.15-1
 - libXpm 3.5.15, fixes CVE-2022-46285, CVE-2022-44617, CVE-2022-4883
 * Wed Jan 11 2023 Peter Hutterer <peter.hutterer@redhat.com> - 3.5.14-1
 - libXpm 3.5.14
 * Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.13-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
 * Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.13-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
 * Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.13-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.13-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Tue Jan 05 2021 Peter Hutterer <peter.hutterer@redhat.com> 3.5.13-4
 - Add make to BuildRequires
 * Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.13-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.13-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Fri Dec 13 2019 Peter Hutterer <peter.hutterer@redhat.com> 3.5.13-1
 - libXpm 3.5.13
 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.12-10
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.12-9
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.12-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 * Thu Jul 05 2018 Adam Jackson <ajax@redhat.com> - 3.5.12-7
 - Drop useless %%defattr
--- a/1
+++ b/1
@ -0,0 +1 @@
 SHA512 (libXpm-3.5.17.tar.xz) = 52f9d2664a47a26c1a6ad65d18867de870b66947b0b0d99cca3512756a0aaa6ce2a245c0b49f20b70c3ce48bf04c47c333e8119a147465c277bca727f6ab017e
`@ -1 +1 @@`
	`SOURCES/libXpm-3.5.12.tar.bz2`	`/libXpm-*.tar.xz`
		`@ -1 +0,0 @@`
			`4e22fefe61714209539b08051b5287bcd9ecfd04 SOURCES/libXpm-3.5.12.tar.bz2`
		`@ -0,0 +1 @@`
							`SHA512 (libXpm-3.5.17.tar.xz) = 52f9d2664a47a26c1a6ad65d18867de870b66947b0b0d99cca3512756a0aaa6ce2a245c0b49f20b70c3ce48bf04c47c333e8119a147465c277bca727f6ab017e`