Compare commits
No commits in common. "c8" and "c10s" have entirely different histories.
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/libXpm-3.5.12.tar.bz2
|
||||
/libXpm-*.tar.xz
|
||||
|
@ -1 +0,0 @@
|
||||
4e22fefe61714209539b08051b5287bcd9ecfd04 SOURCES/libXpm-3.5.12.tar.bz2
|
@ -1,40 +0,0 @@
|
||||
From e00066fb973a1796dd3989e356e17c8b51add521 Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Sun, 30 Sep 2018 15:09:29 -0700
|
||||
Subject: [PATCH 1/3] After fdopen(), use fclose() instead of close() in error
|
||||
path
|
||||
|
||||
Found by Oracle's Parfait 2.2 static analyzer:
|
||||
|
||||
Error: File Leak
|
||||
File Leak [file-ptr-leak]:
|
||||
Leaked File fp
|
||||
at line 94 of lib/libXpm/src/RdFToBuf.c in function 'XpmReadFileToBuffer
|
||||
'.
|
||||
fp initialized at line 86 with fdopen
|
||||
fp leaks when len < 0 at line 92.
|
||||
|
||||
Introduced-by: commit 8b3024e6871ce50b34bf2dff924774bd654703bc
|
||||
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
src/RdFToBuf.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/RdFToBuf.c b/src/RdFToBuf.c
|
||||
index 69e3347d24f2..1b386f81fde3 100644
|
||||
--- a/src/RdFToBuf.c
|
||||
+++ b/src/RdFToBuf.c
|
||||
@@ -90,7 +90,7 @@ XpmReadFileToBuffer(
|
||||
}
|
||||
len = stats.st_size;
|
||||
if (len < 0 || len >= SIZE_MAX) {
|
||||
- close(fd);
|
||||
+ fclose(fp);
|
||||
return XpmOpenFailed;
|
||||
}
|
||||
ptr = (char *) XpmMalloc(len + 1);
|
||||
--
|
||||
2.23.0
|
||||
|
@ -1,37 +0,0 @@
|
||||
From ec75b3393506a6f71a477ac3982b31a48a42c196 Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Sat, 17 Dec 2022 12:23:45 -0800
|
||||
Subject: [PATCH libXpm 1/5] Fix CVE-2022-46285: Infinite loop on unclosed
|
||||
comments
|
||||
|
||||
When reading XPM images from a file with libXpm 3.5.14 or older, if a
|
||||
comment in the file is not closed (i.e. a C-style comment starts with
|
||||
"/*" and is missing the closing "*/"), the ParseComment() function will
|
||||
loop forever calling getc() to try to read the rest of the comment,
|
||||
failing to notice that it has returned EOF, which may cause a denial of
|
||||
service to the calling program.
|
||||
|
||||
Reported-by: Marco Ivaldi <raptor@0xdeadbeef.info>
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
src/data.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/src/data.c b/src/data.c
|
||||
index 898889c..bfad4ff 100644
|
||||
--- a/src/data.c
|
||||
+++ b/src/data.c
|
||||
@@ -174,6 +174,10 @@ ParseComment(xpmData *data)
|
||||
notend = 0;
|
||||
Ungetc(data, *s, file);
|
||||
}
|
||||
+ else if (c == EOF) {
|
||||
+ /* hit end of file before the end of the comment */
|
||||
+ return XpmFileInvalid;
|
||||
+ }
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
--
|
||||
2.39.0
|
||||
|
@ -1,32 +0,0 @@
|
||||
From 2fa554b01ef6079a9b35df9332bdc4f139ed67e0 Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Sat, 29 Apr 2023 17:50:39 -0700
|
||||
Subject: [PATCH] Fix CVE-2023-43788: Out of bounds read in
|
||||
XpmCreateXpmImageFromBuffer
|
||||
|
||||
When the test case for CVE-2022-46285 was run with the Address Sanitizer
|
||||
enabled, it found an out-of-bounds read in ParseComment() when reading
|
||||
from a memory buffer instead of a file, as it continued to look for the
|
||||
closing comment marker past the end of the buffer.
|
||||
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
src/data.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/data.c b/src/data.c
|
||||
index 7524e65..0b0f1f3 100644
|
||||
--- a/src/data.c
|
||||
+++ b/src/data.c
|
||||
@@ -108,7 +108,7 @@ ParseComment(xpmData *data)
|
||||
n++;
|
||||
s2++;
|
||||
} while (c == *s2 && *s2 != '\0' && c);
|
||||
- if (*s2 == '\0') {
|
||||
+ if (*s2 == '\0' || c == '\0') {
|
||||
/* this is the end of the comment */
|
||||
notend = 0;
|
||||
data->cptr--;
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,36 +0,0 @@
|
||||
From 7e21cb63b9a1ca760a06cc4cd9b19bbc3fcd8f51 Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Sat, 29 Apr 2023 18:30:34 -0700
|
||||
Subject: [PATCH] Fix CVE-2023-43789: Out of bounds read on XPM with corrupted
|
||||
colormap
|
||||
|
||||
Found with clang's libfuzzer
|
||||
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
src/data.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/data.c b/src/data.c
|
||||
index 0b0f1f3..6e87455 100644
|
||||
--- a/src/data.c
|
||||
+++ b/src/data.c
|
||||
@@ -259,13 +259,13 @@ xpmNextWord(
|
||||
int c;
|
||||
|
||||
if (!data->type || data->type == XPMBUFFER) {
|
||||
- while (isspace(c = *data->cptr) && c != data->Eos)
|
||||
+ while ((c = *data->cptr) && isspace(c) && (c != data->Eos))
|
||||
data->cptr++;
|
||||
do {
|
||||
c = *data->cptr++;
|
||||
*buf++ = c;
|
||||
n++;
|
||||
- } while (!isspace(c) && c != data->Eos && n < buflen);
|
||||
+ } while (c && !isspace(c) && (c != data->Eos) && (n < buflen));
|
||||
n--;
|
||||
data->cptr--;
|
||||
} else {
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,151 +0,0 @@
|
||||
From 52603840b1c5d923cc998335fb651a53d42a036c Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Sat, 7 Jan 2023 12:44:28 -0800
|
||||
Subject: [PATCH libXpm 2/5] Fix CVE-2022-44617: Runaway loop with width of 0
|
||||
and enormous height
|
||||
|
||||
When reading XPM images from a file with libXpm 3.5.14 or older, if a
|
||||
image has a width of 0 and a very large height, the ParsePixels() function
|
||||
will loop over the entire height calling getc() and ungetc() repeatedly,
|
||||
or in some circumstances, may loop seemingly forever, which may cause a
|
||||
denial of service to the calling program when given a small crafted XPM
|
||||
file to parse.
|
||||
|
||||
Closes: #2
|
||||
|
||||
Reported-by: Martin Ettl <ettl.martin78@googlemail.com>
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
src/data.c | 20 ++++++++++++++------
|
||||
src/parse.c | 31 +++++++++++++++++++++++++++----
|
||||
2 files changed, 41 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/src/data.c b/src/data.c
|
||||
index bfad4ff..7524e65 100644
|
||||
--- a/src/data.c
|
||||
+++ b/src/data.c
|
||||
@@ -195,19 +195,23 @@ xpmNextString(xpmData *data)
|
||||
register char c;
|
||||
|
||||
/* get to the end of the current string */
|
||||
- if (data->Eos)
|
||||
- while ((c = *data->cptr++) && c != data->Eos);
|
||||
+ if (data->Eos) {
|
||||
+ while ((c = *data->cptr++) && c != data->Eos && c != '\0');
|
||||
+
|
||||
+ if (c == '\0')
|
||||
+ return XpmFileInvalid;
|
||||
+ }
|
||||
|
||||
/*
|
||||
* then get to the beginning of the next string looking for possible
|
||||
* comment
|
||||
*/
|
||||
if (data->Bos) {
|
||||
- while ((c = *data->cptr++) && c != data->Bos)
|
||||
+ while ((c = *data->cptr++) && c != data->Bos && c != '\0')
|
||||
if (data->Bcmt && c == data->Bcmt[0])
|
||||
ParseComment(data);
|
||||
} else if (data->Bcmt) { /* XPM2 natural */
|
||||
- while ((c = *data->cptr++) == data->Bcmt[0])
|
||||
+ while (((c = *data->cptr++) == data->Bcmt[0]) && c != '\0')
|
||||
ParseComment(data);
|
||||
data->cptr--;
|
||||
}
|
||||
@@ -216,9 +220,13 @@ xpmNextString(xpmData *data)
|
||||
FILE *file = data->stream.file;
|
||||
|
||||
/* get to the end of the current string */
|
||||
- if (data->Eos)
|
||||
+ if (data->Eos) {
|
||||
while ((c = Getc(data, file)) != data->Eos && c != EOF);
|
||||
|
||||
+ if (c == EOF)
|
||||
+ return XpmFileInvalid;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* then get to the beginning of the next string looking for possible
|
||||
* comment
|
||||
@@ -234,7 +242,7 @@ xpmNextString(xpmData *data)
|
||||
Ungetc(data, c, file);
|
||||
}
|
||||
}
|
||||
- return 0;
|
||||
+ return XpmSuccess;
|
||||
}
|
||||
|
||||
|
||||
diff --git a/src/parse.c b/src/parse.c
|
||||
index c19209c..e97d771 100644
|
||||
--- a/src/parse.c
|
||||
+++ b/src/parse.c
|
||||
@@ -391,6 +391,13 @@ ParsePixels(
|
||||
{
|
||||
unsigned int *iptr, *iptr2 = NULL; /* found by Egbert Eich */
|
||||
unsigned int a, x, y;
|
||||
+ int ErrorStatus;
|
||||
+
|
||||
+ if ((width == 0) && (height != 0))
|
||||
+ return (XpmFileInvalid);
|
||||
+
|
||||
+ if ((height == 0) && (width != 0))
|
||||
+ return (XpmFileInvalid);
|
||||
|
||||
if ((height > 0 && width >= UINT_MAX / height) ||
|
||||
width * height >= UINT_MAX / sizeof(unsigned int))
|
||||
@@ -428,7 +435,11 @@ ParsePixels(
|
||||
colidx[(unsigned char)colorTable[a].string[0]] = a + 1;
|
||||
|
||||
for (y = 0; y < height; y++) {
|
||||
- xpmNextString(data);
|
||||
+ ErrorStatus = xpmNextString(data);
|
||||
+ if (ErrorStatus != XpmSuccess) {
|
||||
+ XpmFree(iptr2);
|
||||
+ return (ErrorStatus);
|
||||
+ }
|
||||
for (x = 0; x < width; x++, iptr++) {
|
||||
int c = xpmGetC(data);
|
||||
|
||||
@@ -475,7 +486,11 @@ do \
|
||||
}
|
||||
|
||||
for (y = 0; y < height; y++) {
|
||||
- xpmNextString(data);
|
||||
+ ErrorStatus = xpmNextString(data);
|
||||
+ if (ErrorStatus != XpmSuccess) {
|
||||
+ XpmFree(iptr2);
|
||||
+ return (ErrorStatus);
|
||||
+ }
|
||||
for (x = 0; x < width; x++, iptr++) {
|
||||
int cc1 = xpmGetC(data);
|
||||
if (cc1 > 0 && cc1 < 256) {
|
||||
@@ -515,7 +530,11 @@ do \
|
||||
xpmHashAtom *slot;
|
||||
|
||||
for (y = 0; y < height; y++) {
|
||||
- xpmNextString(data);
|
||||
+ ErrorStatus = xpmNextString(data);
|
||||
+ if (ErrorStatus != XpmSuccess) {
|
||||
+ XpmFree(iptr2);
|
||||
+ return (ErrorStatus);
|
||||
+ }
|
||||
for (x = 0; x < width; x++, iptr++) {
|
||||
for (a = 0, s = buf; a < cpp; a++, s++) {
|
||||
int c = xpmGetC(data);
|
||||
@@ -535,7 +554,11 @@ do \
|
||||
}
|
||||
} else {
|
||||
for (y = 0; y < height; y++) {
|
||||
- xpmNextString(data);
|
||||
+ ErrorStatus = xpmNextString(data);
|
||||
+ if (ErrorStatus != XpmSuccess) {
|
||||
+ XpmFree(iptr2);
|
||||
+ return (ErrorStatus);
|
||||
+ }
|
||||
for (x = 0; x < width; x++, iptr++) {
|
||||
for (a = 0, s = buf; a < cpp; a++, s++) {
|
||||
int c = xpmGetC(data);
|
||||
--
|
||||
2.39.0
|
||||
|
@ -1,39 +0,0 @@
|
||||
From 7cc2c568412ec63cc5efeec8edbdfc300c09835c Mon Sep 17 00:00:00 2001
|
||||
From: Matthieu Herrb <matthieu@herrb.eu>
|
||||
Date: Thu, 12 Jan 2023 15:05:39 +1000
|
||||
Subject: [PATCH libXpm 3/5] Prevent a double free in the error code path
|
||||
|
||||
xpmParseDataAndCreate() calls XDestroyImage() in the error path.
|
||||
Reproducible with sxpm "zero-width.xpm", that file is in the test/
|
||||
directory.
|
||||
|
||||
The same approach is needed in the bytes_per_line == 0 condition though
|
||||
here it just plugs a memory leak.
|
||||
---
|
||||
src/create.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/create.c b/src/create.c
|
||||
index a750846..0f3735c 100644
|
||||
--- a/src/create.c
|
||||
+++ b/src/create.c
|
||||
@@ -994,11 +994,15 @@ CreateXImage(
|
||||
#if !defined(FOR_MSW) && !defined(AMIGA)
|
||||
if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) {
|
||||
XDestroyImage(*image_return);
|
||||
+ *image_return = NULL;
|
||||
return XpmNoMemory;
|
||||
}
|
||||
/* now that bytes_per_line must have been set properly alloc data */
|
||||
- if((*image_return)->bytes_per_line == 0 || height == 0)
|
||||
+ if((*image_return)->bytes_per_line == 0 || height == 0) {
|
||||
+ XDestroyImage(*image_return);
|
||||
+ *image_return = NULL;
|
||||
return XpmNoMemory;
|
||||
+ }
|
||||
(*image_return)->data =
|
||||
(char *) XpmMalloc((*image_return)->bytes_per_line * height);
|
||||
|
||||
--
|
||||
2.39.0
|
||||
|
@ -1,95 +0,0 @@
|
||||
From d51766c94c6dffa59c087b27b2b20b53ff957b98 Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Thu, 5 Jan 2023 15:42:36 -0800
|
||||
Subject: [PATCH libXpm 4/5] configure: add --disable-open-zfile instead of
|
||||
requiring -DNO_ZPIPE
|
||||
|
||||
Documents the two compression options in the README, makes their
|
||||
configure options reflect the interdependency of their implementation,
|
||||
and makes the configure script report their configuration.
|
||||
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
README | 15 +++++++++++++++
|
||||
configure.ac | 36 +++++++++++++++++++++++-------------
|
||||
2 files changed, 38 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/README b/README
|
||||
index 9d14a39..f532bef 100644
|
||||
--- a/README
|
||||
+++ b/README
|
||||
@@ -23,3 +23,18 @@ For more information on the git code manager, see:
|
||||
|
||||
http://wiki.x.org/wiki/GitPage
|
||||
|
||||
+------------------------------------------------------------------------------
|
||||
+
|
||||
+libXpm supports two optional features to handle compressed pixmap files.
|
||||
+
|
||||
+--enable-open-zfile makes libXpm recognize file names ending in .Z and .gz
|
||||
+and open a pipe to the appropriate command to compress the file when writing
|
||||
+and uncompress the file when reading. This is enabled by default on platforms
|
||||
+other than MinGW and can be disabled by passing the --disable-open-zfile flag
|
||||
+to the configure script.
|
||||
+
|
||||
+--enable-stat-zfile make libXpm search for a file name with .Z or .gz added
|
||||
+if it can't find the file it was asked to open. It relies on the
|
||||
+--enable-open-zfile feature to open the file, and is enabled by default
|
||||
+when --enable-open-zfile is enabled, and can be disabled by passing the
|
||||
+--disable-stat-zfile flag to the configure script.
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 2feb9ff..4a8d6de 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -48,25 +48,35 @@ if test "x$USE_GETTEXT" = "xyes" ; then
|
||||
fi
|
||||
AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes")
|
||||
|
||||
+# Optional feature: When a filename ending in .Z or .gz is requested,
|
||||
+# open a pipe to a newly forked compress/uncompress/gzip/gunzip command to
|
||||
+# handle it.
|
||||
+AC_MSG_CHECKING([whether to handle compressed pixmaps])
|
||||
+case $host_os in
|
||||
+ *mingw*) zpipe_default="no" ;;
|
||||
+ *) zpipe_default="yes" ;;
|
||||
+esac
|
||||
+AC_ARG_ENABLE(open-zfile,
|
||||
+ AS_HELP_STRING([--enable-open-zfile],
|
||||
+ [Search for files with .Z & .gz extensions automatically @<:@default=auto@:>@]),
|
||||
+ [OPEN_ZFILE=$enableval], [OPEN_ZFILE=yes])
|
||||
+AC_MSG_RESULT([$OPEN_ZFILE])
|
||||
+if test x$OPEN_ZFILE = xno ; then
|
||||
+ AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes])
|
||||
+fi
|
||||
+
|
||||
# Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz
|
||||
# Replaces ZFILEDEF = -DSTAT_ZFILE in old Imakefile
|
||||
+AC_MSG_CHECKING([whether to search for compressed pixmaps])
|
||||
AC_ARG_ENABLE(stat-zfile,
|
||||
- AS_HELP_STRING([--enable-stat-zfile],
|
||||
- [Search for files with .Z & .gz extensions automatically @<:@default=yes@:>@]),
|
||||
- [STAT_ZFILE=$enableval], [STAT_ZFILE=yes])
|
||||
+ AS_HELP_STRING([--enable-stat-zfile],
|
||||
+ [Search for files with .Z & .gz extensions automatically @<:@default=auto@:>@]),
|
||||
+ [STAT_ZFILE=$enableval], [STAT_ZFILE=$OPEN_ZFILE])
|
||||
+AC_MSG_RESULT([$STAT_ZFILE])
|
||||
if test x$STAT_ZFILE = xyes ; then
|
||||
- AC_DEFINE(STAT_ZFILE, 1, [Define to 1 to automatically look for files with .Z & .gz extensions])
|
||||
+ AC_DEFINE(STAT_ZFILE, 1, [Define to 1 to automatically look for files with .Z & .gz extensions])
|
||||
fi
|
||||
|
||||
-
|
||||
-case $host_os in
|
||||
- *mingw*)
|
||||
- AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes])
|
||||
- ;;
|
||||
- *)
|
||||
- ;;
|
||||
-esac
|
||||
-
|
||||
AC_CONFIG_FILES([Makefile
|
||||
doc/Makefile
|
||||
include/Makefile
|
||||
--
|
||||
2.39.0
|
||||
|
@ -1,144 +0,0 @@
|
||||
From 66854ee1d187095186ae718979baf771c177002a Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Fri, 6 Jan 2023 12:50:48 -0800
|
||||
Subject: [PATCH libXpm 5/5] Fix CVE-2022-4883: compression commands depend on
|
||||
$PATH
|
||||
|
||||
By default, on all platforms except MinGW, libXpm will detect if a
|
||||
filename ends in .Z or .gz, and will when reading such a file fork off
|
||||
an uncompress or gunzip command to read from via a pipe, and when
|
||||
writing such a file will fork off a compress or gzip command to write
|
||||
to via a pipe.
|
||||
|
||||
In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH
|
||||
to find the commands. If libXpm is called from a program running with
|
||||
raised privileges, such as via setuid, then a malicious user could set
|
||||
$PATH to include programs of their choosing to be run with those
|
||||
privileges.
|
||||
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
README | 12 ++++++++++++
|
||||
configure.ac | 14 ++++++++++++++
|
||||
src/RdFToI.c | 17 ++++++++++++++---
|
||||
src/WrFFrI.c | 4 ++--
|
||||
4 files changed, 42 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/README b/README
|
||||
index f532bef..c7d6dbf 100644
|
||||
--- a/README
|
||||
+++ b/README
|
||||
@@ -38,3 +38,15 @@ if it can't find the file it was asked to open. It relies on the
|
||||
--enable-open-zfile feature to open the file, and is enabled by default
|
||||
when --enable-open-zfile is enabled, and can be disabled by passing the
|
||||
--disable-stat-zfile flag to the configure script.
|
||||
+
|
||||
+All of these commands will be executed with whatever userid & privileges the
|
||||
+function is called with, relying on the caller to ensure the correct euid,
|
||||
+egid, etc. are set before calling.
|
||||
+
|
||||
+To reduce risk, the paths to these commands are now set at configure time to
|
||||
+the first version found in the PATH used to run configure, and do not depend
|
||||
+on the PATH environment variable set at runtime.
|
||||
+
|
||||
+To specify paths to be used for these commands instead of searching $PATH, pass
|
||||
+the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, XPM_PATH_GZIP, and XPM_PATH_GUNZIP
|
||||
+variables to the configure command.
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 4a8d6de..c1da348 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -48,6 +48,14 @@ if test "x$USE_GETTEXT" = "xyes" ; then
|
||||
fi
|
||||
AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes")
|
||||
|
||||
+dnl Helper macro to find absolute path to program and add a #define for it
|
||||
+AC_DEFUN([XPM_PATH_PROG],[
|
||||
+AC_PATH_PROG([$1], [$2], [])
|
||||
+AS_IF([test "x$$1" = "x"],
|
||||
+ [AC_MSG_ERROR([$2 not found, set $1 or use --disable-stat-zfile])])
|
||||
+AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path to $2])
|
||||
+]) dnl End of AC_DEFUN([XPM_PATH_PROG]...
|
||||
+
|
||||
# Optional feature: When a filename ending in .Z or .gz is requested,
|
||||
# open a pipe to a newly forked compress/uncompress/gzip/gunzip command to
|
||||
# handle it.
|
||||
@@ -63,6 +71,12 @@ AC_ARG_ENABLE(open-zfile,
|
||||
AC_MSG_RESULT([$OPEN_ZFILE])
|
||||
if test x$OPEN_ZFILE = xno ; then
|
||||
AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes])
|
||||
+else
|
||||
+ XPM_PATH_PROG([XPM_PATH_COMPRESS], [compress])
|
||||
+ XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress])
|
||||
+ XPM_PATH_PROG([XPM_PATH_GZIP], [gzip])
|
||||
+ XPM_PATH_PROG([XPM_PATH_GUNZIP], [gunzip])
|
||||
+ AC_CHECK_FUNCS([closefrom close_range], [break])
|
||||
fi
|
||||
|
||||
# Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz
|
||||
diff --git a/src/RdFToI.c b/src/RdFToI.c
|
||||
index bd09611..a91d337 100644
|
||||
--- a/src/RdFToI.c
|
||||
+++ b/src/RdFToI.c
|
||||
@@ -43,6 +43,7 @@
|
||||
#include <errno.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/wait.h>
|
||||
+#include <unistd.h>
|
||||
#else
|
||||
#ifdef FOR_MSW
|
||||
#include <fcntl.h>
|
||||
@@ -161,7 +162,17 @@ xpmPipeThrough(
|
||||
goto err;
|
||||
if ( 0 == pid )
|
||||
{
|
||||
- execlp(cmd, cmd, arg1, (char *)NULL);
|
||||
+#ifdef HAVE_CLOSEFROM
|
||||
+ closefrom(3);
|
||||
+#elif defined(HAVE_CLOSE_RANGE)
|
||||
+# ifdef CLOSE_RANGE_UNSHARE
|
||||
+# define close_range_flags CLOSE_RANGE_UNSHARE
|
||||
+# else
|
||||
+# define close_range_flags 0
|
||||
+#endif
|
||||
+ close_range(3, ~0U, close_range_flags);
|
||||
+#endif
|
||||
+ execl(cmd, cmd, arg1, (char *)NULL);
|
||||
perror(cmd);
|
||||
goto err;
|
||||
}
|
||||
@@ -235,12 +246,12 @@ OpenReadFile(
|
||||
if ( ext && !strcmp(ext, ".Z") )
|
||||
{
|
||||
mdata->type = XPMPIPE;
|
||||
- mdata->stream.file = xpmPipeThrough(fd, "uncompress", "-c", "r");
|
||||
+ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_UNCOMPRESS, "-c", "r");
|
||||
}
|
||||
else if ( ext && !strcmp(ext, ".gz") )
|
||||
{
|
||||
mdata->type = XPMPIPE;
|
||||
- mdata->stream.file = xpmPipeThrough(fd, "gunzip", "-qc", "r");
|
||||
+ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GUNZIP, "-qc", "r");
|
||||
}
|
||||
else
|
||||
#endif /* z-files */
|
||||
diff --git a/src/WrFFrI.c b/src/WrFFrI.c
|
||||
index 067c96b..bc38f66 100644
|
||||
--- a/src/WrFFrI.c
|
||||
+++ b/src/WrFFrI.c
|
||||
@@ -336,10 +336,10 @@ OpenWriteFile(
|
||||
#ifndef NO_ZPIPE
|
||||
len = strlen(filename);
|
||||
if (len > 2 && !strcmp(".Z", filename + (len - 2))) {
|
||||
- mdata->stream.file = xpmPipeThrough(fd, "compress", NULL, "w");
|
||||
+ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_COMPRESS, NULL, "w");
|
||||
mdata->type = XPMPIPE;
|
||||
} else if (len > 3 && !strcmp(".gz", filename + (len - 3))) {
|
||||
- mdata->stream.file = xpmPipeThrough(fd, "gzip", "-q", "w");
|
||||
+ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-q", "w");
|
||||
mdata->type = XPMPIPE;
|
||||
} else
|
||||
#endif
|
||||
--
|
||||
2.39.0
|
||||
|
@ -1,67 +0,0 @@
|
||||
From 8b52b950360cd7224f504f294997f3a9d7e18b91 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
Date: Mon, 16 Jan 2023 19:44:52 +1000
|
||||
Subject: [PATCH libXpm] Use gzip -d instead of gunzip
|
||||
|
||||
GNU gunzip [1] is a shell script that exec's `gzip -d`. Even if we call
|
||||
/usr/bin/gunzip with the correct built-in path, the actual gzip call
|
||||
will use whichever gzip it finds first, making our patch pointless.
|
||||
|
||||
Fix this by explicitly calling gzip -d instead.
|
||||
|
||||
https://git.savannah.gnu.org/cgit/gzip.git/tree/gunzip.in
|
||||
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||||
---
|
||||
README | 2 +-
|
||||
configure.ac | 3 +--
|
||||
src/RdFToI.c | 2 +-
|
||||
3 files changed, 3 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/README b/README
|
||||
index c7d6dbf..d4c7212 100644
|
||||
--- a/README
|
||||
+++ b/README
|
||||
@@ -48,5 +48,5 @@ the first version found in the PATH used to run configure, and do not depend
|
||||
on the PATH environment variable set at runtime.
|
||||
|
||||
To specify paths to be used for these commands instead of searching $PATH, pass
|
||||
-the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, XPM_PATH_GZIP, and XPM_PATH_GUNZIP
|
||||
+the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, and XPM_PATH_GZIP
|
||||
variables to the configure command.
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index c1da348..74d9856 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -57,7 +57,7 @@ AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path to $2])
|
||||
]) dnl End of AC_DEFUN([XPM_PATH_PROG]...
|
||||
|
||||
# Optional feature: When a filename ending in .Z or .gz is requested,
|
||||
-# open a pipe to a newly forked compress/uncompress/gzip/gunzip command to
|
||||
+# open a pipe to a newly forked compress/uncompress/gzip command to
|
||||
# handle it.
|
||||
AC_MSG_CHECKING([whether to handle compressed pixmaps])
|
||||
case $host_os in
|
||||
@@ -75,7 +75,6 @@ else
|
||||
XPM_PATH_PROG([XPM_PATH_COMPRESS], [compress])
|
||||
XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress])
|
||||
XPM_PATH_PROG([XPM_PATH_GZIP], [gzip])
|
||||
- XPM_PATH_PROG([XPM_PATH_GUNZIP], [gunzip])
|
||||
AC_CHECK_FUNCS([closefrom close_range], [break])
|
||||
fi
|
||||
|
||||
diff --git a/src/RdFToI.c b/src/RdFToI.c
|
||||
index a91d337..141c485 100644
|
||||
--- a/src/RdFToI.c
|
||||
+++ b/src/RdFToI.c
|
||||
@@ -251,7 +251,7 @@ OpenReadFile(
|
||||
else if ( ext && !strcmp(ext, ".gz") )
|
||||
{
|
||||
mdata->type = XPMPIPE;
|
||||
- mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GUNZIP, "-qc", "r");
|
||||
+ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-dqc", "r");
|
||||
}
|
||||
else
|
||||
#endif /* z-files */
|
||||
--
|
||||
2.39.0
|
||||
|
6
gating.yaml
Normal file
6
gating.yaml
Normal file
@ -0,0 +1,6 @@
|
||||
--- !Policy
|
||||
product_versions:
|
||||
- rhel-10
|
||||
decision_context: osci_compose_gate
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: desktop-qe.desktop-ci.tier1-gating.functional}
|
@ -1,41 +1,23 @@
|
||||
Summary: X.Org X11 libXpm runtime library
|
||||
Name: libXpm
|
||||
Version: 3.5.12
|
||||
Release: 11%{?dist}
|
||||
License: MIT
|
||||
Group: System Environment/Libraries
|
||||
Version: 3.5.17
|
||||
Release: 5%{?dist}
|
||||
License: MIT AND X11-distribute-modifications-variant
|
||||
URL: http://www.x.org
|
||||
|
||||
Source0: https://www.x.org/pub/individual/lib/%{name}-%{version}.tar.bz2
|
||||
Source0: https://www.x.org/pub/individual/lib/%{name}-%{version}.tar.xz
|
||||
|
||||
BuildRequires: xorg-x11-util-macros
|
||||
BuildRequires: autoconf automake libtool
|
||||
BuildRequires: autoconf automake libtool make
|
||||
BuildRequires: gettext
|
||||
BuildRequires: pkgconfig(xext) pkgconfig(xt) pkgconfig(xau)
|
||||
BuildRequires: ncompress gzip
|
||||
|
||||
Patch0: 0001-After-fdopen-use-fclose-instead-of-close-in-error-pa.patch
|
||||
|
||||
# CVE-2022-46285
|
||||
Patch0001: 0001-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch
|
||||
# CVE-2022-44617
|
||||
Patch0002: 0002-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch
|
||||
Patch0003: 0003-Prevent-a-double-free-in-the-error-code-path.patch
|
||||
# CVE-2022-4883
|
||||
Patch0004: 0004-configure-add-disable-open-zfile-instead-of-requirin.patch
|
||||
Patch0005: 0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
|
||||
Patch0006: 0006-Use-gzip-d-instead-of-gunzip.patch
|
||||
# CVE-2023-43788
|
||||
Patch0007: 0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
|
||||
# CVE-2023-43789
|
||||
Patch0008: 0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch
|
||||
|
||||
%description
|
||||
X.Org X11 libXpm runtime library
|
||||
|
||||
%package devel
|
||||
Summary: X.Org X11 libXpm development package
|
||||
Group: Development/Libraries
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
|
||||
%description devel
|
||||
@ -43,15 +25,6 @@ X.Org X11 libXpm development package
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch0 -p1 -b .covscan
|
||||
%patch0001 -p1
|
||||
%patch0002 -p1
|
||||
%patch0003 -p1
|
||||
%patch0004 -p1
|
||||
%patch0005 -p1
|
||||
%patch0006 -p1
|
||||
%patch0007 -p1
|
||||
%patch0008 -p1
|
||||
|
||||
%build
|
||||
autoreconf -v --install --force
|
||||
@ -80,29 +53,76 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
|
||||
%{_includedir}/X11/xpm.h
|
||||
%{_libdir}/libXpm.so
|
||||
%{_libdir}/pkgconfig/xpm.pc
|
||||
#%dir %{_mandir}/man1x
|
||||
%{_mandir}/man1/*.1*
|
||||
#%{_mandir}/man1/*.1x*
|
||||
%{_mandir}/man3/*.3*
|
||||
|
||||
%changelog
|
||||
* Wed Oct 11 2023 José Expósito <jexposit@redhat.com> - 3.5.12-11
|
||||
- Drop hardening patches from previous version to keep ABI compatibility
|
||||
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 3.5.17-5
|
||||
- Bump release for October 2024 mass rebuild:
|
||||
Resolves: RHEL-64018
|
||||
|
||||
* Wed Oct 11 2023 José Expósito <jexposit@redhat.com> - 3.5.12-10
|
||||
- CVE-2023-43786 libX11: stack exhaustion from infinite recursion
|
||||
in PutSubImage()
|
||||
- CVE-2023-43787 libX11: integer overflow in XCreateImage() leading to
|
||||
a heap overflow
|
||||
- CVE-2023-43788 libXpm: out of bounds read in XpmCreateXpmImageFromBuffer()
|
||||
- CVE-2023-43789 libXpm: out of bounds read on XPM with corrupted colormap
|
||||
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.5.17-4
|
||||
- Bump release for June 2024 mass rebuild
|
||||
|
||||
* Mon Jan 16 2023 Peter Hutterer <peter.hutterer@redhat.com> - 3.5.12-9
|
||||
- Fix CVE-2022-46285: infinite loop on unclosed comments (#2160229)
|
||||
- Fix CVE-2022-44617: runaway loop with width of 0 (#2160231)
|
||||
- Fix CVE-2022-4883: compression depends on $PATH (#2160239)
|
||||
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.17-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
||||
|
||||
* Mon Dec 09 2019 Benjamin Tissoires <benjamin.tissoires@redhat.com> 3.5.12-8
|
||||
- add covscan fixes (#1602606)
|
||||
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.17-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
||||
|
||||
* Thu Oct 05 2023 Peter Hutterer <peter.hutterer@redhat.com> - 3.5.17-1
|
||||
- libXpm 3.5.17
|
||||
|
||||
* Wed Sep 06 2023 Benjamin Tissoires <benjamin.tissoires@redhat.com> - 3.5.15-5
|
||||
- SPDX migration
|
||||
|
||||
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.15-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
|
||||
|
||||
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.15-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
||||
|
||||
* Wed Jan 18 2023 Peter Hutterer <peter.hutterer@redhat.com> - 3.5.15-2
|
||||
- Add missing BuildRequires
|
||||
|
||||
* Wed Jan 18 2023 Peter Hutterer <peter.hutterer@redhat.com> - 3.5.15-1
|
||||
- libXpm 3.5.15, fixes CVE-2022-46285, CVE-2022-44617, CVE-2022-4883
|
||||
|
||||
* Wed Jan 11 2023 Peter Hutterer <peter.hutterer@redhat.com> - 3.5.14-1
|
||||
- libXpm 3.5.14
|
||||
|
||||
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.13-8
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
||||
|
||||
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.13-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
||||
|
||||
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.13-6
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
|
||||
|
||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.13-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Tue Jan 05 2021 Peter Hutterer <peter.hutterer@redhat.com> 3.5.13-4
|
||||
- Add make to BuildRequires
|
||||
|
||||
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.13-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.13-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Fri Dec 13 2019 Peter Hutterer <peter.hutterer@redhat.com> 3.5.13-1
|
||||
- libXpm 3.5.13
|
||||
|
||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.12-10
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.12-9
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.12-8
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
* Thu Jul 05 2018 Adam Jackson <ajax@redhat.com> - 3.5.12-7
|
||||
- Drop useless %%defattr
|
Loading…
Reference in New Issue
Block a user