diff --git a/0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch b/0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch new file mode 100644 index 0000000..5ee660d --- /dev/null +++ b/0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch @@ -0,0 +1,32 @@ +From 2fa554b01ef6079a9b35df9332bdc4f139ed67e0 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 29 Apr 2023 17:50:39 -0700 +Subject: [PATCH] Fix CVE-2023-43788: Out of bounds read in + XpmCreateXpmImageFromBuffer + +When the test case for CVE-2022-46285 was run with the Address Sanitizer +enabled, it found an out-of-bounds read in ParseComment() when reading +from a memory buffer instead of a file, as it continued to look for the +closing comment marker past the end of the buffer. + +Signed-off-by: Alan Coopersmith +--- + lib/Xm/Xpmdata.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/Xm/Xpmdata.c b/lib/Xm/Xpmdata.c +index 7524e65..0b0f1f3 100644 +--- a/lib/Xm/Xpmdata.c ++++ b/lib/Xm/Xpmdata.c +@@ -108,7 +108,7 @@ ParseComment(xpmData *data) + n++; + s2++; + } while (c == *s2 && *s2 != '\0' && c); +- if (*s2 == '\0') { ++ if (*s2 == '\0' || c == '\0') { + /* this is the end of the comment */ + notend = 0; + mdata->cptr--; +-- +2.41.0 + diff --git a/0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch b/0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch new file mode 100644 index 0000000..292988b --- /dev/null +++ b/0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch @@ -0,0 +1,36 @@ +From 7e21cb63b9a1ca760a06cc4cd9b19bbc3fcd8f51 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 29 Apr 2023 18:30:34 -0700 +Subject: [PATCH] Fix CVE-2023-43789: Out of bounds read on XPM with corrupted + colormap + +Found with clang's libfuzzer + +Signed-off-by: Alan Coopersmith +--- + lib/Xm/Xpmdata.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/Xm/Xpmdata.c b/lib/Xm/Xpmdata.c +index 0b0f1f3..6e87455 100644 +--- a/lib/Xm/Xpmdata.c ++++ b/lib/Xm/Xpmdata.c +@@ -259,13 +259,13 @@ xpmNextWord( + int c; + + if (!mdata->type || mdata->type == XPMBUFFER) { +- while (isspace(c = *mdata->cptr) && c != mdata->Eos) ++ while ((c = *mdata->cptr) && isspace(c) && (c != mdata->Eos)) + mdata->cptr++; + do { + c = *mdata->cptr++; + *buf++ = c; + n++; +- } while (!isspace(c) && c != mdata->Eos && n < buflen); ++ } while (c && !isspace(c) && (c != mdata->Eos) && (n < buflen)); + n--; + mdata->cptr--; + } else { +-- +2.41.0 + diff --git a/motif.spec b/motif.spec index 1f61233..0e87b33 100644 --- a/motif.spec +++ b/motif.spec @@ -1,7 +1,7 @@ Summary: Run-time libraries and programs Name: motif Version: 2.3.4 -Release: 19%{?dist} +Release: 20%{?dist} License: LGPLv2+ Group: System Environment/Libraries Source: http://downloads.sf.net/motif/motif-%{version}-src.tgz @@ -40,6 +40,10 @@ Patch53: motifzone_1660.patch Patch54: motifzone_1612.patch Patch55: 0001-EditresCom-Fix-build-with-modern-systems.patch +# CVE-2023-43788 +Patch56: 0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch +# CVE-2023-43789 +Patch57: 0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch Conflicts: lesstif <= 0.92.32-6 @@ -89,6 +93,8 @@ This package contains the static Motif libraries. %patch53 -p1 -b .motifzone_1660 %patch54 -p1 -b .motifzone_1612 %patch55 -p1 -b .long_bit +%patch56 -p1 -b .cve-2023-43788 +%patch57 -p1 -b .cve-2023-43789 %build CFLAGS="$RPM_OPT_FLAGS -D_FILE_OFFSET_BITS=64" \ @@ -146,6 +152,10 @@ rm -rf %{buildroot} %{_libdir}/lib*.a %changelog +* Mon Nov 27 2023 José Expósito - 2.3.4-20 +- Fix CVE-2023-43788: out of bounds read in XpmCreateXpmImageFromBuffer() +- Fix CVE-2023-43789: out of bounds read on XPM with corrupted colormap + * Mon Sep 26 2022 Olivier Fourdan - 2.3.4-19 - Fix LONG_BIT definition missing (rhbz#2124810)