Import from AlmaLinux stable repository
This commit is contained in:
parent
2c41b96c33
commit
eea79d70a2
@ -0,0 +1,32 @@
|
||||
From 2fa554b01ef6079a9b35df9332bdc4f139ed67e0 Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Sat, 29 Apr 2023 17:50:39 -0700
|
||||
Subject: [PATCH] Fix CVE-2023-43788: Out of bounds read in
|
||||
XpmCreateXpmImageFromBuffer
|
||||
|
||||
When the test case for CVE-2022-46285 was run with the Address Sanitizer
|
||||
enabled, it found an out-of-bounds read in ParseComment() when reading
|
||||
from a memory buffer instead of a file, as it continued to look for the
|
||||
closing comment marker past the end of the buffer.
|
||||
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
lib/Xm/Xpmdata.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/Xm/Xpmdata.c b/lib/Xm/Xpmdata.c
|
||||
index 7524e65..0b0f1f3 100644
|
||||
--- a/lib/Xm/Xpmdata.c
|
||||
+++ b/lib/Xm/Xpmdata.c
|
||||
@@ -108,7 +108,7 @@ ParseComment(xpmData *data)
|
||||
n++;
|
||||
s2++;
|
||||
} while (c == *s2 && *s2 != '\0' && c);
|
||||
- if (*s2 == '\0') {
|
||||
+ if (*s2 == '\0' || c == '\0') {
|
||||
/* this is the end of the comment */
|
||||
notend = 0;
|
||||
mdata->cptr--;
|
||||
--
|
||||
2.41.0
|
||||
|
@ -0,0 +1,36 @@
|
||||
From 7e21cb63b9a1ca760a06cc4cd9b19bbc3fcd8f51 Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Sat, 29 Apr 2023 18:30:34 -0700
|
||||
Subject: [PATCH] Fix CVE-2023-43789: Out of bounds read on XPM with corrupted
|
||||
colormap
|
||||
|
||||
Found with clang's libfuzzer
|
||||
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
---
|
||||
lib/Xm/Xpmdata.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/Xm/Xpmdata.c b/lib/Xm/Xpmdata.c
|
||||
index 0b0f1f3..6e87455 100644
|
||||
--- a/lib/Xm/Xpmdata.c
|
||||
+++ b/lib/Xm/Xpmdata.c
|
||||
@@ -259,13 +259,13 @@ xpmNextWord(
|
||||
int c;
|
||||
|
||||
if (!mdata->type || mdata->type == XPMBUFFER) {
|
||||
- while (isspace(c = *mdata->cptr) && c != mdata->Eos)
|
||||
+ while ((c = *mdata->cptr) && isspace(c) && (c != mdata->Eos))
|
||||
mdata->cptr++;
|
||||
do {
|
||||
c = *mdata->cptr++;
|
||||
*buf++ = c;
|
||||
n++;
|
||||
- } while (!isspace(c) && c != mdata->Eos && n < buflen);
|
||||
+ } while (c && !isspace(c) && (c != mdata->Eos) && (n < buflen));
|
||||
n--;
|
||||
mdata->cptr--;
|
||||
} else {
|
||||
--
|
||||
2.41.0
|
||||
|
@ -1,7 +1,7 @@
|
||||
Summary: Run-time libraries and programs
|
||||
Name: motif
|
||||
Version: 2.3.4
|
||||
Release: 27%{?dist}
|
||||
Release: 28%{?dist}
|
||||
License: LGPLv2+
|
||||
Source: http://downloads.sf.net/motif/motif-%{version}-src.tgz
|
||||
Source1: xmbind
|
||||
@ -41,6 +41,11 @@ Patch48: motif-2.3.4-Fix-issues-with-Werror-format-security.patch
|
||||
# rhbz#2125560
|
||||
Patch55: 0001-EditresCom-Fix-build-with-modern-systems.patch
|
||||
|
||||
# CVE-2023-43788
|
||||
Patch56: 0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
|
||||
# CVE-2023-43789
|
||||
Patch57: 0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch
|
||||
|
||||
Conflicts: lesstif <= 0.92.32-6
|
||||
|
||||
%description
|
||||
@ -86,6 +91,8 @@ This package contains the static Motif libraries.
|
||||
%patch53 -p1 -b .motifzone_1660
|
||||
%patch54 -p1 -b .motifzone_1612
|
||||
%patch55 -p1 -b .long_bit
|
||||
%patch56 -p1 -b .cve-2023-43788
|
||||
%patch57 -p1 -b .cve-2023-43789
|
||||
|
||||
%build
|
||||
./autogen.sh
|
||||
@ -135,6 +142,10 @@ rm -f %{buildroot}%{_libdir}/*.la
|
||||
%{_libdir}/lib*.a
|
||||
|
||||
%changelog
|
||||
* Mon Nov 27 2023 José Expósito <jexposit@redhat.com> - 2.3.4-28
|
||||
- Fix CVE-2023-43788: out of bounds read in XpmCreateXpmImageFromBuffer()
|
||||
- Fix CVE-2023-43789: out of bounds read on XPM with corrupted colormap
|
||||
|
||||
* Mon Sep 26 2022 Olivier Fourdan <ofourdan@redhat.com> - 2.3.4-27
|
||||
- Fix LONG_BIT definition missing (rhbz#2125560)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user