Fixes for CVE-2023-43788 and CVE-2023-43789

Resolves: rhbz#2125560

.motif.metadata

@@ -0,0 +1 @@
+49ecfe2a0939232ca78ce318d938044e7f751b6d motif-2.3.4-src.tgz

0001-EditresCom-Fix-build-with-modern-systems.patch

@@ -0,0 +1,54 @@
+From 591ae206f83a359a590090524c286cb03e5c2494 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Tue, 6 Sep 2022 17:39:19 +0200
+Subject: [PATCH] EditresCom: Fix build with modern systems.
+
+The code in _XtGetStringValues() depends on the LONG_BIT define.
+
+However, modern system require -D_XOPEN_SOURCE to set LONG_BIT, so with
+the current code as it is, LONG_BIT is not defined (from limits.h) and
+the build wrongly assumes this is a 32bit build.
+
+Unfortunately, defining _XOPEN_SOURCE to have LONG_BIT set would disable
+the definition of caddr_t, a deprecated definition inherited from BSD,
+so we also need to replace that with a simple cast to (long *).
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+---
+ lib/Xm/EditresCom.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/Xm/EditresCom.c b/lib/Xm/EditresCom.c
+index 4114ff8b..c93d6844 100644
+--- a/lib/Xm/EditresCom.c
++++ b/lib/Xm/EditresCom.c
+@@ -43,6 +43,9 @@ in this Software without prior written authorization from the X Consortium.
+ #include <config.h>
+ #endif
+ 
++#ifndef _XOPEN_SOURCE
++#define _XOPEN_SOURCE 700
++#endif
+ 
+ #include <X11/IntrinsicP.h>	/* To get into the composite and core widget
+ 				   structures. */
+@@ -59,6 +62,7 @@ in this Software without prior written authorization from the X Consortium.
+ #include <X11/Xmd.h>
+ 
+ #include <stdio.h>
++#include <limits.h>
+ 
+ #define _XEditResPutBool _XEditResPut8	
+ #define _XEditResPutResourceType _XEditResPut8
+@@ -1608,7 +1612,7 @@ _XtGetStringValues(Widget w, Arg *warg, int numargs)
+ 	old_handler = XtAppSetWarningMsgHandler(XtWidgetToApplicationContext(w),
+ 					     EditResCvtWarningHandler);
+ 	from.size = res->resource_size;
+-	from.addr = (caddr_t)&value;
++	from.addr = (void *)&value;
+ 	to.addr = NULL;
+ 	to.size = 0;
+ 	to_color.addr = NULL;
+-- 
+2.37.3
+

0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch

@@ -0,0 +1,32 @@
+From 2fa554b01ef6079a9b35df9332bdc4f139ed67e0 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 29 Apr 2023 17:50:39 -0700
+Subject: [PATCH] Fix CVE-2023-43788: Out of bounds read in
+ XpmCreateXpmImageFromBuffer
+
+When the test case for CVE-2022-46285 was run with the Address Sanitizer
+enabled, it found an out-of-bounds read in ParseComment() when reading
+from a memory buffer instead of a file, as it continued to look for the
+closing comment marker past the end of the buffer.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ lib/Xm/Xpmdata.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/Xm/Xpmdata.c b/lib/Xm/Xpmdata.c
+index 7524e65..0b0f1f3 100644
+--- a/lib/Xm/Xpmdata.c
++++ b/lib/Xm/Xpmdata.c
+@@ -108,7 +108,7 @@ ParseComment(xpmData *data)
+ 		n++;
+ 		s2++;
+ 	    } while (c == *s2 && *s2 != '\0' && c);
+-	    if (*s2 == '\0') {
++	    if (*s2 == '\0' || c == '\0') {
+ 		/* this is the end of the comment */
+ 		notend = 0;
+ 		mdata->cptr--;
+-- 
+2.41.0
+

0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch

@@ -0,0 +1,36 @@
+From 7e21cb63b9a1ca760a06cc4cd9b19bbc3fcd8f51 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 29 Apr 2023 18:30:34 -0700
+Subject: [PATCH] Fix CVE-2023-43789: Out of bounds read on XPM with corrupted
+ colormap
+
+Found with clang's libfuzzer
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ lib/Xm/Xpmdata.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/Xm/Xpmdata.c b/lib/Xm/Xpmdata.c
+index 0b0f1f3..6e87455 100644
+--- a/lib/Xm/Xpmdata.c
++++ b/lib/Xm/Xpmdata.c
+@@ -259,13 +259,13 @@ xpmNextWord(
+     int c;
+ 
+     if (!mdata->type || mdata->type == XPMBUFFER) {
+-	while (isspace(c = *mdata->cptr) && c != mdata->Eos)
++	while ((c = *mdata->cptr) && isspace(c) && (c != mdata->Eos))
+ 	    mdata->cptr++;
+ 	do {
+ 	    c = *mdata->cptr++;
+ 	    *buf++ = c;
+ 	    n++;
+-	} while (!isspace(c) && c != mdata->Eos && n < buflen);
++	} while (c && !isspace(c) && (c != mdata->Eos) && (n < buflen));
+ 	n--;
+ 	mdata->cptr--;
+     } else {
+-- 
+2.41.0
+

motif.spec

@@ -1,7 +1,7 @@
 Summary: Run-time libraries and programs
 Name: motif
 Version: 2.3.4
-Release: 26%{?dist}
+Release: 28%{?dist}
 License: LGPLv2+
 Source: http://downloads.sf.net/motif/motif-%{version}-src.tgz
 Source1: xmbind
@@ -38,6 +38,13 @@ Patch54: motifzone_1612.patch
 
 # FTBFS #1448819
 Patch48: motif-2.3.4-Fix-issues-with-Werror-format-security.patch
+# rhbz#2125560
+Patch55: 0001-EditresCom-Fix-build-with-modern-systems.patch
+
+# CVE-2023-43788
+Patch56: 0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
+# CVE-2023-43789
+Patch57: 0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch
 
 Conflicts: lesstif <= 0.92.32-6
 
@@ -83,6 +90,9 @@ This package contains the static Motif libraries.
 %patch52 -p1 -b .revert-of-motifzone_1565
 %patch53 -p1 -b .motifzone_1660
 %patch54 -p1 -b .motifzone_1612
+%patch55 -p1 -b .long_bit
+%patch56 -p1 -b .cve-2023-43788
+%patch57 -p1 -b .cve-2023-43789
 
 %build
 ./autogen.sh
@@ -132,6 +142,13 @@ rm -f %{buildroot}%{_libdir}/*.la
 %{_libdir}/lib*.a
 
 %changelog
+* Mon Nov 27 2023 José Expósito <jexposit@redhat.com> - 2.3.4-28
+- Fix CVE-2023-43788: out of bounds read in XpmCreateXpmImageFromBuffer()
+- Fix CVE-2023-43789: out of bounds read on XPM with corrupted colormap
+
+* Mon Sep 26 2022 Olivier Fourdan <ofourdan@redhat.com> - 2.3.4-27
+- Fix LONG_BIT definition missing (rhbz#2125560)
+
 * Thu May 12 2022 Mika Penttila <mpenttil@redhat.com> - 2.3.4-26
 - Added patches from rhel-7