.gitignore

@@ -1 +1 @@
-SOURCES/motif-2.3.4-src.tgz
+/motif-2.3.4-src.tgz

.motif.metadata

@@ -1 +1 @@
-49ecfe2a0939232ca78ce318d938044e7f751b6d SOURCES/motif-2.3.4-src.tgz
+49ecfe2a0939232ca78ce318d938044e7f751b6d motif-2.3.4-src.tgz

0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch

@@ -0,0 +1,32 @@
+From 2fa554b01ef6079a9b35df9332bdc4f139ed67e0 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 29 Apr 2023 17:50:39 -0700
+Subject: [PATCH] Fix CVE-2023-43788: Out of bounds read in
+ XpmCreateXpmImageFromBuffer
+
+When the test case for CVE-2022-46285 was run with the Address Sanitizer
+enabled, it found an out-of-bounds read in ParseComment() when reading
+from a memory buffer instead of a file, as it continued to look for the
+closing comment marker past the end of the buffer.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ lib/Xm/Xpmdata.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/Xm/Xpmdata.c b/lib/Xm/Xpmdata.c
+index 7524e65..0b0f1f3 100644
+--- a/lib/Xm/Xpmdata.c
++++ b/lib/Xm/Xpmdata.c
+@@ -108,7 +108,7 @@ ParseComment(xpmData *data)
+ 		n++;
+ 		s2++;
+ 	    } while (c == *s2 && *s2 != '\0' && c);
+-	    if (*s2 == '\0') {
++	    if (*s2 == '\0' || c == '\0') {
+ 		/* this is the end of the comment */
+ 		notend = 0;
+ 		mdata->cptr--;
+-- 
+2.41.0
+

0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch

@@ -0,0 +1,36 @@
+From 7e21cb63b9a1ca760a06cc4cd9b19bbc3fcd8f51 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 29 Apr 2023 18:30:34 -0700
+Subject: [PATCH] Fix CVE-2023-43789: Out of bounds read on XPM with corrupted
+ colormap
+
+Found with clang's libfuzzer
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ lib/Xm/Xpmdata.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/Xm/Xpmdata.c b/lib/Xm/Xpmdata.c
+index 0b0f1f3..6e87455 100644
+--- a/lib/Xm/Xpmdata.c
++++ b/lib/Xm/Xpmdata.c
+@@ -259,13 +259,13 @@ xpmNextWord(
+     int c;
+ 
+     if (!mdata->type || mdata->type == XPMBUFFER) {
+-	while (isspace(c = *mdata->cptr) && c != mdata->Eos)
++	while ((c = *mdata->cptr) && isspace(c) && (c != mdata->Eos))
+ 	    mdata->cptr++;
+ 	do {
+ 	    c = *mdata->cptr++;
+ 	    *buf++ = c;
+ 	    n++;
+-	} while (!isspace(c) && c != mdata->Eos && n < buflen);
++	} while (c && !isspace(c) && (c != mdata->Eos) && (n < buflen));
+ 	n--;
+ 	mdata->cptr--;
+     } else {
+-- 
+2.41.0
+

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: desktop-qe.desktop-ci.tier1-gating.functional}

motif.spec

@@ -1,9 +1,8 @@
 Summary: Run-time libraries and programs
 Name: motif
 Version: 2.3.4
-Release: 19%{?dist}
+Release: 28%{?dist}
 License: LGPLv2+
-Group: System Environment/Libraries
 Source: http://downloads.sf.net/motif/motif-%{version}-src.tgz
 Source1: xmbind
 URL: http://www.motifzone.net/
@@ -12,6 +11,7 @@ Provides: openmotif = %{version}-%{release}
 Requires: xorg-x11-xbitmaps
 Requires: xorg-x11-xinit
 
+BuildRequires: make
 BuildRequires: automake, libtool, autoconf, flex
 # flex static libs have been part of flex for RHEL <= 6 and Fedora <= 12
 %if 0%{?fedora} > 12 || 0%{?rhel} > 6
@@ -29,9 +29,6 @@ Patch43: openMotif-2.3.0-rgbtxt.patch
 Patch45: motif-2.3.4-mwmrc_dir.patch
 Patch46: motif-2.3.4-bindings.patch
 Patch47: openMotif-2.3.0-no_X11R6.patch
-# FTBFS #1448819
-Patch48: motif-2.3.4-Fix-issues-with-Werror-format-security.patch
-
 Patch49: openmotif-2.3.1-rhbz_997241.patch
 Patch50: motif-2.3.5-motifzone_1654.patch
 Patch51: motif-2.3.4-motifzone_1564-88bdce1.patch
@@ -39,8 +36,16 @@ Patch52: revert-of-motifzone_1565.patch
 Patch53: motifzone_1660.patch
 Patch54: motifzone_1612.patch
 
+# FTBFS #1448819
+Patch48: motif-2.3.4-Fix-issues-with-Werror-format-security.patch
+# rhbz#2125560
 Patch55: 0001-EditresCom-Fix-build-with-modern-systems.patch
 
+# CVE-2023-43788
+Patch56: 0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
+# CVE-2023-43789
+Patch57: 0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch
+
 Conflicts: lesstif <= 0.92.32-6
 
 %description
@@ -50,7 +55,6 @@ linked against Motif and the Motif Window Manager mwm.
 
 %package devel
 Summary: Development libraries and header files
-Group: Development/Libraries
 Conflicts: lesstif-devel <= 0.92.32-6
 Requires: %{name}%{?_isa} = %{version}-%{release}
 Requires: libjpeg-devel%{?_isa} libpng-devel%{?_isa}
@@ -65,7 +69,6 @@ header files and also static libraries necessary to build Motif applications.
 
 %package static
 Summary: Static libraries
-Group: Development/Libraries
 Conflicts: lesstif-devel <= 0.92.32-6
 Requires: %{name}-devel%{?_isa} = %{version}-%{release}
 
@@ -81,7 +84,6 @@ This package contains the static Motif libraries.
 %patch46 -p1 -b .bindings
 %patch47 -p1 -b .no_X11R6
 %patch48 -p1 -b .format-security
-
 %patch49 -p1 -b .rhbz_997241
 %patch50 -p1 -b .motifzone_1654
 %patch51 -p1 -b .motifzone_1564-88bdce1
@@ -89,14 +91,12 @@ This package contains the static Motif libraries.
 %patch53 -p1 -b .motifzone_1660
 %patch54 -p1 -b .motifzone_1612
 %patch55 -p1 -b .long_bit
+%patch56 -p1 -b .cve-2023-43788
+%patch57 -p1 -b .cve-2023-43789
 
 %build
-CFLAGS="$RPM_OPT_FLAGS -D_FILE_OFFSET_BITS=64" \
-./autogen.sh --libdir=%{_libdir} --enable-static --enable-xft --enable-jpeg \
-   --enable-png
-
-%configure --libdir=%{_libdir} --enable-static --enable-xft --enable-jpeg \
-   --enable-png
+./autogen.sh
+%configure --enable-static --enable-xft --enable-jpeg --enable-png
 
 make clean %{?_smp_mflags}
 make -C include
@@ -110,11 +110,7 @@ install -m 755 %{SOURCE1} %{buildroot}/etc/X11/xinit/xinitrc.d/xmbind.sh
 
 rm -f %{buildroot}%{_libdir}/*.la
 
-%post -p /sbin/ldconfig
-%postun -p /sbin/ldconfig
-
-%clean
-rm -rf %{buildroot}
+%ldconfig_scriptlets
 
 %files
 %doc COPYING README RELEASE RELNOTES
@@ -146,18 +142,47 @@ rm -rf %{buildroot}
 %{_libdir}/lib*.a
 
 %changelog
-* Mon Sep 26 2022 Olivier Fourdan <ofourdan@redhat.com> - 2.3.4-19
-- Fix LONG_BIT definition missing (rhbz#2124810)
+* Mon Nov 27 2023 José Expósito <jexposit@redhat.com> - 2.3.4-28
+- Fix CVE-2023-43788: out of bounds read in XpmCreateXpmImageFromBuffer()
+- Fix CVE-2023-43789: out of bounds read on XPM with corrupted colormap
 
-* Wed Sep 07 2022 Mika Penttila <mpenttil@redhat.com> - 2.3.4-18
-- Version bump
+* Mon Sep 26 2022 Olivier Fourdan <ofourdan@redhat.com> - 2.3.4-27
+- Fix LONG_BIT definition missing (rhbz#2125560)
 
-* Fri Apr 08 2022 Mika Penttila <mpenttil@redhat.com> - 2.3.4-17
-- Added forgotten patches and corrected release number
+* Thu May 12 2022 Mika Penttila <mpenttil@redhat.com> - 2.3.4-26
+- Added patches from rhel-7
 
-* Tue Sep 11 2018 Carlos Soriano <csoriano@redhat.com> - 2.3.4-16
-- Fix hardened flags, make sure to always pass LDFLAGS on the spec
-- Resolves: RHBZ#1624143
+* Thu Feb 03 2022 Adam Jackson <ajax@redhat.com> - 2.3.4-25
+- Fix invoking autogen/configure so the default CFLAGS actually get applied
+  Resolves: rhbz#2044881
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.3.4-24
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.3.4-23
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.4-22
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.4-21
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.4-20
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.4-19
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.4-18
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.4-17
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.4-16
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
 
 * Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.4-15
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

sources

@@ -0,0 +1 @@
+612bb8127d0d31da6e5474edf8a5c247  motif-2.3.4-src.tgz