commit 5027c3eb2ea225d9ecd6a6a0f6d18b268b35aa02 Author: MSVSphere Packaging Team Date: Thu Mar 28 17:36:20 2024 +0300 import libXpm-3.5.13-10.el9
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0bb3b25
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/libXpm-3.5.13.tar.bz2
diff --git a/.libXpm.metadata b/.libXpm.metadata
new file mode 100644
index 0000000..5fbf775
--- /dev/null
+++ b/.libXpm.metadata
@@ -0,0 +1 @@
+38b1a2728adb49f4e255aba1530f51789815ffc4 SOURCES/libXpm-3.5.13.tar.bz2
diff --git a/SOURCES/0001-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch b/SOURCES/0001-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch
new file mode 100644
index 0000000..30cf7f7
--- /dev/null
+++ b/SOURCES/0001-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch
@@ -0,0 +1,37 @@
+From c6cd85b7d0a725552a7277748504a33f0fc3e121 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Sat, 17 Dec 2022 12:23:45 -0800
+Subject: [PATCH libXpm 1/6] Fix CVE-2022-46285: Infinite loop on unclosed
+ comments
+
+When reading XPM images from a file with libXpm 3.5.14 or older, if a
+comment in the file is not closed (i.e. a C-style comment starts with
+"/*" and is missing the closing "*/"), the ParseComment() function will
+loop forever calling getc() to try to read the rest of the comment,
+failing to notice that it has returned EOF, which may cause a denial of
+service to the calling program.
+
+Reported-by: Marco Ivaldi
+Signed-off-by: Alan Coopersmith
+---
+ src/data.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/data.c b/src/data.c
+index 898889c..bfad4ff 100644
+--- a/src/data.c
++++ b/src/data.c
+@@ -174,6 +174,10 @@ ParseComment(xpmData *data)
+ notend = 0;
+ Ungetc(data, *s, file);
+ }
++ else if (c == EOF) {
++ /* hit end of file before the end of the comment */
++ return XpmFileInvalid;
++ }
+ }
+ return 0;
+ }
+--
+2.39.0
+
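Review bot: The new `return XpmFileInvalid;` in the `c == EOF` branch only becomes an error for the application if callers check ParseComment()'s result, and the call sites visible in the 0002 patch on this page (`ParseComment(data);` inside xpmNextString) discard it. The endless loop is still broken because the function now returns, but a truncated comment is not reported from those call sites. Consider propagating the status there, e.g. `if (ParseComment(data) != 0) return XpmFileInvalid;`, and add a header comment on ParseComment stating that it returns 0 on success and XpmFileInvalid on premature EOF. The body of ParseComment starts above this hunk, so the earlier read loops are not visible here.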
diff --git a/SOURCES/0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch b/SOURCES/0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
new file mode 100644
index 0000000..a2d039b
--- /dev/null
+++ b/SOURCES/0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
@@ -0,0 +1,32 @@
+From 2fa554b01ef6079a9b35df9332bdc4f139ed67e0 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Sat, 29 Apr 2023 17:50:39 -0700
+Subject: [PATCH] Fix CVE-2023-43788: Out of bounds read in
+ XpmCreateXpmImageFromBuffer
+
+When the test case for CVE-2022-46285 was run with the Address Sanitizer
+enabled, it found an out-of-bounds read in ParseComment() when reading
+from a memory buffer instead of a file, as it continued to look for the
+closing comment marker past the end of the buffer.
+
+Signed-off-by: Alan Coopersmith
+---
+ src/data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/data.c b/src/data.c
+index 7524e65..0b0f1f3 100644
+--- a/src/data.c
++++ b/src/data.c
+@@ -108,7 +108,7 @@ ParseComment(xpmData *data)
+ n++;
+ s2++;
+ } while (c == *s2 && *s2 != '\0' && c);
+- if (*s2 == '\0') {
++ if (*s2 == '\0' || c == '\0') {
+ /* this is the end of the comment */
+ notend = 0;
+ data->cptr--;
+--
+2.41.0
+
diff --git a/SOURCES/0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch b/SOURCES/0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch
new file mode 100644
index 0000000..789c423
--- /dev/null
+++ b/SOURCES/0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch
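Review bot: With `if (*s2 == '\0' || c == '\0')` a comment that runs into the terminating NUL of the buffer is handled exactly like a properly closed one (`notend = 0`), whereas the file path fixed for CVE-2022-46285 returns XpmFileInvalid when it hits EOF. This stops the over-read, but a truncated in-memory XPM is then parsed as if its comment had ended normally. Consider separating the two cases, along the lines of `if (c == '\0' && *s2 != '\0') { data->cptr--; return XpmFileInvalid; }` ahead of the existing test, or at least extend the comment to say `/* end of the comment, or end of buffer inside an unterminated comment */` so the silent acceptance is visibly deliberate. The loop this test sits in begins outside the hunk, so the exact position of `data->cptr` at that point should be confirmed against the full function.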
@@ -0,0 +1,36 @@
+From 7e21cb63b9a1ca760a06cc4cd9b19bbc3fcd8f51 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Sat, 29 Apr 2023 18:30:34 -0700
+Subject: [PATCH] Fix CVE-2023-43789: Out of bounds read on XPM with corrupted
+ colormap
+
+Found with clang's libfuzzer
+
+Signed-off-by: Alan Coopersmith
+---
+ src/data.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/data.c b/src/data.c
+index 0b0f1f3..6e87455 100644
+--- a/src/data.c
++++ b/src/data.c
+@@ -259,13 +259,13 @@ xpmNextWord(
+ int c;
+
+ if (!data->type || data->type == XPMBUFFER) {
+- while (isspace(c = *data->cptr) && c != data->Eos)
++ while ((c = *data->cptr) && isspace(c) && (c != data->Eos))
+ data->cptr++;
+ do {
+ c = *data->cptr++;
+ *buf++ = c;
+ n++;
+- } while (!isspace(c) && c != data->Eos && n < buflen);
++ } while (c && !isspace(c) && (c != data->Eos) && (n < buflen));
+ n--;
+ data->cptr--;
+ } else {
+--
+2.41.0
+
diff --git a/SOURCES/0002-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch b/SOURCES/0002-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch
new file mode 100644
index 0000000..b46b42a
--- /dev/null
+++ b/SOURCES/0002-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch
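Review bot: `isspace(c)` in both rewritten loops of xpmNextWord receives `c` straight from `*data->cptr`; if `cptr` is a plain `char *` (its declaration is not in the hunk), a byte of 0x80 or above in a crafted XPM becomes a negative int on signed-char platforms, which is undefined for the ctype.h functions and can index outside their lookup table. Casting at the call, `isspace((unsigned char)c)`, keeps the new NUL checks and removes that case. Separately, the do-loop stores `*buf++ = c` before it tests `n < buflen`, so it relies on every caller passing a buflen of at least 1; a one-line comment stating that precondition would help. The function continues past the end of the hunk.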
@@ -0,0 +1,151 @@ +From 0a1959b3b061d2e6d0a512e83035d84e5828f388 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 7 Jan 2023 12:44:28 -0800 +Subject: [PATCH libXpm 2/6] Fix CVE-2022-44617: Runaway loop with width of 0 + and enormous height + +When reading XPM images from a file with libXpm 3.5.14 or older, if a +image has a width of 0 and a very large height, the ParsePixels() function +will loop over the entire height calling getc() and ungetc() repeatedly, +or in some circumstances, may loop seemingly forever, which may cause a +denial of service to the calling program when given a small crafted XPM +file to parse. + +Closes: #2 + +Reported-by: Martin Ettl +Signed-off-by: Alan Coopersmith +--- + src/data.c | 20 ++++++++++++++------ + src/parse.c | 31 +++++++++++++++++++++++++++---- + 2 files changed, 41 insertions(+), 10 deletions(-) + +diff --git a/src/data.c b/src/data.c +index bfad4ff..7524e65 100644 +--- a/src/data.c ++++ b/src/data.c +@@ -195,19 +195,23 @@ xpmNextString(xpmData *data) + register char c; + + /* get to the end of the current string */ +- if (data->Eos) +- while ((c = *data->cptr++) && c != data->Eos); ++ if (data->Eos) { ++ while ((c = *data->cptr++) && c != data->Eos && c != '\0'); ++ ++ if (c == '\0') ++ return XpmFileInvalid; ++ } + + /* + * then get to the beginning of the next string looking for possible + * comment + */ + if (data->Bos) { +- while ((c = *data->cptr++) && c != data->Bos) ++ while ((c = *data->cptr++) && c != data->Bos && c != '\0') + if (data->Bcmt && c == data->Bcmt[0]) + ParseComment(data); + } else if (data->Bcmt) { /* XPM2 natural */ +- while ((c = *data->cptr++) == data->Bcmt[0]) ++ while (((c = *data->cptr++) == data->Bcmt[0]) && c != '\0') + ParseComment(data); + data->cptr--; + } +@@ -216,9 +220,13 @@ xpmNextString(xpmData *data) + FILE *file = data->stream.file; + + /* get to the end of the current string */ +- if (data->Eos) ++ if (data->Eos) { + while ((c = Getc(data, file)) != data->Eos && c != 
EOF); + ++ if (c == EOF) ++ return XpmFileInvalid; ++ } ++ + /* + * then get to the beginning of the next string looking for possible + * comment +@@ -234,7 +242,7 @@ xpmNextString(xpmData *data) + Ungetc(data, c, file); + } + } +- return 0; ++ return XpmSuccess; + } + + +diff --git a/src/parse.c b/src/parse.c +index 613529e..606789d 100644 +--- a/src/parse.c ++++ b/src/parse.c +@@ -427,6 +427,13 @@ ParsePixels( + { + unsigned int *iptr, *iptr2 = NULL; /* found by Egbert Eich */ + unsigned int a, x, y; ++ int ErrorStatus; ++ ++ if ((width == 0) && (height != 0)) ++ return (XpmFileInvalid); ++ ++ if ((height == 0) && (width != 0)) ++ return (XpmFileInvalid); + + if ((height > 0 && width >= UINT_MAX / height) || + width * height >= UINT_MAX / sizeof(unsigned int)) +@@ -464,7 +471,11 @@ ParsePixels( + colidx[(unsigned char)colorTable[a].string[0]] = a + 1; + + for (y = 0; y < height; y++) { +- xpmNextString(data); ++ ErrorStatus = xpmNextString(data); ++ if (ErrorStatus != XpmSuccess) { ++ XpmFree(iptr2); ++ return (ErrorStatus); ++ } + for (x = 0; x < width; x++, iptr++) { + int c = xpmGetC(data); + +@@ -511,7 +522,11 @@ do \ + } + + for (y = 0; y < height; y++) { +- xpmNextString(data); ++ ErrorStatus = xpmNextString(data); ++ if (ErrorStatus != XpmSuccess) { ++ XpmFree(iptr2); ++ return (ErrorStatus); ++ } + for (x = 0; x < width; x++, iptr++) { + int cc1 = xpmGetC(data); + if (cc1 > 0 && cc1 < 256) { +@@ -551,7 +566,11 @@ do \ + xpmHashAtom *slot; + + for (y = 0; y < height; y++) { +- xpmNextString(data); ++ ErrorStatus = xpmNextString(data); ++ if (ErrorStatus != XpmSuccess) { ++ XpmFree(iptr2); ++ return (ErrorStatus); ++ } + for (x = 0; x < width; x++, iptr++) { + for (a = 0, s = buf; a < cpp; a++, s++) { + int c = xpmGetC(data); +@@ -571,7 +590,11 @@ do \ + } + } else { + for (y = 0; y < height; y++) { +- xpmNextString(data); ++ ErrorStatus = xpmNextString(data); ++ if (ErrorStatus != XpmSuccess) { ++ XpmFree(iptr2); ++ return (ErrorStatus); ++ } + for (x = 0; 
x < width; x++, iptr++) { + for (a = 0, s = buf; a < cpp; a++, s++) { + int c = xpmGetC(data); +-- +2.39.0 + diff --git a/SOURCES/0003-Prevent-a-double-free-in-the-error-code-path.patch b/SOURCES/0003-Prevent-a-double-free-in-the-error-code-path.patch new file mode 100644 index 0000000..92c25d6 --- /dev/null +++ b/SOURCES/0003-Prevent-a-double-free-in-the-error-code-path.patch @@ -0,0 +1,39 @@ +From ad5a88046266478c2c9600f6d8a11ab707cb4c7e Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 12 Jan 2023 15:05:39 +1000 +Subject: [PATCH libXpm 3/6] Prevent a double free in the error code path + +xpmParseDataAndCreate() calls XDestroyImage() in the error path. +Reproducible with sxpm "zero-width.xpm", that file is in the test/ +directory. + +The same approach is needed in the bytes_per_line == 0 condition though +here it just plugs a memory leak. +--- + src/create.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/create.c b/src/create.c +index a750846..0f3735c 100644 +--- a/src/create.c ++++ b/src/create.c +@@ -994,11 +994,15 @@ CreateXImage( + #if !defined(FOR_MSW) && !defined(AMIGA) + if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) { + XDestroyImage(*image_return); ++ *image_return = NULL; + return XpmNoMemory; + } + /* now that bytes_per_line must have been set properly alloc data */ +- if((*image_return)->bytes_per_line == 0 || height == 0) ++ if((*image_return)->bytes_per_line == 0 || height == 0) { ++ XDestroyImage(*image_return); ++ *image_return = NULL; + return XpmNoMemory; ++ } + (*image_return)->data = + (char *) XpmMalloc((*image_return)->bytes_per_line * height); + +-- +2.39.0 + diff --git a/SOURCES/0004-configure-add-disable-open-zfile-instead-of-requirin.patch b/SOURCES/0004-configure-add-disable-open-zfile-instead-of-requirin.patch new file mode 100644 index 0000000..06f91b4 --- /dev/null +++ b/SOURCES/0004-configure-add-disable-open-zfile-instead-of-requirin.patch 
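Review bot: In the buffer branch of xpmNextString only the Eos loop reports a premature NUL; the Bos loop `while ((c = *data->cptr++) && c != data->Bos && c != '\0')` also stops on NUL but falls through, and the function then returns XpmSuccess. Because of the post-increment, `data->cptr` is by then one past the terminator, so whatever reads next would start beyond the end of the string. Mirror the Eos handling after that loop with `if (c == '\0') { data->cptr--; return XpmFileInvalid; }`; the added `c != '\0'` tests duplicate the assignment-as-condition and could be dropped for readability. The `ParseComment(data);` calls inside these loops still ignore the status that the CVE-2022-46285 patch introduced.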
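Review bot: The two `*image_return = NULL;` assignments in CreateXImage carry the whole fix, yet nothing in the code says why they are needed. According to the commit message the caller, xpmParseDataAndCreate(), destroys the image itself on error, so a comment such as `/* caller destroys *image_return on failure; clear it so the image is not freed twice */` at the first assignment would keep a later clean-up from removing them. The failure handling of the XpmMalloc() call that follows is outside the hunk; it is worth confirming that it uses the same destroy-and-clear pattern.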
@@ -0,0 +1,95 @@
+From 6fd1ea0d559a433aecccb21b63e91776e05a0831 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Thu, 5 Jan 2023 15:42:36 -0800
+Subject: [PATCH libXpm 4/6] configure: add --disable-open-zfile instead of
+ requiring -DNO_ZPIPE
+
+Documents the two compression options in the README, makes their
+configure options reflect the interdependency of their implementation,
+and makes the configure script report their configuration.
+
+Signed-off-by: Alan Coopersmith
+---
+ README.md | 15 +++++++++++++++
+ configure.ac | 36 +++++++++++++++++++++++-------------
+ 2 files changed, 38 insertions(+), 13 deletions(-)
+
+diff --git a/README.md b/README.md
+index f661e15..f3f4c93 100644
+--- a/README.md
++++ b/README.md
+@@ -16,3 +16,18 @@ For patch submission instructions, see:
+
+ https://www.x.org/wiki/Development/Documentation/SubmittingPatches
+
++------------------------------------------------------------------------------
++
++libXpm supports two optional features to handle compressed pixmap files.
++
++--enable-open-zfile makes libXpm recognize file names ending in .Z and .gz
++and open a pipe to the appropriate command to compress the file when writing
++and uncompress the file when reading. This is enabled by default on platforms
++other than MinGW and can be disabled by passing the --disable-open-zfile flag
++to the configure script.
++
++--enable-stat-zfile make libXpm search for a file name with .Z or .gz added
++if it can't find the file it was asked to open. It relies on the
++--enable-open-zfile feature to open the file, and is enabled by default
++when --enable-open-zfile is enabled, and can be disabled by passing the
++--disable-stat-zfile flag to the configure script.
+diff --git a/configure.ac b/configure.ac
+index 365544b..85e2c73 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -49,25 +49,35 @@ if test "x$USE_GETTEXT" = "xyes" ; then
+ fi
+ AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes")
+
++# Optional feature: When a filename ending in .Z or .gz is requested,
++# open a pipe to a newly forked compress/uncompress/gzip/gunzip command to
++# handle it.
++AC_MSG_CHECKING([whether to handle compressed pixmaps])
++case $host_os in
++ *mingw*) zpipe_default="no" ;;
++ *) zpipe_default="yes" ;;
++esac
++AC_ARG_ENABLE(open-zfile,
++ AS_HELP_STRING([--enable-open-zfile],
++ [Search for files with .Z & .gz extensions automatically @<:@default=auto@:>@]),
++ [OPEN_ZFILE=$enableval], [OPEN_ZFILE=yes])
++AC_MSG_RESULT([$OPEN_ZFILE])
++if test x$OPEN_ZFILE = xno ; then
++ AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes])
++fi
++
+ # Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz
+ # Replaces ZFILEDEF = -DSTAT_ZFILE in old Imakefile
++AC_MSG_CHECKING([whether to search for compressed pixmaps])
+ AC_ARG_ENABLE(stat-zfile,
+- AS_HELP_STRING([--enable-stat-zfile],
+- [Search for files with .Z & .gz extensions automatically @<:@default=yes@:>@]),
+- [STAT_ZFILE=$enableval], [STAT_ZFILE=yes])
++ AS_HELP_STRING([--enable-stat-zfile],
++ [Search for files with .Z & .gz extensions automatically @<:@default=auto@:>@]),
++ [STAT_ZFILE=$enableval], [STAT_ZFILE=$OPEN_ZFILE])
++AC_MSG_RESULT([$STAT_ZFILE])
+ if test x$STAT_ZFILE = xyes ; then
+- AC_DEFINE(STAT_ZFILE, 1, [Define to 1 to automatically look for files with .Z & .gz extensions])
++ AC_DEFINE(STAT_ZFILE, 1, [Define to 1 to automatically look for files with .Z & .gz extensions])
+ fi
+
+-
+-case $host_os in
+- *mingw*)
+- AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes])
+- ;;
+- *)
+- ;;
+-esac
+-
+ AC_CONFIG_FILES([Makefile
+ doc/Makefile
+ include/Makefile
+--
+2.39.0
+
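Review bot: `zpipe_default` is computed from `$host_os` in the configure.ac hunk but never used: AC_ARG_ENABLE(open-zfile) falls back to `[OPEN_ZFILE=yes]`. Since the old unconditional MinGW `AC_DEFINE(NO_ZPIPE, …)` block is removed in the same hunk, a MinGW build without an explicit flag no longer gets NO_ZPIPE, which contradicts the README text added by this patch ("enabled by default on platforms other than MinGW"). The default argument should read `[OPEN_ZFILE=$zpipe_default]`. The help string for --enable-open-zfile is also a copy of the stat-zfile one ("Search for files with .Z & .gz extensions automatically") and should describe the pipe-to-compress feature instead.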
diff --git a/SOURCES/0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch b/SOURCES/0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
new file mode 100644
index 0000000..7ba81de
--- /dev/null
+++ b/SOURCES/0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
@@ -0,0 +1,144 @@ +From cdbc3fa8edc5b42391a5f2bfe1a8f6099929acf7 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Fri, 6 Jan 2023 12:50:48 -0800 +Subject: [PATCH libXpm 5/6] Fix CVE-2022-4883: compression commands depend on + $PATH + +By default, on all platforms except MinGW, libXpm will detect if a +filename ends in .Z or .gz, and will when reading such a file fork off +an uncompress or gunzip command to read from via a pipe, and when +writing such a file will fork off a compress or gzip command to write +to via a pipe. + +In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH +to find the commands. If libXpm is called from a program running with +raised privileges, such as via setuid, then a malicious user could set +$PATH to include programs of their choosing to be run with those +privileges. + +Signed-off-by: Alan Coopersmith +--- + README.md | 12 ++++++++++++ + configure.ac | 14 ++++++++++++++ + src/RdFToI.c | 17 ++++++++++++++--- + src/WrFFrI.c | 4 ++-- + 4 files changed, 42 insertions(+), 5 deletions(-) + +diff --git a/README.md b/README.md +index f3f4c93..0b1c886 100644 +--- a/README.md ++++ b/README.md +@@ -31,3 +31,15 @@ if it can't find the file it was asked to open. It relies on the + --enable-open-zfile feature to open the file, and is enabled by default + when --enable-open-zfile is enabled, and can be disabled by passing the + --disable-stat-zfile flag to the configure script. ++ ++All of these commands will be executed with whatever userid & privileges the ++function is called with, relying on the caller to ensure the correct euid, ++egid, etc. are set before calling. ++ ++To reduce risk, the paths to these commands are now set at configure time to ++the first version found in the PATH used to run configure, and do not depend ++on the PATH environment variable set at runtime. 
++ ++To specify paths to be used for these commands instead of searching $PATH, pass ++the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, XPM_PATH_GZIP, and XPM_PATH_GUNZIP ++variables to the configure command. +diff --git a/configure.ac b/configure.ac +index 85e2c73..4fc370d 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -49,6 +49,14 @@ if test "x$USE_GETTEXT" = "xyes" ; then + fi + AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes") + ++dnl Helper macro to find absolute path to program and add a #define for it ++AC_DEFUN([XPM_PATH_PROG],[ ++AC_PATH_PROG([$1], [$2], []) ++AS_IF([test "x$$1" = "x"], ++ [AC_MSG_ERROR([$2 not found, set $1 or use --disable-stat-zfile])]) ++AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path to $2]) ++]) dnl End of AC_DEFUN([XPM_PATH_PROG]... ++ + # Optional feature: When a filename ending in .Z or .gz is requested, + # open a pipe to a newly forked compress/uncompress/gzip/gunzip command to + # handle it. +@@ -64,6 +72,12 @@ AC_ARG_ENABLE(open-zfile, + AC_MSG_RESULT([$OPEN_ZFILE]) + if test x$OPEN_ZFILE = xno ; then + AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes]) ++else ++ XPM_PATH_PROG([XPM_PATH_COMPRESS], [compress]) ++ XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress]) ++ XPM_PATH_PROG([XPM_PATH_GZIP], [gzip]) ++ XPM_PATH_PROG([XPM_PATH_GUNZIP], [gunzip]) ++ AC_CHECK_FUNCS([closefrom close_range], [break]) + fi + + # Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz +diff --git a/src/RdFToI.c b/src/RdFToI.c +index bd09611..a91d337 100644 +--- a/src/RdFToI.c ++++ b/src/RdFToI.c +@@ -43,6 +43,7 @@ + #include + #include + #include ++#include + #else + #ifdef FOR_MSW + #include +@@ -161,7 +162,17 @@ xpmPipeThrough( + goto err; + if ( 0 == pid ) + { +- execlp(cmd, cmd, arg1, (char *)NULL); ++#ifdef HAVE_CLOSEFROM ++ closefrom(3); ++#elif defined(HAVE_CLOSE_RANGE) ++# ifdef CLOSE_RANGE_UNSHARE ++# define close_range_flags CLOSE_RANGE_UNSHARE ++# else ++# define close_range_flags 0 ++#endif ++ 
close_range(3, ~0U, close_range_flags); ++#endif ++ execl(cmd, cmd, arg1, (char *)NULL); + perror(cmd); + goto err; + } +@@ -235,12 +246,12 @@ OpenReadFile( + if ( ext && !strcmp(ext, ".Z") ) + { + mdata->type = XPMPIPE; +- mdata->stream.file = xpmPipeThrough(fd, "uncompress", "-c", "r"); ++ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_UNCOMPRESS, "-c", "r"); + } + else if ( ext && !strcmp(ext, ".gz") ) + { + mdata->type = XPMPIPE; +- mdata->stream.file = xpmPipeThrough(fd, "gunzip", "-qc", "r"); ++ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GUNZIP, "-qc", "r"); + } + else + #endif /* z-files */ +diff --git a/src/WrFFrI.c b/src/WrFFrI.c +index 328c987..d59098f 100644 +--- a/src/WrFFrI.c ++++ b/src/WrFFrI.c +@@ -342,10 +342,10 @@ OpenWriteFile( + #ifndef NO_ZPIPE + len = strlen(filename); + if (len > 2 && !strcmp(".Z", filename + (len - 2))) { +- mdata->stream.file = xpmPipeThrough(fd, "compress", NULL, "w"); ++ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_COMPRESS, NULL, "w"); + mdata->type = XPMPIPE; + } else if (len > 3 && !strcmp(".gz", filename + (len - 3))) { +- mdata->stream.file = xpmPipeThrough(fd, "gzip", "-q", "w"); ++ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-q", "w"); + mdata->type = XPMPIPE; + } else + #endif +-- +2.39.0 + diff --git a/SOURCES/0006-Use-gzip-d-instead-of-gunzip.patch b/SOURCES/0006-Use-gzip-d-instead-of-gunzip.patch new file mode 100644 index 0000000..ec399bc --- /dev/null +++ b/SOURCES/0006-Use-gzip-d-instead-of-gunzip.patch 
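Review bot: The descriptor clean-up added before `execl()` in xpmPipeThrough is best-effort only: when configure finds neither closefrom nor close_range nothing is closed, and the result of `close_range(3, ~0U, close_range_flags)` is ignored, so a kernel that lacks the call leaves every inherited descriptor open in the compress/gzip child without any indication. Checking the return value and falling back to a bounded `close()` loop from 3 up to the descriptor limit would make the hardening hold on those builds too. After a failed `execl()` the child runs `perror(cmd); goto err;`; the `err` label is outside the hunk, but if it returns instead of calling `_exit()`, the forked child carries on in the caller's code. In configure.ac the XPM_PATH_PROG error text says `use --disable-stat-zfile`, while the switch that actually skips these lookups is `--disable-open-zfile`.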
@@ -0,0 +1,68 @@
+From 999005133c928c841e98600c00e12d4c05846c91 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer
+Date: Mon, 16 Jan 2023 19:44:52 +1000
+Subject: [PATCH libXpm 6/6] Use gzip -d instead of gunzip
+
+GNU gunzip [1] is a shell script that exec's `gzip -d`. Even if we call
+/usr/bin/gunzip with the correct built-in path, the actual gzip call
+will use whichever gzip it finds first, making our patch pointless.
+
+Fix this by explicitly calling gzip -d instead.
+
+[1] https://git.savannah.gnu.org/cgit/gzip.git/tree/gunzip.in
+
+Signed-off-by: Peter Hutterer
+---
+ README.md | 2 +-
+ configure.ac | 3 +--
+ src/RdFToI.c | 2 +-
+ 3 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/README.md b/README.md
+index 0b1c886..d906954 100644
+--- a/README.md
++++ b/README.md
+@@ -41,5 +41,5 @@ the first version found in the PATH used to run configure, and do not depend
+ on the PATH environment variable set at runtime.
+
+ To specify paths to be used for these commands instead of searching $PATH, pass
+-the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, XPM_PATH_GZIP, and XPM_PATH_GUNZIP
++the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, and XPM_PATH_GZIP
+ variables to the configure command.
+diff --git a/configure.ac b/configure.ac
+index 4fc370d..5535998 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -58,7 +58,7 @@ AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path to $2])
+ ]) dnl End of AC_DEFUN([XPM_PATH_PROG]...
+
+ # Optional feature: When a filename ending in .Z or .gz is requested,
+-# open a pipe to a newly forked compress/uncompress/gzip/gunzip command to
++# open a pipe to a newly forked compress/uncompress/gzip command to
+ # handle it.
+ AC_MSG_CHECKING([whether to handle compressed pixmaps])
+ case $host_os in
+@@ -76,7 +76,6 @@ else
+ XPM_PATH_PROG([XPM_PATH_COMPRESS], [compress])
+ XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress])
+ XPM_PATH_PROG([XPM_PATH_GZIP], [gzip])
+- XPM_PATH_PROG([XPM_PATH_GUNZIP], [gunzip])
+ AC_CHECK_FUNCS([closefrom close_range], [break])
+ fi
+
+diff --git a/src/RdFToI.c b/src/RdFToI.c
+index a91d337..141c485 100644
+--- a/src/RdFToI.c
++++ b/src/RdFToI.c
+@@ -251,7 +251,7 @@ OpenReadFile(
+ else if ( ext && !strcmp(ext, ".gz") )
+ {
+ mdata->type = XPMPIPE;
+- mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GUNZIP, "-qc", "r");
++ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-dqc", "r");
+ }
+ else
+ #endif /* z-files */
+--
+2.39.0
+
diff --git a/SPECS/libXpm.spec b/SPECS/libXpm.spec
new file mode 100644
index 0000000..ac46961
--- /dev/null
+++ b/SPECS/libXpm.spec
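Review bot: The wrapper-script problem this patch describes for gunzip can equally apply to XPM_PATH_UNCOMPRESS, which OpenReadFile still executes for `.Z` files (see the 0005 patch): where `uncompress` is supplied by gzip rather than by ncompress it is, like gunzip, a shell script that finds `gzip` through $PATH. gzip can decode `.Z` input itself, so `xpmPipeThrough(fd, XPM_PATH_GZIP, "-dqc", "r")` in the `.Z` branch would remove the dependency on what `uncompress` happens to be at configure time. If the ncompress binary is what is intended, a comment next to the `.Z` branch saying so would make that assumption explicit. Only the `.gz` branch is inside this hunk; the `.Z` branch sits just above it.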
@@ -0,0 +1,181 @@ +Summary: X.Org X11 libXpm runtime library +Name: libXpm +Version: 3.5.13 +Release: 10%{?dist} +License: MIT +URL: http://www.x.org + +Source0: https://www.x.org/pub/individual/lib/%{name}-%{version}.tar.bz2 + +BuildRequires: xorg-x11-util-macros +BuildRequires: autoconf automake libtool make +BuildRequires: gettext +BuildRequires: pkgconfig(xext) pkgconfig(xt) pkgconfig(xau) +BuildRequires: ncompress gzip + +# CVE-2022-46285 +Patch0001: 0001-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch +# CVE-2022-44617 +Patch0002: 0002-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch +Patch0003: 0003-Prevent-a-double-free-in-the-error-code-path.patch +# CVE-2022-4883 +Patch0004: 0004-configure-add-disable-open-zfile-instead-of-requirin.patch +Patch0005: 0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch +Patch0006: 0006-Use-gzip-d-instead-of-gunzip.patch +# CVE-2023-43788 +Patch0007: 0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch +# CVE-2023-43789 +Patch0008: 0001-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch + +%description +X.Org X11 libXpm runtime library + +%package devel +Summary: X.Org X11 libXpm development package +Requires: %{name} = %{version}-%{release} + +%description devel +X.Org X11 libXpm development package + +%prep +%setup -q + +%patch0001 -p1 +%patch0002 -p1 +%patch0003 -p1 +%patch0004 -p1 +%patch0005 -p1 +%patch0006 -p1 +%patch0007 -p1 +%patch0008 -p1 + +%build +autoreconf -v --install --force +%configure --disable-static +make %{?_smp_mflags} + +%install +rm -rf $RPM_BUILD_ROOT + +make install DESTDIR=$RPM_BUILD_ROOT + +# We intentionally don't ship *.la files +rm -f $RPM_BUILD_ROOT%{_libdir}/*.la + +%ldconfig_post +%ldconfig_postun + +%files +%doc AUTHORS COPYING ChangeLog +%{_libdir}/libXpm.so.4 +%{_libdir}/libXpm.so.4.11.0 + +%files devel +%{_bindir}/cxpm +%{_bindir}/sxpm +%{_includedir}/X11/xpm.h +%{_libdir}/libXpm.so +%{_libdir}/pkgconfig/xpm.pc +#%dir %{_mandir}/man1x 
+%{_mandir}/man1/*.1* +#%{_mandir}/man1/*.1x* + +%changelog +* Wed Oct 11 2023 José Expósito - 3.5.13-10 +- Drop hardening patches from previous version to keep ABI compatibility + +* Wed Oct 11 2023 José Expósito - 3.5.13-9 +- CVE-2023-43786 libX11: stack exhaustion from infinite recursion + in PutSubImage() +- CVE-2023-43787 libX11: integer overflow in XCreateImage() leading to + a heap overflow +- CVE-2023-43788 libXpm: out of bounds read in XpmCreateXpmImageFromBuffer() +- CVE-2023-43789 libXpm: out of bounds read on XPM with corrupted colormap + +* Mon Jan 16 2023 Peter Hutterer - 3.5.13-8 +- Fix CVE-2022-46285: infinite loop on unclosed comments (#2160230) +- Fix CVE-2022-44617: runaway loop with width of 0 (#2160232) +- Fix CVE-2022-4883: compression depends on $PATH (#2160242) + +* Mon Aug 09 2021 Mohan Boddu - 3.5.13-7 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Fri Apr 16 2021 Mohan Boddu - 3.5.13-6 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. 
Related: rhbz#1947937 + +* Tue Jan 26 2021 Fedora Release Engineering - 3.5.13-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Tue Jan 05 2021 Peter Hutterer 3.5.13-4 +- Add make to BuildRequires + +* Tue Jul 28 2020 Fedora Release Engineering - 3.5.13-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Wed Jan 29 2020 Fedora Release Engineering - 3.5.13-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Dec 13 2019 Peter Hutterer 3.5.13-1 +- libXpm 3.5.13 + +* Thu Jul 25 2019 Fedora Release Engineering - 3.5.12-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri Feb 01 2019 Fedora Release Engineering - 3.5.12-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jul 13 2018 Fedora Release Engineering - 3.5.12-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Jul 05 2018 Adam Jackson - 3.5.12-7 +- Drop useless %%defattr + +* Fri Jun 29 2018 Adam Jackson - 3.5.12-6 +- Use ldconfig scriptlet macros + +* Wed Feb 07 2018 Fedora Release Engineering - 3.5.12-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Aug 03 2017 Fedora Release Engineering - 3.5.12-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 3.5.12-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Feb 10 2017 Fedora Release Engineering - 3.5.12-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Jan 05 2017 Benjamin Tissoires 3.5.12-1 +- libXpm 3.5.12 + +* Thu Feb 04 2016 Fedora Release Engineering - 3.5.11-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Jun 17 2015 Fedora Release Engineering - 3.5.11-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sun Aug 17 2014 Fedora Release Engineering - 3.5.11-3 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 3.5.11-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed Feb 12 2014 Adam Jackson 3.5.11-1 +- libXpm 3.5.11 +- Drop pre-F18 changelog + +* Sat Aug 03 2013 Fedora Release Engineering - 3.5.10-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Thu Mar 07 2013 Peter Hutterer - 3.5.10-4 +- autoreconf for aarch64 + +* Thu Feb 14 2013 Fedora Release Engineering - 3.5.10-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Thu Jul 19 2012 Fedora Release Engineering - 3.5.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu Mar 08 2012 Adam Jackson 3.5.10-1 +- libXpm 3.5.10
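Review bot: `ncompress gzip` appear only under BuildRequires, but patch 0005 compiles the absolute paths found at configure time into the library, so the installed libXpm executes exactly those binaries at run time. Nothing in the main package requires them, so on a system without ncompress reading or writing a `.Z` pixmap fails in the exec'd child. Consider adding `Requires: gzip` and `Recommends: ncompress` (or a hard Requires) to the main package. Passing XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS and XPM_PATH_GZIP explicitly on the `%configure` line would also keep the compiled-in paths independent of the build root's PATH.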