--- libxpm-3.5.12.orig/.pc/.quilt_patches +++ libxpm-3.5.12/.pc/.quilt_patches @@ -0,0 +1 @@ +debian/patches --- libxpm-3.5.12.orig/.pc/.quilt_series +++ libxpm-3.5.12/.pc/.quilt_series @@ -0,0 +1 @@ +series --- libxpm-3.5.12.orig/.pc/.version +++ libxpm-3.5.12/.pc/.version @@ -0,0 +1 @@ +2 --- libxpm-3.5.12.orig/autogen.sh +++ libxpm-3.5.12/autogen.sh @@ -0,0 +1,14 @@ +#! /bin/sh + +srcdir=`dirname $0` +test -z "$srcdir" && srcdir=. + +ORIGDIR=`pwd` +cd $srcdir + +autoreconf -v --install || exit 1 +cd $ORIGDIR || exit $? + +if test -z "$NOCONFIGURE"; then + $srcdir/configure "$@" +fi --- libxpm-3.5.12.orig/debian/README.source +++ libxpm-3.5.12/debian/README.source @@ -0,0 +1,49 @@ +------------------------------------------------------ +Quick Guide To Patching This Package For The Impatient +------------------------------------------------------ + +1. Make sure you have quilt installed +2. Unpack the package as usual with "dpkg-source -x" +3. Run the "patch" target in debian/rules +4. Create a new patch with "quilt new" (see quilt(1)) +5. Edit all the files you want to include in the patch with "quilt edit" + (see quilt(1)). +6. Write the patch with "quilt refresh" (see quilt(1)) +7. Run the "clean" target in debian/rules + +Alternatively, instead of using quilt directly, you can drop the patch in to +debian/patches and add the name of the patch to debian/patches/series. + +------------------------------------ +Guide To The X Strike Force Packages +------------------------------------ + +The X Strike Force team maintains X packages in git repositories on +git.debian.org in the pkg-xorg subdirectory. Most upstream packages +are actually maintained in git repositories as well, so they often +just need to be pulled into git.debian.org in a "upstream-*" branch. +Otherwise, the upstream sources are manually installed in the Debian +git repository. + +The .orig.tar.gz upstream source file could be generated using this +"upstream-*" branch in the Debian git repository but it is actually +copied from upstream tarballs directly. + +Due to X.org being highly modular, packaging all X.org applications +as their own independent packages would have created too many Debian +packages. For this reason, some X.org applications have been grouped +into larger packages: xutils, xutils-dev, x11-apps, x11-session-utils, +x11-utils, x11-xfs-utils, x11-xkb-utils, x11-xserver-utils. +Most packages, including the X.org server itself and all libraries +and drivers are, however maintained independently. + +The Debian packaging is added by creating the "debian-*" git branch +which contains the aforementioned "upstream-*" branch plus the debian/ +repository files. +When a patch has to be applied to the Debian package, two solutions +are involved: +* If the patch is available in one of the upstream branches, it + may be git'cherry-picked into the Debian repository. In this + case, it appears directly in the .diff.gz. +* Otherwise, the patch is added to debian/patches/ which is managed + with quilt as documented in /usr/share/doc/quilt/README.source. --- libxpm-3.5.12.orig/debian/changelog +++ libxpm-3.5.12/debian/changelog @@ -0,0 +1,270 @@ +libxpm (1:3.5.12-1.1+deb11u1) bullseye-security; urgency=high + + * CVE-2023-43788: out of bounds read in XpmCreateXpmImageFromBuffer() + * CVE-2023-43789: out of bounds read on XPM with corrupted colormap + * Avoid CVE-2023-43786: stack exhaustion in XPutImage() + * Avoid CVE-2023-43787 (integer overflow in XCreateImage) + + -- Julien Cristau Tue, 03 Oct 2023 11:59:05 +0200 + +libxpm (1:3.5.12-1.1~deb11u1) bullseye; urgency=medium + + * Non-maintainer upload. + * Rebuild for bullseye + + -- Salvatore Bonaccorso Wed, 25 Jan 2023 21:19:41 +0100 + +libxpm (1:3.5.12-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix CVE-2022-46285: Infinite loop on unclosed comments + * Fix CVE-2022-44617: Runaway loop with width of 0 and enormous height + * configure: add --disable-open-zfile instead of requiring -DNO_ZPIPE + * Fix CVE-2022-4883: compression commands depend on $PATH + * Prevent a double free in the error code path + * Use gzip -d instead of gunzip + * debian/rules: configure: Set explicitly runtime paths for {,un}compress + and gzip. + + -- Salvatore Bonaccorso Mon, 16 Jan 2023 21:01:44 +0100 + +libxpm (1:3.5.12-1) unstable; urgency=medium + + [ Andreas Boll ] + * New upstream release. + * Let uscan verify tarball signatures. + * Improve package description (Closes: #646992). Thanks, Justin B + Rye! + * Switch URLs to https. + * Remove obsolete xsfbs. + * Add placeholder comment into series file. + * Bump debhelper compat to 10. + - Drop build-deps on dh-autoreconf, automake and libtool. + * Stop passing --disable-silent-rules to configure, debhelper does + that for a while. + * Drop no longer needed dpkg-dev versioned build-dependency. + + [ Emilio Pozuelo Monfort ] + * Switch to -dbgsym packages. + + -- Emilio Pozuelo Monfort Thu, 22 Dec 2016 17:17:47 +0100 + +libxpm (1:3.5.11-1) unstable; urgency=medium + + * New upstream release. + * Rewrite debian/rules using dh, bump compat to 9, drop xsfbs. + * Remove Cyril from Uploaders. + * Bump x11proto-core-dev build-dep per configure.ac. + * Disable silent build rules. + * Override gzip-file-is-not-multi-arch-same-safe for xpm.PS.gz. + + -- Julien Cristau Sun, 13 Jul 2014 12:24:10 +0200 + +libxpm (1:3.5.10-1) unstable; urgency=low + + * Clean up libtool m4 files. + * Revert to shipping the doc as PS instead of PDF, so libxpm-dev can be + Multi-Arch: same. Thanks to Jakub Wilk. + * New upstream release. + * Bump debhelper build-dep to 8.1.3 for ${misc:Pre-Depends}. + + -- Julien Cristau Sat, 21 Apr 2012 11:21:07 +0200 + +libxpm (1:3.5.9-4) unstable; urgency=low + + * Exclude xpmutils from the debug package so it really is multi-arch safe + (closes: #646960). Thanks, Jakub Wilk! + * Don't require fakeroot for debian/rules clean. + * Replace the change from 1:3.5.9-3 with the equivalent fix committed + upstream. + + -- Julien Cristau Mon, 31 Oct 2011 16:41:44 +0100 + +libxpm (1:3.5.9-3) unstable; urgency=low + + * Apply patch from Ubuntu to fix build failure when using ld --no-add- + needed. Closes: #604494. + + -- Steve Langasek Fri, 21 Oct 2011 20:21:48 -0700 + +libxpm (1:3.5.9-2) unstable; urgency=low + + [ Cyril Brulebois ] + * Build xpm.pdf from xpm.PS.gz, and use debian/libxpm-dev.docs to + install it. That's the only available documentation we've got, so + let's ship it (Closes: #466081). + * Add ghostscript build-dep, for ps2pdf. + * Fix typo in long descriptions: specificied → specified. + + [ Julien Cristau ] + * Remove David from Uploaders. + * Drop Pre-Depends on x11-common, only needed for upgrades from the + monolith. + * Drop Replaces on xbase-clients 6.8.x. + + [ Steve Langasek ] + * Build for multiarch. + + -- Steve Langasek Fri, 21 Oct 2011 15:24:28 -0700 + +libxpm (1:3.5.9-1) unstable; urgency=low + + [ Julien Cristau ] + * Remove myself from Uploaders. + * Rename the build directory to not include DEB_BUILD_GNU_TYPE for no + good reason. Thanks, Colin Watson! + + [ Cyril Brulebois ] + * New upstrem release. + * Bump xutils-dev build-dep for new macros. + * Update debian/copyright from upstream COPYING. + * Drop debian/libxpm-dev.docs, xpm.PS is gone. + * Switch from --list-missing to --fail-missing for additional safety. + * Exclude libXpm.la from dh_install accordingly. + * Add myself to Uploaders. + + -- Cyril Brulebois Fri, 19 Nov 2010 10:59:03 +0100 + +libxpm (1:3.5.8-1) unstable; urgency=low + + [ Timo Aaltonen ] + * New upstream release. + * Bump the build-dep on xutils-dev (>= 1:7.5~1). + + [ Julien Cristau ] + * Bump Standards-Version to 3.8.3. + + -- Julien Cristau Wed, 25 Nov 2009 19:31:08 +0100 + +libxpm (1:3.5.7-2) unstable; urgency=low + + [ Julien Cristau ] + * Drop -1 debian revisions from build-deps. + * Bump Standards-Version to 3.7.3. + * Drop the XS- prefix from Vcs-* control fields. + * libxpm4{,-dbg} don't need to depend on x11-common. + * Add xpm.PS.gz to the -dev package (closes: #525551). + * Don't handle nostrip in DEB_BUILD_OPTIONS explicitly, dh_strip does the + right thing. + * Use filter instead of findstring to parse DEB_BUILD_OPTIONS in + debian/rules. + * Add README.source, bump Standards-Version to 3.8.1. + * Run autoreconf at build time. + * Allow parallel builds. + * Move -dbg package to new debug section. + * Don't pass -l and -L options to dh_shlibdeps, it seems to be useless + nowadays. + + [ Brice Goglin ] + * Add a link to www.X.org and a reference to the upstream module + in the long description. + + -- Julien Cristau Wed, 10 Jun 2009 14:59:30 +0200 + +libxpm (1:3.5.7-1) unstable; urgency=low + + * New upstream release. + * Add the upstream URL to debian/copyright. + * Use binary:Version instead of the deprecated Source-Version. + * Add myself to uploaders, and remove Branden with his permission. + + -- Julien Cristau Sat, 25 Aug 2007 10:50:50 +0200 + +libxpm (1:3.5.6-3) unstable; urgency=low + + * Put binary packages in the correct sections. + * Run dh_shlibdeps with -L libxpm4 -l debian/libxpm4/usr/lib so xpmutils + gets a dependency on libxpm4. Fixes bug noticed by checklib. + + -- Julien Cristau Mon, 21 May 2007 17:35:32 +0200 + +libxpm (1:3.5.6-2) unstable; urgency=low + + * Upload to unstable. + * Add XS-Vcs-Browser. + * Remove Fabio from Uploaders, with his permission. + + -- Julien Cristau Wed, 11 Apr 2007 16:31:32 +0200 + +libxpm (1:3.5.6-1) experimental; urgency=low + + * New upstream release. + * Add XS-Vcs-Git header to debian/control. + * Drop obsolete CVS information from the long descriptions. + * Install the upstream changelog. + + -- Julien Cristau Fri, 16 Feb 2007 16:24:44 +0100 + +libxpm (1:3.5.5-2) unstable; urgency=low + + [ Andres Salomon ] + * Test for obj-$(DEB_BUILD_GNU_TYPE) before creating it during build; + idempotency fix. + + [ Drew Parsons ] + * dbg package has priority extra. + + -- David Nusinow Wed, 30 Aug 2006 17:12:38 -0400 + +libxpm (1:3.5.5-1) experimental; urgency=low + + * New upstream release + * Run dh_install with --list-missing + * Bump debhelper compat to 5 + * Remove extra x11-common dep in the -dev package + * Version x11-common pre-dep in the -dev package to use 1:7.0.0 to match the + rest of Debian and shut lintian up + * Add the sxpm and cxpm manpages to xpm-utils + + -- David Nusinow Mon, 3 Jul 2006 19:23:49 -0400 + +libxpm (1:3.5.4.2-3) unstable; urgency=low + + * Reorder makeshlib command in rules file so that ldconfig is run + properly. Thanks Drew Parsons and Steve Langasek. + + -- David Nusinow Tue, 18 Apr 2006 21:50:00 -0400 + +libxpm (1:3.5.4.2-2) unstable; urgency=low + + * Upload to unstable + + -- David Nusinow Thu, 23 Mar 2006 22:45:13 -0500 + +libxpm (1:3.5.4.2-1) experimental; urgency=low + + * First upload to Debian + + -- David Nusinow Thu, 29 Dec 2005 20:54:06 -0500 + +libxpm (1:3.5.2-5) breezy; urgency=low + + * Add a Build-Depends on libxext-dev. For my next stunning move, I'll + actually pay attention to what I'm doing. + + -- Daniel Stone Sat, 23 Jul 2005 01:33:31 +1000 + +libxpm (1:3.5.2-4) breezy; urgency=low + + * Bump Build-Depends on libx11-dev, libxt-dev, libxext-dev and + x11proto-core-dev to avoid _XOPEN_SOURCE. + + -- Daniel Stone Sat, 23 Jul 2005 00:24:13 +1000 + +libxpm (1:3.5.2-3) breezy; urgency=low + + * Fix cat-walks-across-keyboard attack in debian/control. + + -- Daniel Stone Wed, 20 Jul 2005 21:18:57 +1000 + +libxpm (1:3.5.2-2) breezy; urgency=low + + * blah blah xpmutils Replaces: xbase-clients (<< 6.8.2-38) blah blah + + -- Daniel Stone Wed, 20 Jul 2005 18:45:27 +1000 + +libxpm (1:3.5.2-1) breezy; urgency=low + + * First libxpm release. + + -- Daniel Stone Mon, 16 May 2005 22:10:17 +1000 --- libxpm-3.5.12.orig/debian/compat +++ libxpm-3.5.12/debian/compat @@ -0,0 +1 @@ +10 --- libxpm-3.5.12.orig/debian/control +++ libxpm-3.5.12/debian/control @@ -0,0 +1,64 @@ +Source: libxpm +Section: x11 +Priority: optional +Maintainer: Debian X Strike Force +Build-Depends: + debhelper (>= 10), + quilt, + xutils-dev (>= 1:7.5+4), + libx11-dev (>= 1:0.99.2), + libxt-dev (>= 1:0.99.1-5), + x11proto-core-dev (>= 7.0.17), + libxext-dev (>= 1:0.99.1), + pkg-config, +Standards-Version: 3.9.8 +Homepage: https://www.x.org +Vcs-Git: https://anonscm.debian.org/git/pkg-xorg/lib/libxpm.git +Vcs-Browser: https://anonscm.debian.org/git/pkg-xorg/lib/libxpm.git + +Package: libxpm4 +Section: libs +Architecture: any +Multi-Arch: same +Pre-Depends: ${misc:Pre-Depends} +Depends: + ${shlibs:Depends}, + ${misc:Depends}, +Description: X11 pixmap library + The X PixMap image format is an extension of the monochrome X BitMap + format specified in the X protocol, and is commonly used in traditional + X applications. + . + This package provides runtime support for XPM format. + +Package: libxpm-dev +Section: libdevel +Architecture: any +Multi-Arch: same +Depends: + ${shlibs:Depends}, + ${misc:Depends}, + libxpm4 (= ${binary:Version}), + libx11-dev, + x11proto-core-dev, +Description: X11 pixmap library (development headers) + The X PixMap image format is an extension of the monochrome X BitMap + format specified in the X protocol, and is commonly used in traditional + X applications. + . + This package contains the development headers for the libxpm4 library. + Non-developers likely have little use for this package. + +Package: xpmutils +Architecture: any +Pre-Depends: ${misc:Pre-Depends} +Depends: + ${shlibs:Depends}, + ${misc:Depends}, +Description: X11 pixmap utilities + The X PixMap image format is an extension of the monochrome X BitMap + format specified in the X protocol, and is commonly used in traditional + X applications. + . + This package provides two tools: cxpm (to check the integrity of an + XPM file) and sxpm (to view XPM files). --- libxpm-3.5.12.orig/debian/copyright +++ libxpm-3.5.12/debian/copyright @@ -0,0 +1,71 @@ +This package was downloaded from +https://xorg.freedesktop.org/releases/individual/lib/ + +Copyright (C) 1989-95 GROUPE BULL + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to +deal in the Software without restriction, including without limitation the +rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +sell copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +GROUPE BULL BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN +AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +Except as contained in this notice, the name of GROUPE BULL shall not be +used in advertising or otherwise to promote the sale, use or other dealings +in this Software without prior written authorization from GROUPE BULL. + +Copyright (C) 1998 Arnaud LE HORS + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to +deal in the Software without restriction, including without limitation the +rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +sell copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +Arnaud LE HORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +Except as contained in this notice, the name of Arnaud LE HORS shall not be +used in advertising or otherwise to promote the sale, use or other dealings +in this Software without prior written authorization from Arnaud LE HORS. + +Copyright (C) 19896 Lorens Younes + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to +deal in the Software without restriction, including without limitation the +rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +sell copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +Lorens Younes BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +Except as contained in this notice, the name of Lorens Younes shall not be +used in advertising or otherwise to promote the sale, use or other dealings +in this Software without prior written authorization from Lorens Younes. --- libxpm-3.5.12.orig/debian/libxpm-dev.docs +++ libxpm-3.5.12/debian/libxpm-dev.docs @@ -0,0 +1 @@ +doc/xpm.PS.gz --- libxpm-3.5.12.orig/debian/libxpm-dev.install +++ libxpm-3.5.12/debian/libxpm-dev.install @@ -0,0 +1,4 @@ +usr/include/X11/* +usr/lib/*/libXpm.a +usr/lib/*/libXpm.so +usr/lib/*/pkgconfig/xpm.pc --- libxpm-3.5.12.orig/debian/libxpm-dev.lintian-overrides +++ libxpm-3.5.12/debian/libxpm-dev.lintian-overrides @@ -0,0 +1,2 @@ +# we don't touch it, so it's the same on all archs +gzip-file-is-not-multi-arch-same-safe usr/share/doc/libxpm-dev/xpm.PS.gz --- libxpm-3.5.12.orig/debian/libxpm4.install +++ libxpm-3.5.12/debian/libxpm4.install @@ -0,0 +1 @@ +usr/lib/*/libXpm.so.4* --- libxpm-3.5.12.orig/debian/patches/0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch +++ libxpm-3.5.12/debian/patches/0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch @@ -0,0 +1,32 @@ +From 2fa554b01ef6079a9b35df9332bdc4f139ed67e0 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 29 Apr 2023 17:50:39 -0700 +Subject: [PATCH libXpm 1/7] Fix CVE-2023-43788: Out of bounds read in + XpmCreateXpmImageFromBuffer + +When the test case for CVE-2022-46285 was run with the Address Sanitizer +enabled, it found an out-of-bounds read in ParseComment() when reading +from a memory buffer instead of a file, as it continued to look for the +closing comment marker past the end of the buffer. + +Signed-off-by: Alan Coopersmith +--- + src/data.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/data.c b/src/data.c +index 7524e65..0b0f1f3 100644 +--- a/src/data.c ++++ b/src/data.c +@@ -108,7 +108,7 @@ ParseComment(xpmData *data) + n++; + s2++; + } while (c == *s2 && *s2 != '\0' && c); +- if (*s2 == '\0') { ++ if (*s2 == '\0' || c == '\0') { + /* this is the end of the comment */ + notend = 0; + data->cptr--; +-- +2.39.3 + --- libxpm-3.5.12.orig/debian/patches/0002-test-Add-test-case-for-CVE-2023-43789-corrupt-colorm.patch +++ libxpm-3.5.12/debian/patches/0002-test-Add-test-case-for-CVE-2023-43789-corrupt-colorm.patch @@ -0,0 +1,44 @@ +From a21e7bcf0ca3d8c1605b2721a545440260870438 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 29 Apr 2023 18:29:29 -0700 +Subject: [PATCH libXpm 2/7] test: Add test case for CVE-2023-43789 (corrupt + colormap info) + +Generated by clang's -fsanitize/libfuzzer + +Signed-off-by: Alan Coopersmith +--- + test/pixmaps/README.md | 3 +++ + test/pixmaps/invalid/corrupt-colormap.xpm | Bin 0 -> 156 bytes + 2 files changed, 3 insertions(+) + create mode 100644 test/pixmaps/invalid/corrupt-colormap.xpm + +diff --git a/test/pixmaps/README.md b/test/pixmaps/README.md +index f51af00..4f2cbae 100644 +--- a/test/pixmaps/README.md ++++ b/test/pixmaps/README.md +@@ -58,6 +58,9 @@ return XpmFileInvalid when parsed. + - zero-width.xpm & zero-width-v1.xpm - These files declare a width of 0 + and a height of nearly UINT_MAX, to test for CVE-2022-44617 + ++- corrupt-colormap.xpm - This file was generated by the clang libfuzzer, ++ and serves as a test for CVE-2023-43789 ++ + no-mem + ------ + +diff --git a/test/pixmaps/invalid/corrupt-colormap.xpm b/test/pixmaps/invalid/corrupt-colormap.xpm +new file mode 100644 +index 0000000000000000000000000000000000000000..46cd738e8dd3512434130018dc4028fd93d049a0 +GIT binary patch +literal 156 +zcmY++!3u*g5QJf`?j!Uxo(qMBzDA+P_O#fzXmCv+5!9z|jX4Q(8b1C8@7L3iG1&LO +zof_DnAtt&37EwCX6PCfv0wk#GhnWvSpA7ma;&<`Y){aH^;M1& + +literal 0 +HcmV?d00001 + +-- +2.39.3 + --- libxpm-3.5.12.orig/debian/patches/0003-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch +++ libxpm-3.5.12/debian/patches/0003-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch @@ -0,0 +1,36 @@ +From 7e21cb63b9a1ca760a06cc4cd9b19bbc3fcd8f51 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 29 Apr 2023 18:30:34 -0700 +Subject: [PATCH libXpm 3/7] Fix CVE-2023-43789: Out of bounds read on XPM with + corrupted colormap + +Found with clang's libfuzzer + +Signed-off-by: Alan Coopersmith +--- + src/data.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/data.c b/src/data.c +index 0b0f1f3..6e87455 100644 +--- a/src/data.c ++++ b/src/data.c +@@ -259,13 +259,13 @@ xpmNextWord( + int c; + + if (!data->type || data->type == XPMBUFFER) { +- while (isspace(c = *data->cptr) && c != data->Eos) ++ while ((c = *data->cptr) && isspace(c) && (c != data->Eos)) + data->cptr++; + do { + c = *data->cptr++; + *buf++ = c; + n++; +- } while (!isspace(c) && c != data->Eos && n < buflen); ++ } while (c && !isspace(c) && (c != data->Eos) && (n < buflen)); + n--; + data->cptr--; + } else { +-- +2.39.3 + --- libxpm-3.5.12.orig/debian/patches/0004-test-Add-test-case-for-CVE-2023-43786-stack-exhausti.patch +++ libxpm-3.5.12/debian/patches/0004-test-Add-test-case-for-CVE-2023-43786-stack-exhausti.patch @@ -0,0 +1,294 @@ +From edb97396620f019f8d2e707ad3fbaf6bbbd5ed36 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Tue, 5 Sep 2023 17:01:58 -0700 +Subject: [PATCH libXpm 4/7] test: Add test case for CVE-2023-43786 (stack + exhaustion in PutImage) + +Provided by Yair Mizrahi of the JFrog Vulnerability Research team + +Signed-off-by: Alan Coopersmith +--- + test/pixmaps/other/overflow-stackexhaustion.xpm | 277 ++++++++++++++++++++++++ + 1 file changed, 277 insertions(+) + create mode 100644 test/pixmaps/other/overflow-stackexhaustion.xpm + +--- /dev/null ++++ b/test/pixmaps/other/overflow-stackexhaustion.xpm +@@ -0,0 +1,277 @@ ++/* XPM */ ++/* ++ * Copyright (c) 1993, 1995, Oracle and/or its affiliates. ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a ++ * copy of this software and associated documentation files (the "Software"), ++ * to deal in the Software without restriction, including without limitation ++ * the rights to use, copy, modify, merge, publish, distribute, sublicense, ++ * and/or sell copies of the Software, and to permit persons to whom the ++ * Software is furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice (including the next ++ * paragraph) shall be included in all copies or substantial portions of the ++ * Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL ++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING ++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER ++ * DEALINGS IN THE SOFTWARE. ++ */ ++static char * Dimple_pm[] = { ++/* width height ncolors cpp [x_hot y_hot] */ ++"000000090000 1 247 1 1 1", ++/* colors */ ++" s background m black c #ffffffffffff", ++". s topShadowColor m white c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++" ++ s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"} s bottomShadowColor m black c #ffffffffffff", ++"; s bottomShadowColor m black c #ffffffffffff", ++". s bottomShadowColor m black c #ffffffffffff", ++/* pixels */ ++" }; --- libxpm-3.5.12.orig/debian/patches/0005-Avoid-CVE-2023-43786-stack-exhaustion-in-XPutImage.patch +++ libxpm-3.5.12/debian/patches/0005-Avoid-CVE-2023-43786-stack-exhaustion-in-XPutImage.patch @@ -0,0 +1,270 @@ +From 3446b4dbf970223f16f8ea294b723fc2e86bc4c4 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Wed, 6 Sep 2023 17:34:33 -0700 +Subject: [PATCH libXpm 5/7] Avoid CVE-2023-43786: stack exhaustion in + XPutImage() + +This doesn't fix the CVE - that has to happen in libX11, this +just tries to avoid triggering it from libXpm, and saves time +in not pretending we can successfully create an X11 pixmap with +dimensions larger than the unsigned 16-bit integers used in the +X11 protocol for the dimensions. + +Reported by Yair Mizrahi of the JFrog Vulnerability Research team + +Signed-off-by: Alan Coopersmith +--- + src/CrPFrBuf.c | 28 +++++++++++++++++++++++----- + src/CrPFrDat.c | 31 +++++++++++++++++++++++-------- + src/CrPFrI.c | 9 ++++++++- + src/RdFToP.c | 28 +++++++++++++++++++++++----- + src/XpmI.h | 4 ++-- + src/create.c | 28 +++++++++++++++++++++++----- + 6 files changed, 102 insertions(+), 26 deletions(-) + +--- a/src/CrPFrBuf.c ++++ b/src/CrPFrBuf.c +@@ -46,7 +46,7 @@ XpmCreatePixmapFromBuffer( + Pixmap *shapemask_return, + XpmAttributes *attributes) + { +- XImage *ximage, *shapeimage; ++ XImage *ximage = NULL, *shapeimage = NULL; + int ErrorStatus; + + /* initialize return values */ +@@ -63,16 +63,34 @@ XpmCreatePixmapFromBuffer( + attributes); + + if (ErrorStatus < 0) /* fatal error */ +- return (ErrorStatus); ++ goto cleanup; + + /* create the pixmaps and destroy images */ + if (pixmap_return && ximage) { +- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); +- XDestroyImage(ximage); ++ ErrorStatus = ++ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); ++ if (ErrorStatus < 0) /* fatal error */ ++ goto cleanup; + } + if (shapemask_return && shapeimage) { +- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); ++ ErrorStatus = ++ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); ++ } ++ ++ cleanup: ++ if (ximage != NULL) ++ XDestroyImage(ximage); ++ if (shapeimage != NULL) + XDestroyImage(shapeimage); ++ if (ErrorStatus < 0) { ++ if (pixmap_return && *pixmap_return) { ++ XFreePixmap(display, *pixmap_return); ++ *pixmap_return = 0; ++ } ++ if (shapemask_return && *shapemask_return) { ++ XFreePixmap(display, *shapemask_return); ++ *shapemask_return = 0; ++ } + } + return (ErrorStatus); + } +--- a/src/CrPFrDat.c ++++ b/src/CrPFrDat.c +@@ -46,7 +46,7 @@ XpmCreatePixmapFromData( + Pixmap *shapemask_return, + XpmAttributes *attributes) + { +- XImage *ximage, *shapeimage; ++ XImage *ximage = NULL, *shapeimage = NULL; + int ErrorStatus; + + /* initialize return values */ +@@ -63,19 +63,34 @@ XpmCreatePixmapFromData( + attributes); + + if (ErrorStatus != XpmSuccess) +- return (ErrorStatus); +- +- if (ErrorStatus < 0) /* fatal error */ +- return (ErrorStatus); ++ goto cleanup; + + /* create the pixmaps and destroy images */ + if (pixmap_return && ximage) { +- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); +- XDestroyImage(ximage); ++ ErrorStatus = ++ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); ++ if (ErrorStatus < 0) /* fatal error */ ++ goto cleanup; + } + if (shapemask_return && shapeimage) { +- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); ++ ErrorStatus = ++ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); ++ } ++ ++ cleanup: ++ if (ximage != NULL) ++ XDestroyImage(ximage); ++ if (shapeimage != NULL) + XDestroyImage(shapeimage); ++ if (ErrorStatus < 0) { ++ if (pixmap_return && *pixmap_return) { ++ XFreePixmap(display, *pixmap_return); ++ *pixmap_return = 0; ++ } ++ if (shapemask_return && *shapemask_return) { ++ XFreePixmap(display, *shapemask_return); ++ *shapemask_return = 0; ++ } + } + return (ErrorStatus); + } +--- a/src/CrPFrI.c ++++ b/src/CrPFrI.c +@@ -37,7 +37,7 @@ + #endif + #include "XpmI.h" + +-void ++int + xpmCreatePixmapFromImage( + Display *display, + Drawable d, +@@ -47,6 +47,11 @@ xpmCreatePixmapFromImage( + GC gc; + XGCValues values; + ++ /* X Pixmaps are limited to unsigned 16-bit height/width */ ++ if ((ximage->width > UINT16_MAX) || (ximage->height > UINT16_MAX)) { ++ return XpmNoMemory; ++ } ++ + *pixmap_return = XCreatePixmap(display, d, ximage->width, + ximage->height, ximage->depth); + /* set fg and bg in case we have an XYBitmap */ +@@ -59,4 +64,6 @@ xpmCreatePixmapFromImage( + ximage->width, ximage->height); + + XFreeGC(display, gc); ++ ++ return XpmSuccess; + } +--- a/src/RdFToP.c ++++ b/src/RdFToP.c +@@ -46,7 +46,7 @@ XpmReadFileToPixmap( + Pixmap *shapemask_return, + XpmAttributes *attributes) + { +- XImage *ximage, *shapeimage; ++ XImage *ximage = NULL, *shapeimage = NULL; + int ErrorStatus; + + /* initialize return values */ +@@ -62,16 +62,34 @@ XpmReadFileToPixmap( + attributes); + + if (ErrorStatus < 0) /* fatal error */ +- return (ErrorStatus); ++ goto cleanup; + + /* create the pixmaps and destroy images */ + if (pixmap_return && ximage) { +- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); +- XDestroyImage(ximage); ++ ErrorStatus = ++ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); ++ if (ErrorStatus < 0) /* fatal error */ ++ goto cleanup; + } + if (shapemask_return && shapeimage) { +- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); ++ ErrorStatus = ++ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); ++ } ++ ++ cleanup: ++ if (ximage != NULL) ++ XDestroyImage(ximage); ++ if (shapeimage != NULL) + XDestroyImage(shapeimage); ++ if (ErrorStatus < 0) { ++ if (pixmap_return && *pixmap_return) { ++ XFreePixmap(display, *pixmap_return); ++ *pixmap_return = 0; ++ } ++ if (shapemask_return && *shapemask_return) { ++ XFreePixmap(display, *shapemask_return); ++ *shapemask_return = 0; ++ } + } + return (ErrorStatus); + } +--- a/src/XpmI.h ++++ b/src/XpmI.h +@@ -188,8 +188,8 @@ FUNC(xpmSetAttributes, void, (XpmAttribu + XpmInfo *info)); + + #if !defined(FOR_MSW) && !defined(AMIGA) +-FUNC(xpmCreatePixmapFromImage, void, (Display *display, Drawable d, +- XImage *ximage, Pixmap *pixmap_return)); ++FUNC(xpmCreatePixmapFromImage, int, (Display *display, Drawable d, ++ XImage *ximage, Pixmap *pixmap_return)); + + FUNC(xpmCreateImageFromPixmap, void, (Display *display, Pixmap pixmap, + XImage **ximage_return, +--- a/src/create.c ++++ b/src/create.c +@@ -1652,7 +1652,7 @@ XpmCreatePixmapFromXpmImage( + Pixmap *shapemask_return, + XpmAttributes *attributes) + { +- XImage *ximage, *shapeimage; ++ XImage *ximage = NULL, *shapeimage = NULL; + int ErrorStatus; + + /* initialize return values */ +@@ -1668,16 +1668,34 @@ XpmCreatePixmapFromXpmImage( + &shapeimage : NULL), + attributes); + if (ErrorStatus < 0) +- return (ErrorStatus); ++ goto cleanup; + + /* create the pixmaps and destroy images */ + if (pixmap_return && ximage) { +- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); +- XDestroyImage(ximage); ++ ErrorStatus = ++ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); ++ if (ErrorStatus < 0) /* fatal error */ ++ goto cleanup; + } + if (shapemask_return && shapeimage) { +- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); ++ ErrorStatus = ++ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); ++ } ++ ++ cleanup: ++ if (ximage != NULL) ++ XDestroyImage(ximage); ++ if (shapeimage != NULL) + XDestroyImage(shapeimage); ++ if (ErrorStatus < 0) { ++ if (pixmap_return && *pixmap_return) { ++ XFreePixmap(display, *pixmap_return); ++ *pixmap_return = 0; ++ } ++ if (shapemask_return && *shapemask_return) { ++ XFreePixmap(display, *shapemask_return); ++ *shapemask_return = 0; ++ } + } + return (ErrorStatus); + } --- libxpm-3.5.12.orig/debian/patches/0006-test-Add-test-case-for-CVE-2023-43787-integer-overfl.patch +++ libxpm-3.5.12/debian/patches/0006-test-Add-test-case-for-CVE-2023-43787-integer-overfl.patch @@ -0,0 +1,48 @@ +From ec92147890b7985756d8917c25363777de4599fe Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Thu, 7 Sep 2023 16:55:25 -0700 +Subject: [PATCH libXpm 6/7] test: Add test case for CVE-2023-43787 (integer + overflow in XCreateImage) + +Provided by Yair Mizrahi of the JFrog Vulnerability Research team + +Signed-off-by: Alan Coopersmith +--- + test/pixmaps/invalid/width-overflow.xpm | 31 +++++++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + create mode 100644 test/pixmaps/invalid/width-overflow.xpm + +--- /dev/null ++++ b/test/pixmaps/invalid/width-overflow.xpm +@@ -0,0 +1,31 @@ ++/* XPM */ ++/* ++ * Copyright (c) 1993, 1995, Oracle and/or its affiliates. ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a ++ * copy of this software and associated documentation files (the "Software"), ++ * to deal in the Software without restriction, including without limitation ++ * the rights to use, copy, modify, merge, publish, distribute, sublicense, ++ * and/or sell copies of the Software, and to permit persons to whom the ++ * Software is furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice (including the next ++ * paragraph) shall be included in all copies or substantial portions of the ++ * Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL ++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING ++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER ++ * DEALINGS IN THE SOFTWARE. ++ */ ++static char * Dimple_pm[] = { ++/* width height ncolors cpp [x_hot y_hot] */ ++"536871019 1 2 1 1 1", ++/* colors */ ++" c #40a100", ++". c #434241", ++/* pixels */ ++" .................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... --- libxpm-3.5.12.orig/debian/patches/0007-Avoid-CVE-2023-43787-integer-overflow-in-XCreateImag.patch +++ libxpm-3.5.12/debian/patches/0007-Avoid-CVE-2023-43787-integer-overflow-in-XCreateImag.patch @@ -0,0 +1,36 @@ +From 3bc3d486bcdb1d95bcb0ebc7d6fe5a18dc4eee95 Mon Sep 17 00:00:00 2001 +From: Yair Mizrahi +Date: Thu, 7 Sep 2023 16:59:07 -0700 +Subject: [PATCH libXpm 7/7] Avoid CVE-2023-43787 (integer overflow in + XCreateImage) + +This doesn't fix the CVE - that has to happen in libX11, this +just tries to avoid triggering it from libXpm, and saves time +in not pretending we can successfully create an X Image for +which the width * depth would overflow the signed int used to +store the bytes_per_line value. + +Signed-off-by: Alan Coopersmith +--- + src/create.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/create.c b/src/create.c +index ec562b2..b8c80d2 100644 +--- a/src/create.c ++++ b/src/create.c +@@ -997,6 +997,11 @@ CreateXImage( + *image_return = NULL; + return XpmNoMemory; + } ++ if (width != 0 && (*image_return)->bits_per_pixel >= INT_MAX / width) { ++ XDestroyImage(*image_return); ++ *image_return = NULL; ++ return XpmNoMemory; ++ } + /* now that bytes_per_line must have been set properly alloc data */ + if((*image_return)->bytes_per_line == 0 || height == 0) { + XDestroyImage(*image_return); +-- +2.39.3 + --- libxpm-3.5.12.orig/debian/patches/Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch +++ libxpm-3.5.12/debian/patches/Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch @@ -0,0 +1,143 @@ +From 198839ca64dc117b35339f38c83d483ab6b561b6 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 7 Jan 2023 12:44:28 -0800 +Subject: Fix CVE-2022-44617: Runaway loop with width of 0 and enormous height + +When reading XPM images from a file with libXpm 3.5.14 or older, if a +image has a width of 0 and a very large height, the ParsePixels() function +will loop over the entire height calling getc() and ungetc() repeatedly, +or in some circumstances, may loop seemingly forever, which may cause a +denial of service to the calling program when given a small crafted XPM +file to parse. + +Closes: #2 + +Reported-by: Martin Ettl +Signed-off-by: Alan Coopersmith +--- + src/data.c | 20 ++++++++++++++------ + src/parse.c | 31 +++++++++++++++++++++++++++---- + 2 files changed, 41 insertions(+), 10 deletions(-) + +--- a/src/data.c ++++ b/src/data.c +@@ -195,19 +195,23 @@ xpmNextString(xpmData *data) + register char c; + + /* get to the end of the current string */ +- if (data->Eos) +- while ((c = *data->cptr++) && c != data->Eos); ++ if (data->Eos) { ++ while ((c = *data->cptr++) && c != data->Eos && c != '\0'); ++ ++ if (c == '\0') ++ return XpmFileInvalid; ++ } + + /* + * then get to the beginning of the next string looking for possible + * comment + */ + if (data->Bos) { +- while ((c = *data->cptr++) && c != data->Bos) ++ while ((c = *data->cptr++) && c != data->Bos && c != '\0') + if (data->Bcmt && c == data->Bcmt[0]) + ParseComment(data); + } else if (data->Bcmt) { /* XPM2 natural */ +- while ((c = *data->cptr++) == data->Bcmt[0]) ++ while (((c = *data->cptr++) == data->Bcmt[0]) && c != '\0') + ParseComment(data); + data->cptr--; + } +@@ -216,9 +220,13 @@ xpmNextString(xpmData *data) + FILE *file = data->stream.file; + + /* get to the end of the current string */ +- if (data->Eos) ++ if (data->Eos) { + while ((c = Getc(data, file)) != data->Eos && c != EOF); + ++ if (c == EOF) ++ return XpmFileInvalid; ++ } ++ + /* + * then get to the beginning of the next string looking for possible + * comment +@@ -234,7 +242,7 @@ xpmNextString(xpmData *data) + Ungetc(data, c, file); + } + } +- return 0; ++ return XpmSuccess; + } + + +--- a/src/parse.c ++++ b/src/parse.c +@@ -391,6 +391,13 @@ ParsePixels( + { + unsigned int *iptr, *iptr2 = NULL; /* found by Egbert Eich */ + unsigned int a, x, y; ++ int ErrorStatus; ++ ++ if ((width == 0) && (height != 0)) ++ return (XpmFileInvalid); ++ ++ if ((height == 0) && (width != 0)) ++ return (XpmFileInvalid); + + if ((height > 0 && width >= UINT_MAX / height) || + width * height >= UINT_MAX / sizeof(unsigned int)) +@@ -428,7 +435,11 @@ ParsePixels( + colidx[(unsigned char)colorTable[a].string[0]] = a + 1; + + for (y = 0; y < height; y++) { +- xpmNextString(data); ++ ErrorStatus = xpmNextString(data); ++ if (ErrorStatus != XpmSuccess) { ++ XpmFree(iptr2); ++ return (ErrorStatus); ++ } + for (x = 0; x < width; x++, iptr++) { + int c = xpmGetC(data); + +@@ -475,7 +486,11 @@ do \ + } + + for (y = 0; y < height; y++) { +- xpmNextString(data); ++ ErrorStatus = xpmNextString(data); ++ if (ErrorStatus != XpmSuccess) { ++ XpmFree(iptr2); ++ return (ErrorStatus); ++ } + for (x = 0; x < width; x++, iptr++) { + int cc1 = xpmGetC(data); + if (cc1 > 0 && cc1 < 256) { +@@ -515,7 +530,11 @@ do \ + xpmHashAtom *slot; + + for (y = 0; y < height; y++) { +- xpmNextString(data); ++ ErrorStatus = xpmNextString(data); ++ if (ErrorStatus != XpmSuccess) { ++ XpmFree(iptr2); ++ return (ErrorStatus); ++ } + for (x = 0; x < width; x++, iptr++) { + for (a = 0, s = buf; a < cpp; a++, s++) { + int c = xpmGetC(data); +@@ -535,7 +554,11 @@ do \ + } + } else { + for (y = 0; y < height; y++) { +- xpmNextString(data); ++ ErrorStatus = xpmNextString(data); ++ if (ErrorStatus != XpmSuccess) { ++ XpmFree(iptr2); ++ return (ErrorStatus); ++ } + for (x = 0; x < width; x++, iptr++) { + for (a = 0, s = buf; a < cpp; a++, s++) { + int c = xpmGetC(data); --- libxpm-3.5.12.orig/debian/patches/Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch +++ libxpm-3.5.12/debian/patches/Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch @@ -0,0 +1,36 @@ +From 4636007dd4cebca8ee10738a7833f629d8687529 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 17 Dec 2022 12:23:45 -0800 +Subject: Fix CVE-2022-46285: Infinite loop on unclosed comments + +When reading XPM images from a file with libXpm 3.5.14 or older, if a +comment in the file is not closed (i.e. a C-style comment starts with +"/*" and is missing the closing "*/"), the ParseComment() function will +loop forever calling getc() to try to read the rest of the comment, +failing to notice that it has returned EOF, which may cause a denial of +service to the calling program. + +Reported-by: Marco Ivaldi +Signed-off-by: Alan Coopersmith +--- + src/data.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/data.c b/src/data.c +index 898889c..bfad4ff 100644 +--- a/src/data.c ++++ b/src/data.c +@@ -174,6 +174,10 @@ ParseComment(xpmData *data) + notend = 0; + Ungetc(data, *s, file); + } ++ else if (c == EOF) { ++ /* hit end of file before the end of the comment */ ++ return XpmFileInvalid; ++ } + } + return 0; + } +-- +2.15.2 + --- libxpm-3.5.12.orig/debian/patches/Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch +++ libxpm-3.5.12/debian/patches/Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch @@ -0,0 +1,114 @@ +From 082a080672c3b8a964aa8100bee41930e12b03fa Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Fri, 6 Jan 2023 12:50:48 -0800 +Subject: Fix CVE-2022-4883: compression commands depend on $PATH + +By default, on all platforms except MinGW, libXpm will detect if a +filename ends in .Z or .gz, and will when reading such a file fork off +an uncompress or gunzip command to read from via a pipe, and when +writing such a file will fork off a compress or gzip command to write +to via a pipe. + +In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH +to find the commands. If libXpm is called from a program running with +raised privileges, such as via setuid, then a malicious user could set +$PATH to include programs of their choosing to be run with those +privileges. + +Signed-off-by: Alan Coopersmith +--- + README.md | 12 ++++++++++++ + configure.ac | 14 ++++++++++++++ + src/RdFToI.c | 17 ++++++++++++++--- + src/WrFFrI.c | 4 ++-- + 4 files changed, 42 insertions(+), 5 deletions(-) + +--- a/configure.ac ++++ b/configure.ac +@@ -48,6 +48,14 @@ if test "x$USE_GETTEXT" = "xyes" ; then + fi + AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes") + ++dnl Helper macro to find absolute path to program and add a #define for it ++AC_DEFUN([XPM_PATH_PROG],[ ++AC_PATH_PROG([$1], [$2], []) ++AS_IF([test "x$$1" = "x"], ++ [AC_MSG_ERROR([$2 not found, set $1 or use --disable-stat-zfile])]) ++AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path to $2]) ++]) dnl End of AC_DEFUN([XPM_PATH_PROG]... ++ + # Optional feature: When a filename ending in .Z or .gz is requested, + # open a pipe to a newly forked compress/uncompress/gzip/gunzip command to + # handle it. +@@ -63,6 +71,12 @@ AC_ARG_ENABLE(open-zfile, + AC_MSG_RESULT([$OPEN_ZFILE]) + if test x$OPEN_ZFILE = xno ; then + AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes]) ++else ++ XPM_PATH_PROG([XPM_PATH_COMPRESS], [compress]) ++ XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress]) ++ XPM_PATH_PROG([XPM_PATH_GZIP], [gzip]) ++ XPM_PATH_PROG([XPM_PATH_GUNZIP], [gunzip]) ++ AC_CHECK_FUNCS([closefrom close_range], [break]) + fi + + # Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz +--- a/src/RdFToI.c ++++ b/src/RdFToI.c +@@ -43,6 +43,7 @@ + #include + #include + #include ++#include + #else + #ifdef FOR_MSW + #include +@@ -161,7 +162,17 @@ xpmPipeThrough( + goto err; + if ( 0 == pid ) + { +- execlp(cmd, cmd, arg1, (char *)NULL); ++#ifdef HAVE_CLOSEFROM ++ closefrom(3); ++#elif defined(HAVE_CLOSE_RANGE) ++# ifdef CLOSE_RANGE_UNSHARE ++# define close_range_flags CLOSE_RANGE_UNSHARE ++# else ++# define close_range_flags 0 ++#endif ++ close_range(3, ~0U, close_range_flags); ++#endif ++ execl(cmd, cmd, arg1, (char *)NULL); + perror(cmd); + goto err; + } +@@ -235,12 +246,12 @@ OpenReadFile( + if ( ext && !strcmp(ext, ".Z") ) + { + mdata->type = XPMPIPE; +- mdata->stream.file = xpmPipeThrough(fd, "uncompress", "-c", "r"); ++ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_UNCOMPRESS, "-c", "r"); + } + else if ( ext && !strcmp(ext, ".gz") ) + { + mdata->type = XPMPIPE; +- mdata->stream.file = xpmPipeThrough(fd, "gunzip", "-qc", "r"); ++ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GUNZIP, "-qc", "r"); + } + else + #endif /* z-files */ +--- a/src/WrFFrI.c ++++ b/src/WrFFrI.c +@@ -336,10 +336,10 @@ OpenWriteFile( + #ifndef NO_ZPIPE + len = strlen(filename); + if (len > 2 && !strcmp(".Z", filename + (len - 2))) { +- mdata->stream.file = xpmPipeThrough(fd, "compress", NULL, "w"); ++ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_COMPRESS, NULL, "w"); + mdata->type = XPMPIPE; + } else if (len > 3 && !strcmp(".gz", filename + (len - 3))) { +- mdata->stream.file = xpmPipeThrough(fd, "gzip", "-q", "w"); ++ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-q", "w"); + mdata->type = XPMPIPE; + } else + #endif --- libxpm-3.5.12.orig/debian/patches/Prevent-a-double-free-in-the-error-code-path.patch +++ libxpm-3.5.12/debian/patches/Prevent-a-double-free-in-the-error-code-path.patch @@ -0,0 +1,39 @@ +From 1b01c4424bec256116f8e8283430eb241e3f5d99 Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 12 Jan 2023 15:05:39 +1000 +Subject: Prevent a double free in the error code path + +xpmParseDataAndCreate() calls XDestroyImage() in the error path. +Reproducible with sxpm "zero-width.xpm", that file is in the test/ +directory. + +The same approach is needed in the bytes_per_line == 0 condition though +here it just plugs a memory leak. +--- + src/create.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/create.c b/src/create.c +index 4a85c78..f92ffef 100644 +--- a/src/create.c ++++ b/src/create.c +@@ -994,11 +994,15 @@ CreateXImage( + #if !defined(FOR_MSW) && !defined(AMIGA) + if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) { + XDestroyImage(*image_return); ++ *image_return = NULL; + return XpmNoMemory; + } + /* now that bytes_per_line must have been set properly alloc data */ +- if((*image_return)->bytes_per_line == 0 || height == 0) ++ if((*image_return)->bytes_per_line == 0 || height == 0) { ++ XDestroyImage(*image_return); ++ *image_return = NULL; + return XpmNoMemory; ++ } + (*image_return)->data = + (char *) XpmMalloc((*image_return)->bytes_per_line * height); + +-- +2.39.0 + --- libxpm-3.5.12.orig/debian/patches/Use-gzip-d-instead-of-gunzip.patch +++ libxpm-3.5.12/debian/patches/Use-gzip-d-instead-of-gunzip.patch @@ -0,0 +1,50 @@ +From 8178eb0834d82242e1edbc7d4fb0d1b397569c68 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Mon, 16 Jan 2023 19:44:52 +1000 +Subject: Use gzip -d instead of gunzip + +GNU gunzip [1] is a shell script that exec's `gzip -d`. Even if we call +/usr/bin/gunzip with the correct built-in path, the actual gzip call +will use whichever gzip it finds first, making our patch pointless. + +Fix this by explicitly calling gzip -d instead. + +https://git.savannah.gnu.org/cgit/gzip.git/tree/gunzip.in + +[Part of the fix for CVE-2022-4883] +Signed-off-by: Peter Hutterer +--- + configure.ac | 3 +-- + src/RdFToI.c | 2 +- + 2 files changed, 2 insertions(+), 3 deletions(-) + +--- a/configure.ac ++++ b/configure.ac +@@ -57,7 +57,7 @@ AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path + ]) dnl End of AC_DEFUN([XPM_PATH_PROG]... + + # Optional feature: When a filename ending in .Z or .gz is requested, +-# open a pipe to a newly forked compress/uncompress/gzip/gunzip command to ++# open a pipe to a newly forked compress/uncompress/gzip command to + # handle it. + AC_MSG_CHECKING([whether to handle compressed pixmaps]) + case $host_os in +@@ -75,7 +75,6 @@ else + XPM_PATH_PROG([XPM_PATH_COMPRESS], [compress]) + XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress]) + XPM_PATH_PROG([XPM_PATH_GZIP], [gzip]) +- XPM_PATH_PROG([XPM_PATH_GUNZIP], [gunzip]) + AC_CHECK_FUNCS([closefrom close_range], [break]) + fi + +--- a/src/RdFToI.c ++++ b/src/RdFToI.c +@@ -251,7 +251,7 @@ OpenReadFile( + else if ( ext && !strcmp(ext, ".gz") ) + { + mdata->type = XPMPIPE; +- mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GUNZIP, "-qc", "r"); ++ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-dqc", "r"); + } + else + #endif /* z-files */ --- libxpm-3.5.12.orig/debian/patches/configure-add-disable-open-zfile-instead-of-requirin.patch +++ libxpm-3.5.12/debian/patches/configure-add-disable-open-zfile-instead-of-requirin.patch @@ -0,0 +1,65 @@ +From 4841039e5385f264d12757903894f47c64f59361 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Thu, 5 Jan 2023 15:42:36 -0800 +Subject: configure: add --disable-open-zfile instead of requiring -DNO_ZPIPE + +Documents the two compression options in the README, makes their +configure options reflect the interdependency of their implementation, +and makes the configure script report their configuration. + +Signed-off-by: Alan Coopersmith +--- + configure.ac | 36 +++++++++++++++++++++++------------- + 1 file changed, 23 insertions(+), 13 deletions(-) + +--- a/configure.ac ++++ b/configure.ac +@@ -48,25 +48,35 @@ if test "x$USE_GETTEXT" = "xyes" ; then + fi + AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes") + ++# Optional feature: When a filename ending in .Z or .gz is requested, ++# open a pipe to a newly forked compress/uncompress/gzip/gunzip command to ++# handle it. ++AC_MSG_CHECKING([whether to handle compressed pixmaps]) ++case $host_os in ++ *mingw*) zpipe_default="no" ;; ++ *) zpipe_default="yes" ;; ++esac ++AC_ARG_ENABLE(open-zfile, ++ AS_HELP_STRING([--enable-open-zfile], ++ [Search for files with .Z & .gz extensions automatically @<:@default=auto@:>@]), ++ [OPEN_ZFILE=$enableval], [OPEN_ZFILE=yes]) ++AC_MSG_RESULT([$OPEN_ZFILE]) ++if test x$OPEN_ZFILE = xno ; then ++ AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes]) ++fi ++ + # Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz + # Replaces ZFILEDEF = -DSTAT_ZFILE in old Imakefile ++AC_MSG_CHECKING([whether to search for compressed pixmaps]) + AC_ARG_ENABLE(stat-zfile, +- AS_HELP_STRING([--enable-stat-zfile], +- [Search for files with .Z & .gz extensions automatically @<:@default=yes@:>@]), +- [STAT_ZFILE=$enableval], [STAT_ZFILE=yes]) ++ AS_HELP_STRING([--enable-stat-zfile], ++ [Search for files with .Z & .gz extensions automatically @<:@default=auto@:>@]), ++ [STAT_ZFILE=$enableval], [STAT_ZFILE=$OPEN_ZFILE]) ++AC_MSG_RESULT([$STAT_ZFILE]) + if test x$STAT_ZFILE = xyes ; then +- AC_DEFINE(STAT_ZFILE, 1, [Define to 1 to automatically look for files with .Z & .gz extensions]) ++ AC_DEFINE(STAT_ZFILE, 1, [Define to 1 to automatically look for files with .Z & .gz extensions]) + fi + +- +-case $host_os in +- *mingw*) +- AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes]) +- ;; +- *) +- ;; +-esac +- + AC_CONFIG_FILES([Makefile + doc/Makefile + include/Makefile --- libxpm-3.5.12.orig/debian/patches/series +++ libxpm-3.5.12/debian/patches/series @@ -0,0 +1,14 @@ +Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch +Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch +configure-add-disable-open-zfile-instead-of-requirin.patch +Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch +Prevent-a-double-free-in-the-error-code-path.patch +Use-gzip-d-instead-of-gunzip.patch +0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch +#0002-test-Add-test-case-for-CVE-2023-43789-corrupt-colorm.patch +0003-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch +0004-test-Add-test-case-for-CVE-2023-43786-stack-exhausti.patch +0005-Avoid-CVE-2023-43786-stack-exhaustion-in-XPutImage.patch +0006-test-Add-test-case-for-CVE-2023-43787-integer-overfl.patch +0007-Avoid-CVE-2023-43787-integer-overflow-in-XCreateImag.patch +stdint.patch --- libxpm-3.5.12.orig/debian/patches/stdint.patch +++ libxpm-3.5.12/debian/patches/stdint.patch @@ -0,0 +1,14 @@ +--- + src/CrPFrI.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/src/CrPFrI.c ++++ b/src/CrPFrI.c +@@ -36,6 +36,7 @@ + #include + #endif + #include "XpmI.h" ++#include + + int + xpmCreatePixmapFromImage( --- libxpm-3.5.12.orig/debian/rules +++ libxpm-3.5.12/debian/rules @@ -0,0 +1,10 @@ +#!/usr/bin/make -f + +%: + dh $@ --with quilt --builddirectory=build/ + +override_dh_auto_configure: + dh_auto_configure -- XPM_PATH_COMPRESS=/usr/bin/compress XPM_PATH_UNCOMPRESS=/bin/uncompress XPM_PATH_GZIP=/bin/gzip + +override_dh_install: + dh_install --fail-missing -XlibXpm.la --- libxpm-3.5.12.orig/debian/upstream/signing-key.asc +++ libxpm-3.5.12/debian/upstream/signing-key.asc @@ -0,0 +1,64 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFeKY50BEADAX0lod3IVceb/IWJn3kTAcO2P7PWlcBiyUDaq5b2kFkliKleZ +ec4LoCHakQBlkRBMPNwOOxvADNk3tLQjBDpbYr6lQIrN+AxMGkXBhJ82T3bsDvlj +3Z1wRJ1zVA7eMIktsk0FAoJxV1y7e3sBKcP0eTlXqXvR2djhi+FW+ueJDAJIFSkb +uFirgwtX5t8nt8jCmIl75KNUKOakoENY3hLWtr16W8fO1JGkEhghI2mXcz664KTd +MPZp6JH0/8UHTHzmATOCTqNxoDtMTi2l5059Lh/nhmso9moTYqyKmaJP2rnZUr62 +97sRMG4WcxaYfWpPyO3MCmDyGeh4sW0OC06PpED3i9xMzf/kMkMdY4ZIFcLRcPtf +LIJhw+lc/GE1Rqe961IB5xCgnZezB7ZIL+ZlOAMwKGkq7lLbcZr2QZn84lpABKF0 +AvxECoJ4etmIcdbDVmsw18AhA3u9sr98hS5IXDyeos3Xwz6Abml8aPrhqhkKvo+J +Kcq9FNYHg0RRlos0TqocjDzGnUjEYrmIopLcwIu2SnsNSJTygZGtqrpT+2sGEqvm +k6Oyk95QCa580zqldvxe3CG0vrAfPvoG7irllM68TS4JcqqDHTq6eupUv9ZdIzXf +eyTHa5cytGahgVtUcui1lzqcCBkqwN8TKl+0wCcEnxRasHJy3A2Gp+AG3wARAQAB +tCJNYXR0aGlldSBIZXJyYiA8bWF0dGhpZXVAaGVycmIuZXU+iQI+BBMBAgAoBQJX +imOdAhsDBQkDwmcABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBoc5PuN9Eo ++PF1EACldzZPNYaC9H5E9sMn9pMsJTucBYVUy74Aw6MWAiAzRpxb9DmySmC2oEYW +JJkwDTwv6M0Na0ed6zD79GKtAalORz2GppZpS7uoINClElWoM5TCYph6linyv9Wj +OTlcbpX0Jqw0tdHNI2UOEjvBP3vW9kVYpEhfnHET8Ncp55j1hzoqxOhGIBE/67zc +cLAenONAvA3YN3tHTGaOaFv+vuCFRJx9FpKbGHmdUPd3MtLqtaA4EQvDvDEholEI +eWrjmdXJibSet6Amc5AIdFaQevZiADjjMh8MINw/6OEy9OB4s+z1RzgOrHgLiIZm +dlP6WrNjXQwl2gmNPhctGaSHM+j2+3gckNGlI4LQYxNtKvI4iv/CoHDYmwgrcrZO +TwFHfqt0LwqjpsU203Hw609oWYcxLeGZdITBjDz20UcfsmKQDqrBq3P1FuC5GBW3 +5bEa3wAhyE+/WKhJ94bXiHmpKsp50va3bEe17uQcYd8+E8L53aR7XP87qaHx//Mu ++OQa5Wc2d1OFHf1Mi62nbzr7pws/Mf7OSf/tnhRthuwtlfYnsUVo8usUKL/xStqo +Ul4kc/Q81AlyaZfr7dbxsQWm2q3ksLaMaAxnk0p+kMXVzXZ9GKNOgUOJdbahORs5 +RU2f44xzfNavb63u3McADtaXskl+KHB4uDbGbGESVhm5PULk37QnTWF0dGhpZXUg +SGVycmIgPG1hdHRoaWV1LmhlcnJiQGxhYXMuZnI+iQI+BBMBAgAoBQJXlJ63AhsD +BQkDwmcABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBoc5PuN9Eo+PKID/wM +II+2d11clp1X7eZgkxkAHUhI2W3NSesuFnjkkQRKQoVMokDdeSOkBhMJuWoFfbZk +jYs2VHU9029rDqcoDSqGwo2IffvrXXJ4SjOTjlvXS1lr/H2VdWRbq8ImnDwSsoiD +dWB3dZyqzf7ABKZ7ccA+NMSs6NxeEN/0+0sTJ386Zp480ByNX0uPqYSq5lX/VEke +nI8r02u2ZfuykhGkT0sM013VprfYLa+6HvF+QT9KfP220mqRbonaDkYvCxwjCMzd +rUmvyqw3VsooUpg/W/PmDNeShSuOxebaGnFyGTNvTarElCBdynFD01dqOecOqfY8 +gy+PJ1aF1qjmf+RQD/SZq+gvgyXqyBhJy7zgJnzzNWzDlUIw0ZOLyZxzFR7lRV79 +2mrGgczlQr5rLAgBy2pgwsCmP7nFx50r4ft2juugnQixoOBU/YfhBplM76EROaCc +MTs5nPEqzJ9p4SNkPcK8AroR2Ka3+f7t+XOoHpx/XhJOBYlPaUmoFkWKr0Y8BWWh +1nJxyFKrSNbwUgam8ypZzwzbI1vDiX8Ol6NpEeOLwzFNT0pyTdC9UN93M1VIyKWC +1vaeMogUREKT6SmDjRn3fISktZ0IGVf2AnFMhtgZ46TJO4BZgDdZAjTkZc/lP0yF +Nl6MpGwnaymmL50ckT77OdlfIcXFwvNPFwWlFPlcyrkCDQRXimOdARAA4otssvZm +sKg+g0bVyJHhn/YOHLYMih+Xf07xJHyalH0UCGnGdHZwl0B97G950SwQ7yVXtGa9 +CAPe97clE6dPD6jaumQ13BHavXM+ThgjCe8V56ayYcdzqFkxlCx0Uocoa63G0/cE +TiOqeqhNZs8JY+D7l83jCa4lU/1pLusbkCpCQ7d5/FFLz7QSihzJWp+UTsjbNik5 +spaseEMGFRKUcB3SZ/l1dTgc0wBQ1hlvLX+h4/sG0iUs1pVpo5ORC+bUfWRokl96 +uj5QZz5rY21FaNSP1rB1HKHNkwhxifBCHQMhYGTXvD7GH+JNyF2TdRmo7eBCfAPJ +aP3mX9t2SkCipdSsUs+Uuyib9MLA71ApW90AGiRm6HtOCxR0c3+qQRNIdFVm8mnM +hCxXRexf6Z2wZdXXy6uY0LVRgI0o31NPJPk8l2Hnb/kHGxjyUFzEWh65J/eA368d +4m8uF+Rr7WWlpQjwgWHU12kGThEVFFBFh2gmeIjYZdDDVhCi2mQ6lGSV2Pt7pZYL +/PPChWLBqrVBkIUQ0GV22nRYvGdaIv2LVPu8PggbPs/wwh35nJ3rUQyJF55CFV5y +WIWAWXfRYTKG9jkt+ncjZLEBxDO26zzO/MjIVPZxGyYryXEOgr6xp38xbyX9FpjL +KBaIueLWEyphVjBb1uUpDGx+UDYe9vbJjPUAEQEAAYkCJQQYAQIADwUCV4pjnQIb +DAUJA8JnAAAKCRBoc5PuN9Eo+D8dEACa60Q3ta6BWyHG0SOgfYGHE15LodACVHNI +N6Ou+JtmLarMW/AvPclNC25mxZV0ywLbun4CnJ9qYbt/Kx7djn48mrNa0rKN8Q+V +K5RvQA1kD890yzwu5jH6r5BQ8VBcfsPvsvatgbquzFn+NNiH9U4xRf/9BSY2Zk3G +yA15xG0T9zoklOMg8MWbeRaJPkDELyaHPWerbO7rebynePENSFPz3o3g+K9WcCM2 +xkEL571SmT4z3Mp/p0pwemWBCP2WoKCnSjAGiiHpCFru3SlZhRIvNJyK5jeS/IU6 +d5qeTBse6TXzp6Q4xkzACIN66P5SG/YY3/ONbfs6wB3lIkvVC9n7jEXjMK1T0fK8 +9DBDjzvAkJcKLLuIljjkMhRWSCED74sn+MlaWm0xMeo276EnaVILNcrHecSr8+eX +pVXSWEJ1+ErzZladJC+CrqUm0QljPV8Smtmk9MvOLHZ4qL4bI4Hu7MywuGNrLSol +qO0pAT1AjaYTRuH2MhZ6mJe/EtSl0EHXEkcDteE4jbYj3lwVhA1c/So0CdayImmD +/0tdqUfekw4va8PpbQ0wroL0XUvf3wl6HOhFhahWSqqb1fVr2slVttkaMb8M4MPt +Ka2m4qiiuGYivPIAVapSEA4DYc+krVqVXV/yDd3T7XcNtnClVo+rmOn5WiGq24am +79+hF4bWyw== +=WW1Z +-----END PGP PUBLIC KEY BLOCK----- --- libxpm-3.5.12.orig/debian/watch +++ libxpm-3.5.12/debian/watch @@ -0,0 +1,4 @@ +#git=git://anongit.freedesktop.org/xorg/lib/libXpm +version=3 +opts=pgpsigurlmangle=s/$/.sig/ \ +https://xorg.freedesktop.org/releases/individual/lib/ libXpm-(.*)\.tar\.gz --- libxpm-3.5.12.orig/debian/xpmutils.install +++ libxpm-3.5.12/debian/xpmutils.install @@ -0,0 +1,4 @@ +usr/bin/cxpm +usr/bin/sxpm +usr/share/man/man1/sxpm.1 +usr/share/man/man1/cxpm.1