multiple security holes in XPM code (CAN-2004-0914)

Automatically imported from Debian bug report #294099 http://bugs.debian.org/294099

Message-ID: <email address hidden>
Date: Mon, 7 Feb 2005 15:48:01 -0500
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: multiple security holes in XPM code (CAN-2004-0914)

Package: lesstif1-1
Severity: grave
Tags: security

CAN-2004-0914 describes multiple security holes in libxpm:

  Multiple vulnerabilities in libXpm for 6.8.1 and earlier, as used in XFre=
e86
  and other packages, include (1) multiple integer overflows, (2) out-of-bo=
unds
  memory accesses, (3) directory traversal, (4) shell metacharacter, (5) en=
dless
  loops, and (6) memory leaks, which could allow remote attackers to obtain
  sensitive information, cause a denial of service (application crash), or
  execute arbitary code via a certain XPM image file. NOTE: it is highly li=
kely
  that this candidate will be SPLIT into other candidates in the future, per
  CVE's content decisions.

lesstif includes code derived from this library that is apparently also
vulnerable. A new upstream release, 0.94.0, fixes these problems:

http://www.lesstif.org/ReleaseNotes.html

--=20
see shy jo

Message-ID: <email address hidden>
Date: Wed, 16 Feb 2005 11:28:19 +0100
From: Martin Pitt <email address hidden>
To: <email address hidden>
Subject: Re: multiple security holes in XPM code (CAN-2004-0914)

--PEIAKu/WMn1b1Hv9
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi!

Please note that the new upstream only fixes lesstif2, not lesstif1:

This directory contains fixed sources:

  http://cvs.sourceforge.net/viewcvs.py/lesstif/lesstif/lib/Xm-2.1/

However, this doesn't:

  http://cvs.sourceforge.net/viewcvs.py/lesstif/lesstif/lib/Xm/

However, fixing that is an enormous task. In this directory the Xpm
source is merged into one big C file and function names have been
renamed, so that the huuuuge patch must be applied manually.

Martin
--=20
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

--PEIAKu/WMn1b1Hv9
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCEyBDDecnbV4Fd/IRAmlHAJ0Vv3ftk++FugzMV5VP4S3lNF9CZACgwv0r
+zyL7RqOIT1PpuQe8NSIPtg=
=xK2K
-----END PGP SIGNATURE-----

--PEIAKu/WMn1b1Hv9--

Message-ID: <email address hidden>
Date: Wed, 16 Feb 2005 11:31:11 +0100
From: Martin Pitt <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Re: multiple security holes in XPM code (CAN-2004-0914)

--BXVAT5kNtrzKuDFl
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi again,

Martin Pitt [2005-02-16 11:28 +0100]:
> Hi!
>=20
> Please note that the new upstream only fixes lesstif2, not lesstif1:
>=20
> This directory contains fixed sources:
>=20
> http://cvs.sourceforge.net/viewcvs.py/lesstif/lesstif/lib/Xm-2.1/
>=20
> However, this doesn't:
>=20
> http://cvs.sourceforge.net/viewcvs.py/lesstif/lesstif/lib/Xm/

In addition, lesstif1 does not even contain the previous Xpm fix
(CAN-2004-0687 and CAN-2004-0688).

What a mess. :-(

Martin

--=20
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

--BXVAT5kNtrzKuDFl
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCEyDvDecnbV4Fd/IRAkeJAKCrXMvvAcYfYGH6VF5gWBep1qBmtQCfQe90
0HsmnbNhEPqWuQ9ATD6BAsU=
=LjBS
-----END PGP SIGNATURE-----

--BXVAT5kNtrzKuDFl--

Message-ID: <email address hidden>
Date: Wed, 16 Feb 2005 12:22:04 +0100
From: Martin Schulze <email address hidden>
To: Martin Pitt <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: multiple security holes in XPM code (CAN-2004-0914)

Martin Pitt wrote:
> Hi again,
>
> Martin Pitt [2005-02-16 11:28 +0100]:
> > Hi!
> >
> > Please note that the new upstream only fixes lesstif2, not lesstif1:
> >
> > This directory contains fixed sources:
> >
> > http://cvs.sourceforge.net/viewcvs.py/lesstif/lesstif/lib/Xm-2.1/
> >
> > However, this doesn't:
> >
> > http://cvs.sourceforge.net/viewcvs.py/lesstif/lesstif/lib/Xm/
>
> In addition, lesstif1 does not even contain the previous Xpm fix
> (CAN-2004-0687 and CAN-2004-0688).
>
> What a mess. :-(

An update is in the works as far as I know.

Regards,

 Joey

--
Ten years and still binary compatible. -- XFree86

Please always Cc to me when replying to me on the lists.

lesstif2 fixed for Warty in USN-83-1. I wait a bit to sync the Debian fix for Hoary.

Fixing lesstif1 for Warty is still outstanding; providing a patch is a giant
task, and it seems that the Debian maintainer already works on it, so I defer
the update. lesstif1 is not used in Warty/Hoary anyway and is abandoned
upstream, so lesstif-dev (and with it lesstif1) was dropped from the Supported
seed for Hoary.

The sid package has not changed for some time; is the maintainer active? We may
need to fix this independently for Hoary

(In reply to comment #6)
> The sid package has not changed for some time; is the maintainer active? We may
> need to fix this independently for Hoary

Please see my comment #5. Most of the bugs are already fixed in lesstif2 (one
very new one is still pending), but lesstif1 is a mess. Patches do not apply to
this version, one security patch is several hundred lines which need to be
applied manually into a totally different source code. That's we dropped
lesstif1 from the seeds (germinate has still not been updated, can somebody
please do this?).

So only fixing lesstif1 in Warty is still outstanding. Martin Schulze told me
that a patch was being worked on, but it will take a while. However, nothing
actually uses lesstif1 in Warty (it just went in by a seed "accident"), so it's
not that urgent.

Debian Package is still unfixed, fixed lesstif2 for Hoary now:

 lesstif1-1 (1:0.93.94-11ubuntu3) hoary; urgency=low
 .
   * SECURITY UDPATE: Fix multiple Xpm vulnerabilities.
   * lib/Xm-2.1/Xpm.c: Split into several files (as upstream did for easier
     patching), applied fixes pulled from new upstream version.
     References:
     - CAN-2004-0914
     - Ubuntu #6273
     - Debian #294099
   * lib/Xm-2.1/Xpmcreate.c, lib/Xm-2.1/Xpmscan.c: Applied patch from
     freedesktop.org to avoid integer overflows.
     References:
     - CAN-2005-0605
     - https://bugs.freedesktop.org/show_bug.cgi?id=1920
     - https://bugzilla.ubuntulinux.org/show_bug.cgi?id=721
   * lib/Xm/LTXpm.c: Backported CAN-2005-0605 patch to old lesstif1.
   * Added CAN numbers to changelog of 1:0.93.94-4ubuntu1.

This leaves the hard and useless, but required fix of lesstif1 for Warty.

Message-ID: <email address hidden>
Date: Wed, 30 Mar 2005 20:51:31 -1000
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: nmu uploaded to delayed queue

--ibTvN161/egqYuK8
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

I've uploaded the beforementioned NMU of lesstif that includes splitting
up all the files to the 4 day delayed queue on gluck.=20

--=20
see shy jo

--ibTvN161/egqYuK8
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCS53yd8HHehbQuO8RAoCJAKDPMy3nW6blnj9vCYNs/pn1ohOWDgCeNVZF
hrhdl3B/sC2ZaPzRyC5gg5Q=
=wR/S
-----END PGP SIGNATURE-----

--ibTvN161/egqYuK8--

> This leaves the hard and useless, but required fix of lesstif1 for Warty.

This was finally fixed as well in USN-83-2.

Message-ID: <email address hidden>
Date: Fri, 6 May 2005 22:14:41 +0300
From: Kimmo Jukarainen <email address hidden>
To: <email address hidden>
Subject: backported fix for lesstif1

I have made a backport of CAN-2004-0914 and CAN-2005-0605 fixes for
lesstif1 available at

   http://www.inside.org/~kimju/src/lesstif/

It compiles, but is currently untested. Please review and/or test
before using.

Please feel free to send any comments about this patch to me.

-kimju

Message-ID: <email address hidden>
Date: Tue, 10 May 2005 10:44:42 +0200
From: Matej Vela <email address hidden>
To: Kimmo Jukarainen <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: backported fix for lesstif1

tag 294099 patch
thanks

On Fri, May 06, 2005 at 10:14:41PM +0300, Kimmo Jukarainen wrote:
> I have made a backport of CAN-2004-0914 and CAN-2005-0605 fixes for
> lesstif1 available at
>
> http://www.inside.org/~kimju/src/lesstif/
>
> It compiles, but is currently untested. Please review and/or test
> before using.
>
> Please feel free to send any comments about this patch to me.

Nice work!

I tried comparing the diffs side by side, but found it too mind-numbing, so
I went and applied the original patches independently on the premise that
we're unlikely to both make a mistake in the same place.

The result of diffing the diffs (and fixing my own numerous screwups :-) is
at <http://people.debian.org/~vela/>. The changes are as follows:

 * Re-added various comments and extraneous whitespace introduced by the
   original patches, to provide context for future backports.
 * Removed duplicate `#include <sys/types.h>'.
 * _LtxpmHashTableInit: Fixed typo in LessTif's port (s/+=/>=/).
 * _LtxpmParseValues: A part of the CAN-2004-0687-0688 patch wasn't
   applied (s/BUFSIZ/& + 1/).
 * OpenReadFile: Removed two leftover lines.

If you're okay with the above, I can do an NMU.

Thanks!

Matej

Message-Id: <email address hidden>
Date: Tue, 10 May 2005 19:02:13 -0400
From: Matej Vela <email address hidden>
To: <email address hidden>
Cc: Matej Vela <email address hidden>, Sam Hocevar (Debian packages) <email address hidden>
Subject: Fixed in NMU of lesstif1-1 1:0.93.94-11.3

tag 279402 + fixed
tag 294099 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 11 May 2005 00:29:04 +0200
Source: lesstif1-1
Binary: lesstif-bin lesstif2 lesstif-dev lesstif2-dev lesstif-doc lesstif1
Architecture: source i386 all
Version: 1:0.93.94-11.3
Distribution: unstable
Urgency: high
Maintainer: Sam Hocevar (Debian packages) <email address hidden>
Changed-By: Matej Vela <email address hidden>
Description:
 lesstif-bin - user binaries for LessTif
 lesstif-dev - development library and header files for LessTif 1.2
 lesstif-doc - documentation for LessTif
 lesstif1 - OSF/Motif 1.2 implementation released under LGPL
 lesstif2 - OSF/Motif 2.1 implementation released under LGPL
 lesstif2-dev - development library and header files for LessTif 2.1
Closes: 279402 294099
Changes:
 lesstif1-1 (1:0.93.94-11.3) unstable; urgency=high
 .
   * NMU.
   * lib/Xm/LTXpm.c: Backport previous security fixes to lesstif1
     (CAN-2004-0914, CAN-2005-0605). Thanks to Kimmo Jukarainen for
     doing the bulk of the work! Closes: #294099.
   * lib/Xm-2.1/RCUtils.c: Apply upstream fix for label positioning in
     menus. Closes: #279402.
Files:
 6210c8ce8e0b6a6415cbf3a750fb48a2 855 libs optional lesstif1-1_0.93.94-11.3.dsc
 4f8429f173d59795ac8d830a1f01d70c 120617 libs optional lesstif1-1_0.93.94-11.3.diff.gz
 6432570990566749fe4dc09b3cb6da1c 342890 doc optional lesstif-doc_0.93.94-11.3_all.deb
 0c9fb81666321f961bef4c3dd89102d2 695244 libs optional lesstif2_0.93.94-11.3_i386.deb
 45b4daa19630d426c3d66598224ecdad 617260 libs optional lesstif1_0.93.94-11.3_i386.deb
 7704c756a2c1750f28899929eca0a2e2 964850 libdevel optional lesstif2-dev_0.93.94-11.3_i386.deb
 f57b9b55e231768e897527d5a1b0616b 830884 libdevel optional lesstif-dev_0.93.94-11.3_i386.deb
 036509fe91e298af84f43996a921a204 164556 x11 optional lesstif-bin_0.93.94-11.3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCgTeCxBYivKllgY8RAtaTAKCD9IOW7xH0UBEd2WLuF3c/mm+zVgCfWEfb
tULjGfHwgLXmn4/E860lhhw=
=Gr1A
-----END PGP SIGNATURE-----

Message-Id: <email address hidden>
Date: Fri, 11 Nov 2005 11:17:22 -0800
From: Sam Hocevar (Debian packages) <email address hidden>
To: <email address hidden>
Subject: Bug#294099: fixed in lesstif1-1 1:0.93.94-12

Source: lesstif1-1
Source-Version: 1:0.93.94-12

We believe that the bug you reported is fixed in the latest version of
lesstif1-1, which is due to be installed in the Debian FTP archive:

lesstif-dev_0.93.94-12_i386.deb
  to pool/main/l/lesstif1-1/lesstif-dev_0.93.94-12_i386.deb
lesstif1-1_0.93.94-12.diff.gz
  to pool/main/l/lesstif1-1/lesstif1-1_0.93.94-12.diff.gz
lesstif1-1_0.93.94-12.dsc
  to pool/main/l/lesstif1-1/lesstif1-1_0.93.94-12.dsc
lesstif1_0.93.94-12_i386.deb
  to pool/main/l/lesstif1-1/lesstif1_0.93.94-12_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hocevar (Debian packages) <email address hidden> (supplier of updated lesstif1-1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 11 Nov 2005 16:07:34 +0100
Source: lesstif1-1
Binary: lesstif-dev lesstif1
Architecture: source i386
Version: 1:0.93.94-12
Distribution: unstable
Urgency: low
Maintainer: Sam Hocevar (Debian packages) <email address hidden>
Changed-By: Sam Hocevar (Debian packages) <email address hidden>
Description:
 lesstif-dev - development library and header files for LessTif 1.2
 lesstif1 - OSF/Motif 1.2 implementation released under LGPL
Closes: 279402 287187 294099 298183 299236 335132
Changes:
 lesstif1-1 (1:0.93.94-12) unstable; urgency=low
 .
   * Acknowledge previous NMUs. Thanks a million to Joey Hess and Matej Vela
     for their work (Closes: #294099, #298183, #299236, #279402, #287187).
   * Upstream dropped support for lesstif1. This package will generate lesstif1
     binaries only. When all Debian packages have been migrated to lesstif2 it
     will be discontinued.
   * debian/control:
     + Set policy to 3.6.2.1.
     + Build-depend on debhelper >= 4.0.
     + No longer build-depend on autoconf, automake and libtool
       (Closes: #335132).
   * Rebootstrapped "." and "test".
Files:
 948f4b89b5889b4a3f6c6eb0a39b847d 760 libs optional lesstif1-1_0.93.94-12.dsc
 f3d89e0f89995ccbc64bf51ea8a827d4 361215 libs optional lesstif1-1_0.93.94-12.diff.gz
 f4e01a69dd32775258ff71d8b362183c 603924 libs optional lesstif1_0.93.94-12_i386.deb
 8ed2ce8f8352e0a8850cf5f55da4308c 812750 libdevel optional lesstif-dev_0.93.94-12_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDdNsEfPP1rylJn2ERAjqgAJ9DKhih+eE764cXKcH6EdUZ1pz0ugCfRq3D
KWciC3nZj8HLUCq0JEcyLIk=
=7Czj
-----END PGP SIGNATURE-----