lesstif1-1: Further unfixed XPM buffer overflows (CAN-2005-0605)

Automatically imported from Debian bug report #298183 http://bugs.debian.org/298183

Message-Id: <email address hidden>
Date: Sat, 05 Mar 2005 15:34:54 +0100
From: Moritz Muehlenhoff <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: lesstif1-1: Further unfixed XPM buffer overflows (CAN-2005-0605)

--===============2114963271==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Package: lesstif1-1
Severity: grave
Tags: security, patch
Justification: user security hole

Quoting from a recent Gentoo security advisory:
> Chris Gilbert discovered potentially exploitable buffer overflow cases
> in libXpm that weren't fixed in previous libXpm security advisories.

This has been assigned CAN-2005-0605, Woody should be affected as
well.

The attached patch has been taken from Gentoo bugtracking, as the
lesstif CVS doesn't have a commit yet. Judging from the source I assume
that this fixes only lesstif2, but not lesstif1, am I correct?

Cheers,
        Moritz

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)

--===============2114963271==
Content-Type: text/x-c; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="lesstif-CAN-2005-0605.patch"

--- lesstif-0.94.0/lib/Xm-2.1/Xpmscan.c.orig 2005-03-02 17:00:16.415070960 +0100
+++ lesstif-0.94.0/lib/Xm-2.1/Xpmscan.c 2005-03-02 17:01:38.949709879 +0100
@@ -672,8 +672,8 @@
     char *dst;
     unsigned int *iptr;
     char *data;
- unsigned int x, y, i;
- int bits, depth, ibu, ibpp, offset;
+ unsigned int x, y;
+ int bits, depth, ibu, ibpp, offset, i;
     unsigned long lbt;
     Pixel pixel, px;

@@ -684,6 +684,9 @@
     ibpp = image->bits_per_pixel;
     offset = image->xoffset;

+ if (image->bitmap_unit < 0)
+ return (XpmNoMemory);
+
     if ((image->bits_per_pixel | image->depth) == 1) {
  ibu = image->bitmap_unit;
  for (y = 0; y < height; y++)
--- lesstif-0.94.0/lib/Xm-2.1/Xpmcreate.c.orig 2005-03-02 17:02:00.626412844 +0100
+++ lesstif-0.94.0/lib/Xm-2.1/Xpmcreate.c 2005-03-02 17:02:35.183562480 +0100
@@ -1265,10 +1265,10 @@
     register char *src;
     register char *dst;
     register unsigned int *iptr;
- register unsigned int x, y, i;
+ register unsigned int x, y;
     register char *data;
     Pixel pixel, px;
- int nbytes, depth, ibu, ibpp;
+ int nbytes, depth, ibu, ibpp, i;

     data = image->data;
     iptr = pixelindex;

--===============2114963271==--

Fixed Warty in USN-92-1:
 lesstif1-1 (1:0.93.94-4ubuntu1.2) warty-security; urgency=low
 .
   * SECURITY UPDATE: More Xpm vulnerabilities.
   * lib/Xm-2.1/Xpmcreate.c, lib/Xm-2.1/Xpmscan.c: Applied patch from
     freedesktop.org to avoid integer overflows.
   * lib/Xm/LTXpm.c: Backported patch to old lesstif1.
   * References:
     CAN-2005-0605
     https://bugs.freedesktop.org/show_bug.cgi?id=1920
     https://bugzilla.ubuntulinux.org/show_bug.cgi?id=7210

Fixed Hoary in
 lesstif1-1 (1:0.93.94-11ubuntu3) hoary; urgency=low
 .
   * SECURITY UDPATE: Fix multiple Xpm vulnerabilities.
   * lib/Xm-2.1/Xpm.c: Split into several files (as upstream did for easier
     patching), applied fixes pulled from new upstream version.
     References:
     - CAN-2004-0914
     - Ubuntu #6273
     - Debian #294099
   * lib/Xm-2.1/Xpmcreate.c, lib/Xm-2.1/Xpmscan.c: Applied patch from
     freedesktop.org to avoid integer overflows.
     References:
     - CAN-2005-0605
     - https://bugs.freedesktop.org/show_bug.cgi?id=1920
     - https://bugzilla.ubuntulinux.org/show_bug.cgi?id=721
   * lib/Xm/LTXpm.c: Backported CAN-2005-0605 patch to old lesstif1.
   * Added CAN numbers to changelog of 1:0.93.94-4ubuntu1.

Message-ID: <email address hidden>
Date: Tue, 8 Mar 2005 17:21:02 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: improved patch (from ubuntu)

--FL5UXtIhxfXey3p5
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Ubuntu backported a fix for this hole to lesstif1. From their changelog:

  * SECURITY UPDATE: More Xpm vulnerabilities.
  * lib/Xm-2.1/Xpmcreate.c, lib/Xm-2.1/Xpmscan.c: Applied patch from
    freedesktop.org to avoid integer overflows.
  * lib/Xm/LTXpm.c: Backported patch to old lesstif1.
  * References:
    CAN-2005-0605
    https://bugs.freedesktop.org/show_bug.cgi?id=3D1920
    https://bugzilla.ubuntulinux.org/show_bug.cgi?id=3D7210

I'm not going to try to islate the patch from their diff, as previous chang=
es
in their diff make that difficult:

  * SECURITY UDPATE: Fix multiple Xpm vulnerabilities.
  * lib/Xm-2.1/Xpm.c: Split into several files (as upstream did for easier
    patching), applied fixes pulled from new upstream version.
    References:
    - CAN-2004-0914
    - Ubuntu #6273
    - Debian #294099
  * Added CAN numbers to previous changelog.

  * SECURITY: apply Xpm security fixes. (Closes: #1821)
  * CAN-2004-0687, CAN-2004-0688

Their diff is here:

http://security.ubuntu.com/ubuntu/pool/main/l/lesstif1-1/lesstif1-1_0.93.94=
-4ubuntu1.3.diff.gz

--=20
see shy jo

--FL5UXtIhxfXey3p5
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCLiVKd8HHehbQuO8RArL+AJ4/4BbGfBKmAy2Zf/nZX5pYA3OUOQCfUVX1
RwK5+j8DcSe8JNnT9BWBqLw=
=bA+y
-----END PGP SIGNATURE-----

--FL5UXtIhxfXey3p5--

Message-ID: <email address hidden>
Date: Wed, 9 Mar 2005 08:22:55 +0100
From: Martin Pitt <email address hidden>
To: <email address hidden>
Subject: lesstif1-1: Further unfixed XPM buffer overflows (CAN-2005-0605)

--r5Pyd7+fXNt84Ff3
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi!

> Ubuntu backported a fix for this hole to lesstif1. From their changelog:
>=20
> * SECURITY UPDATE: More Xpm vulnerabilities.
> * lib/Xm-2.1/Xpmcreate.c, lib/Xm-2.1/Xpmscan.c: Applied patch from
> freedesktop.org to avoid integer overflows.
> * lib/Xm/LTXpm.c: Backported patch to old lesstif1.
> * References:
> CAN-2005-0605
> https://bugs.freedesktop.org/show_bug.cgi?id=3D3D1920
> https://bugzilla.ubuntulinux.org/show_bug.cgi?id=3D3D7210

The change for lesstif1 was rather trivial since the variables
are declared correctly already. So the patch for the old lesstif1
reduces to

--- lesstif1-1-0.93.94.orig/lib/Xm/LTXpm.c
+++ lesstif1-1-0.93.94/lib/Xm/LTXpm.c
@@ -6305,6 +6305,9 @@
     ibpp =3D image->bits_per_pixel;
     offset =3D image->xoffset;

+ if (image->bitmap_unit < 0)
+ return (_LtXpmNoMemory);
+
     if ((image->bits_per_pixel | image->depth) =3D=3D 1) {
        ibu =3D image->bitmap_unit;
        for (y =3D 0; y < height; y++)

Regards,

Martin

--=20
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian GNU/Linux Developer http://www.debian.org

--r5Pyd7+fXNt84Ff3
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCLqRODecnbV4Fd/IRApGRAJwIhk7w1HpTT1vnyoJRZlINi5djWQCgvU3M
QFq0i9WGLinWoisG16867Gs=
=qDPp
-----END PGP SIGNATURE-----

--r5Pyd7+fXNt84Ff3--

Message-ID: <email address hidden>
Date: Thu, 10 Mar 2005 16:54:19 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: NMU diff

--+pHx0qQiF2pBVqBT
Content-Type: multipart/mixed; boundary="IJpNTDwzlM2Ie8A6"
Content-Disposition: inline

--IJpNTDwzlM2Ie8A6
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

It turns out that the older version of lesstif2 we have also had the
variables defined as signed ints, so the patch to fix CAN-2005-0605 in
lesstif2 is shorter than the fixes needed for newer versions of the
library. I combined this fix with the fix for lesstif1 that Martin Pitt
was kind enough to send and the result is the attached NMU diff.

Note that I haven't NMUed it yet, I'm still looking at the other open
security holes.

--=20
see shy jo

--IJpNTDwzlM2Ie8A6
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="lesstif-CAN-2005-0605.diff"
Content-Transfer-Encoding: quoted-printable

diff -ur old/lesstif1-1-0.93.94/debian/changelog lesstif1-1-0.93.94/debian/=
changelog
--- old/lesstif1-1-0.93.94/debian/changelog 2005-03-10 16:49:01.000000000 -=
0500
+++ lesstif1-1-0.93.94/debian/changelog 2005-03-10 16:48:31.000000000 -0500
@@ -1,3 +1,12 @@
+lesstif1-1 (1:0.93.94-11.1) unstable; urgency=3DHIGH
+
+ * NMU
+ * Apply fix for newest libXpm buffer overflows in lesstif1, involving a
+ negative bitmap_unit value. Fixed both lesstif1 and lesstif2.
+ Closes: #298939 (CAN-2005-0605)
+
+ -- Joey Hess <email address hidden> Thu, 10 Mar 2005 16:34:21 -0500
+
 lesstif1-1 (1:0.93.94-11) unstable; urgency=3Dlow
=20
   * Mention CAN-2004-0688 in the 1:0.93.94-9 changelog.
diff -ur old/lesstif1-1-0.93.94/lib/Xm/LTXpm.c lesstif1-1-0.93.94/lib/Xm/LT=
Xpm.c
--- old/lesstif1-1-0.93.94/lib/Xm/LTXpm.c 2005-03-10 16:49:00.000000000 -05=
00
+++ lesstif1-1-0.93.94/lib/Xm/LTXpm.c 2005-03-10 16:36:47.000000000 -0500
@@ -6395,6 +6395,9 @@
     ibpp =3D image->bits_per_pixel;
     offset =3D image->xoffset;
=20
+ if (image->bitmap_unit < 0)
+ return (_LtXpmNoMemory);
+ =20
     if ((image->bits_per_pixel | image->depth) =3D=3D 1) {
  ibu =3D image->bitmap_unit;
  for (y =3D 0; y < height; y++)
diff -ur old/lesstif1-1-0.93.94/lib/Xm-2.1/Xpm.c lesstif1-1-0.93.94/lib/Xm-=
2.1/Xpm.c
--- old/lesstif1-1-0.93.94/lib/Xm-2.1/Xpm.c 2005-03-10 16:49:01.000000000 -=
0500
+++ lesstif1-1-0.93.94/lib/Xm-2.1/Xpm.c 2005-03-10 16:46:14.000000000 -0500
@@ -6373,6 +6373,9 @@
     ibpp =3D image->bits_per_pixel;
     offset =3D image->xoffset;
=20
+ if (image->bitmap_unit < 0)
+ return (XpmNoMemory);
+ =20
     if ((image->bits_per_pixel | image->depth) =3D=3D 1) {
  ibu =3D image->bitmap_unit;
  for (y =3D 0; y < height; y++)

--IJpNTDwzlM2Ie8A6--

--+pHx0qQiF2pBVqBT
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCMMIKd8HHehbQuO8RAmGYAKDERGgBIoXyf5ixx8wW+LBwiFFscQCg6Ygb
wR7JxLTFtT0cKXBSgj70JvM=
=PGLI
-----END PGP SIGNATURE-----

--+pHx0qQiF2pBVqBT--

Message-ID: <email address hidden>
Date: Sat, 12 Mar 2005 17:53:36 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: #298939 should not have been marked fixed by lesstif1-1 NMU

--d6Gm4EdcadzBjdND
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

tag 298183 fixed
merge 298183 299236
thanks

Branden Robinson wrote:
> clone 298939 -1
> retitle -1 lesstif1-1: copy of libXpm code affected by buffer overflow CA=
N-2005-0605
> reassign -1 lesstif1-1
> # I don't actually know if it's fixed upstream yet in LessTif, but I'm
> # guessing it's not.
> tag -1 - fixed-upstream
> # libxpm4 is not fixed until the security buildds' packages are uploaded.
> tag 298939 - fixed
> thanks
>=20
> Hi Joey,
>=20
> Did you mean to only reference #298939 in your NMU of lesstif1-1? You sa=
id
> "Closes:", which marked as fixed the bug I filed against libxpm4, which is
> not part of lesstif1-1 and is not yet fixed.
>=20
> I am assuming your closing of #298939 is in error (since it's not
> accurate), and cloning a copy of it for CAN-2005-0605's affect of
> lesstif1-1.

Sorry, I meant to refer to bug #298183 which was already open on
lesstif1 for the same vulnerability.

--=20
see shy jo

--d6Gm4EdcadzBjdND
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCM3Lvd8HHehbQuO8RAjI5AKDltf47z7A83wCP8iofuSzDXbY8agCfRa7j
Y7oGURkfv29QQqcBaNWBprI=
=GuJw
-----END PGP SIGNATURE-----

--d6Gm4EdcadzBjdND--

Message-Id: <email address hidden>
Date: Fri, 11 Nov 2005 11:17:22 -0800
From: Sam Hocevar (Debian packages) <email address hidden>
To: <email address hidden>
Subject: Bug#298183: fixed in lesstif1-1 1:0.93.94-12

Source: lesstif1-1
Source-Version: 1:0.93.94-12

We believe that the bug you reported is fixed in the latest version of
lesstif1-1, which is due to be installed in the Debian FTP archive:

lesstif-dev_0.93.94-12_i386.deb
  to pool/main/l/lesstif1-1/lesstif-dev_0.93.94-12_i386.deb
lesstif1-1_0.93.94-12.diff.gz
  to pool/main/l/lesstif1-1/lesstif1-1_0.93.94-12.diff.gz
lesstif1-1_0.93.94-12.dsc
  to pool/main/l/lesstif1-1/lesstif1-1_0.93.94-12.dsc
lesstif1_0.93.94-12_i386.deb
  to pool/main/l/lesstif1-1/lesstif1_0.93.94-12_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hocevar (Debian packages) <email address hidden> (supplier of updated lesstif1-1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 11 Nov 2005 16:07:34 +0100
Source: lesstif1-1
Binary: lesstif-dev lesstif1
Architecture: source i386
Version: 1:0.93.94-12
Distribution: unstable
Urgency: low
Maintainer: Sam Hocevar (Debian packages) <email address hidden>
Changed-By: Sam Hocevar (Debian packages) <email address hidden>
Description:
 lesstif-dev - development library and header files for LessTif 1.2
 lesstif1 - OSF/Motif 1.2 implementation released under LGPL
Closes: 279402 287187 294099 298183 299236 335132
Changes:
 lesstif1-1 (1:0.93.94-12) unstable; urgency=low
 .
   * Acknowledge previous NMUs. Thanks a million to Joey Hess and Matej Vela
     for their work (Closes: #294099, #298183, #299236, #279402, #287187).
   * Upstream dropped support for lesstif1. This package will generate lesstif1
     binaries only. When all Debian packages have been migrated to lesstif2 it
     will be discontinued.
   * debian/control:
     + Set policy to 3.6.2.1.
     + Build-depend on debhelper >= 4.0.
     + No longer build-depend on autoconf, automake and libtool
       (Closes: #335132).
   * Rebootstrapped "." and "test".
Files:
 948f4b89b5889b4a3f6c6eb0a39b847d 760 libs optional lesstif1-1_0.93.94-12.dsc
 f3d89e0f89995ccbc64bf51ea8a827d4 361215 libs optional lesstif1-1_0.93.94-12.diff.gz
 f4e01a69dd32775258ff71d8b362183c 603924 libs optional lesstif1_0.93.94-12_i386.deb
 8ed2ce8f8352e0a8850cf5f55da4308c 812750 libdevel optional lesstif-dev_0.93.94-12_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDdNsEfPP1rylJn2ERAjqgAJ9DKhih+eE764cXKcH6EdUZ1pz0ugCfRq3D
KWciC3nZj8HLUCq0JEcyLIk=
=7Czj
-----END PGP SIGNATURE-----

Message-Id: <email address hidden>
Date: Fri, 11 Nov 2005 11:17:22 -0800
From: Sam Hocevar (Debian packages) <email address hidden>
To: <email address hidden>
Subject: Bug#299236: fixed in lesstif1-1 1:0.93.94-12

Source: lesstif1-1
Source-Version: 1:0.93.94-12

We believe that the bug you reported is fixed in the latest version of
lesstif1-1, which is due to be installed in the Debian FTP archive:

lesstif-dev_0.93.94-12_i386.deb
  to pool/main/l/lesstif1-1/lesstif-dev_0.93.94-12_i386.deb
lesstif1-1_0.93.94-12.diff.gz
  to pool/main/l/lesstif1-1/lesstif1-1_0.93.94-12.diff.gz
lesstif1-1_0.93.94-12.dsc
  to pool/main/l/lesstif1-1/lesstif1-1_0.93.94-12.dsc
lesstif1_0.93.94-12_i386.deb
  to pool/main/l/lesstif1-1/lesstif1_0.93.94-12_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hocevar (Debian packages) <email address hidden> (supplier of updated lesstif1-1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 11 Nov 2005 16:07:34 +0100
Source: lesstif1-1
Binary: lesstif-dev lesstif1
Architecture: source i386
Version: 1:0.93.94-12
Distribution: unstable
Urgency: low
Maintainer: Sam Hocevar (Debian packages) <email address hidden>
Changed-By: Sam Hocevar (Debian packages) <email address hidden>
Description:
 lesstif-dev - development library and header files for LessTif 1.2
 lesstif1 - OSF/Motif 1.2 implementation released under LGPL
Closes: 279402 287187 294099 298183 299236 335132
Changes:
 lesstif1-1 (1:0.93.94-12) unstable; urgency=low
 .
   * Acknowledge previous NMUs. Thanks a million to Joey Hess and Matej Vela
     for their work (Closes: #294099, #298183, #299236, #279402, #287187).
   * Upstream dropped support for lesstif1. This package will generate lesstif1
     binaries only. When all Debian packages have been migrated to lesstif2 it
     will be discontinued.
   * debian/control:
     + Set policy to 3.6.2.1.
     + Build-depend on debhelper >= 4.0.
     + No longer build-depend on autoconf, automake and libtool
       (Closes: #335132).
   * Rebootstrapped "." and "test".
Files:
 948f4b89b5889b4a3f6c6eb0a39b847d 760 libs optional lesstif1-1_0.93.94-12.dsc
 f3d89e0f89995ccbc64bf51ea8a827d4 361215 libs optional lesstif1-1_0.93.94-12.diff.gz
 f4e01a69dd32775258ff71d8b362183c 603924 libs optional lesstif1_0.93.94-12_i386.deb
 8ed2ce8f8352e0a8850cf5f55da4308c 812750 libdevel optional lesstif-dev_0.93.94-12_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDdNsEfPP1rylJn2ERAjqgAJ9DKhih+eE764cXKcH6EdUZ1pz0ugCfRq3D
KWciC3nZj8HLUCq0JEcyLIk=
=7Czj
-----END PGP SIGNATURE-----