multiple security holes in XPM code (CAN-2004-0914)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
lesstif1-1 (Debian) | Fix Released | Unknown | | |
lesstif1-1 (Ubuntu) | Fix Released | High | Martin Pitt | |
Bug Description
Automatically imported from Debian bug report #294099 http://
Debian Bug Importer (debzilla) wrote : | #1 |
Debian Bug Importer (debzilla) wrote : | #2 |
Message-ID: <email address hidden>
Date: Mon, 7 Feb 2005 15:48:01 -0500
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: multiple security holes in XPM code (CAN-2004-0914)
Package: lesstif1-1
Severity: grave
Tags: security
CAN-2004-0914 describes multiple security holes in libxpm:
Multiple vulnerabilities in libXpm for 6.8.1 and earlier, as used in XFree86
and other packages, include (1) multiple integer overflows, (2) out-of-bounds
memory accesses, (3) directory traversal, (4) shell metacharacter, (5) endless
loops, and (6) memory leaks, which could allow remote attackers to obtain
sensitive information, cause a denial of service (application crash), or
execute arbitrary code via a certain XPM image file. NOTE: it is highly likely
that this candidate will be SPLIT into other candidates in the future, per
CVE's content decisions.
lesstif includes code derived from this library that is apparently also
vulnerable. A new upstream release, 0.94.0, fixes these problems:
http://
--
see shy jo
| #3 |
Hi!
Please note that the new upstream only fixes lesstif2, not lesstif1:
This directory contains fixed sources:
http://
However, this doesn't:
http://
However, fixing that is an enormous task. In this directory the Xpm
source is merged into one big C file and function names have been
renamed, so that the huuuuge patch must be applied manually.
Martin
--
Martin Pitt http://
Ubuntu Developer http://
Debian GNU/Linux Developer http://
| #4 |
Hi again,
Martin Pitt [2005-02-16 11:28 +0100]:
> Hi!
>
> Please note that the new upstream only fixes lesstif2, not lesstif1:
>
> This directory contains fixed sources:
>
> http://
>
> However, this doesn't:
>
> http://
In addition, lesstif1 does not even contain the previous Xpm fix
(CAN-2004-0687 and CAN-2004-0688).
What a mess. :-(
Martin
--
Martin Pitt http://
Ubuntu Developer http://
Debian GNU/Linux Developer http://
Debian Bug Importer (debzilla) wrote : | #5 |
Message-ID: <email address hidden>
Date: Wed, 16 Feb 2005 11:28:19 +0100
From: Martin Pitt <email address hidden>
To: <email address hidden>
Subject: Re: multiple security holes in XPM code (CAN-2004-0914)
Hi!
Please note that the new upstream only fixes lesstif2, not lesstif1:
This directory contains fixed sources:
http://
However, this doesn't:
http://
However, fixing that is an enormous task. In this directory the Xpm
source is merged into one big C file and function names have been
renamed, so that the huuuuge patch must be applied manually.
Martin
--
Martin Pitt http://
Ubuntu Developer http://
Debian GNU/Linux Developer http://
Debian Bug Importer (debzilla) wrote : | #6 |
Message-ID: <email address hidden>
Date: Wed, 16 Feb 2005 11:31:11 +0100
From: Martin Pitt <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Re: multiple security holes in XPM code (CAN-2004-0914)
Hi again,
Martin Pitt [2005-02-16 11:28 +0100]:
> Hi!
>
> Please note that the new upstream only fixes lesstif2, not lesstif1:
>
> This directory contains fixed sources:
>
> http://
>
> However, this doesn't:
>
> http://
In addition, lesstif1 does not even contain the previous Xpm fix
(CAN-2004-0687 and CAN-2004-0688).
What a mess. :-(
Martin
--
Martin Pitt http://
Ubuntu Developer http://
Debian GNU/Linux Developer http://
| #7 |
Martin Pitt wrote:
> Hi again,
>
> Martin Pitt [2005-02-16 11:28 +0100]:
> > Hi!
> >
> > Please note that the new upstream only fixes lesstif2, not lesstif1:
> >
> > This directory contains fixed sources:
> >
> > http://
> >
> > However, this doesn't:
> >
> > http://
>
> In addition, lesstif1 does not even contain the previous Xpm fix
> (CAN-2004-0687 and CAN-2004-0688).
>
> What a mess. :-(
An update is in the works as far as I know.
Regards,
Joey
--
Ten years and still binary compatible. -- XFree86
Please always Cc to me when replying to me on the lists.
Debian Bug Importer (debzilla) wrote : | #8 |
Message-ID: <email address hidden>
Date: Wed, 16 Feb 2005 12:22:04 +0100
From: Martin Schulze <email address hidden>
To: Martin Pitt <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: multiple security holes in XPM code (CAN-2004-0914)
Martin Pitt wrote:
> Hi again,
>
> Martin Pitt [2005-02-16 11:28 +0100]:
> > Hi!
> >
> > Please note that the new upstream only fixes lesstif2, not lesstif1:
> >
> > This directory contains fixed sources:
> >
> > http://
> >
> > However, this doesn't:
> >
> > http://
>
> In addition, lesstif1 does not even contain the previous Xpm fix
> (CAN-2004-0687 and CAN-2004-0688).
>
> What a mess. :-(
An update is in the works as far as I know.
Regards,
Joey
--
Ten years and still binary compatible. -- XFree86
Please always Cc to me when replying to me on the lists.
Martin Pitt (pitti) wrote : | #9 |
lesstif2 fixed for Warty in USN-83-1. I wait a bit to sync the Debian fix for Hoary.
Fixing lesstif1 for Warty is still outstanding; providing a patch is a giant
task, and it seems that the Debian maintainer already works on it, so I defer
the update. lesstif1 is not used in Warty/Hoary anyway and is abandoned
upstream, so lesstif-dev (and with it lesstif1) was dropped from the Supported
seed for Hoary.
Matt Zimmerman (mdz) wrote : | #10 |
The sid package has not changed for some time; is the maintainer active? We may
need to fix this independently for Hoary
Martin Pitt (pitti) wrote : | #11 |
(In reply to comment #6)
> The sid package has not changed for some time; is the maintainer active? We may
> need to fix this independently for Hoary
Please see my comment #5. Most of the bugs are already fixed in lesstif2 (one
very new one is still pending), but lesstif1 is a mess. Patches do not apply to
this version, one security patch is several hundred lines which need to be
applied manually into a totally different source code. That's why we dropped
lesstif1 from the seeds (germinate has still not been updated, can somebody
please do this?).
So only fixing lesstif1 in Warty is still outstanding. Martin Schulze told me
that a patch was being worked on, but it will take a while. However, nothing
actually uses lesstif1 in Warty (it just went in by a seed "accident"), so it's
not that urgent.
Martin Pitt (pitti) wrote : | #12 |
Debian Package is still unfixed, fixed lesstif2 for Hoary now:
lesstif1-1 (1:0.93.
.
* SECURITY UPDATE: Fix multiple Xpm vulnerabilities.
* lib/Xm-2.1/Xpm.c: Split into several files (as upstream did for easier
patching), applied fixes pulled from new upstream version.
References:
- CAN-2004-0914
- Ubuntu #6273
- Debian #294099
* lib/Xm-
freedeskto
References:
- CAN-2005-0605
- https:/
- https:/
* lib/Xm/LTXpm.c: Backported CAN-2005-0605 patch to old lesstif1.
* Added CAN numbers to changelog of 1:0.93.94-4ubuntu1.
This leaves the hard and useless, but required fix of lesstif1 for Warty.
| #13 |
The attached patch was lifted from ubuntu and fixes CAN-2004-0914 for
lesstif2 by backporting the changes in the new upstream lesstif.
lesstif1 is left unfixed, and AFAIK there's also still no fix for
lesstif1 for CAN-2004-0687 and CAN-2004-0688, so this patch does not
fully close this bug report.
It's huge, since it splits up the xpm source as has been done upstream.
It also includes re-fixes for CAN-2005-0605, which I have already NMUed
the package for, but which need to be updated for the new upstream
version of the xpm source.
Given the level of changes, I'm very reluctant to NMU with this, but
will probably do so eventually if I don't hear anything from the lesstif
maintainer.
--
see shy jo
| #14 |
I've uploaded the beforementioned NMU of lesstif that includes splitting
up all the files to the 4 day delayed queue on gluck.
--
see shy jo
Debian Bug Importer (debzilla) wrote : | #15 |
Message-ID: <email address hidden>
Date: Wed, 30 Mar 2005 20:51:31 -1000
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: nmu uploaded to delayed queue
I've uploaded the beforementioned NMU of lesstif that includes splitting
up all the files to the 4 day delayed queue on gluck.
--
see shy jo
| #16 |
I have made a backport of CAN-2004-0914 and CAN-2005-0605 fixes for
lesstif1 available at
http://
It compiles, but is currently untested. Please review and/or test
before using.
Please feel free to send any comments about this patch to me.
-kimju
| #17 |
tag 294099 patch
thanks
On Fri, May 06, 2005 at 10:14:41PM +0300, Kimmo Jukarainen wrote:
> I have made a backport of CAN-2004-0914 and CAN-2005-0605 fixes for
> lesstif1 available at
>
> http://
>
> It compiles, but is currently untested. Please review and/or test
> before using.
>
> Please feel free to send any comments about this patch to me.
Nice work!
I tried comparing the diffs side by side, but found it too mind-numbing, so
I went and applied the original patches independently on the premise that
we're unlikely to both make a mistake in the same place.
The result of diffing the diffs (and fixing my own numerous screwups :-) is
at <http://
* Re-added various comments and extraneous whitespace introduced by the
original patches, to provide context for future backports.
* Removed duplicate `#include <sys/types.h>'.
* _LtxpmHashTable
* _LtxpmParseValues: A part of the CAN-2004-0687-0688 patch wasn't
applied (s/BUFSIZ/& + 1/).
* OpenReadFile: Removed two leftover lines.
If you're okay with the above, I can do an NMU.
Thanks!
Matej
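One way to script the cross-check described in the comment above: compare two independently made backports by their added and removed lines, ignoring hunk offsets and whitespace, and report changes that appear in only one of them. This is an added example, not part of the thread or of either backport; the patch texts, the file name `demo/xpm_parse.c` and the identifiers inside them are constructed.

```python
import re
from collections import Counter

HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

def changed_lines(patch_text):
    """Map file -> Counter of (sign, text) changes; offsets, context and spacing ignored."""
    changes, current, old_left, new_left = {}, None, 0, 0
    for line in patch_text.splitlines():
        if old_left > 0 or new_left > 0:        # still inside a hunk body
            sign, text = line[:1], " ".join(line[1:].split())
            if sign == "\\":                    # "\ No newline at end of file"
                continue
            if sign != "+":
                old_left -= 1                   # removed and context lines consume an old line
            if sign != "-":
                new_left -= 1                   # added and context lines consume a new line
            if sign in ("+", "-") and text:
                changes[current][(sign, text)] += 1
            continue
        m = HUNK.match(line)
        if m and current is not None:           # a count left out of the header means 1
            old_left, new_left = int(m.group(1) or 1), int(m.group(2) or 1)
        elif line.startswith("+++ "):           # "+++ b/dir/f.c<TAB>date" -> "dir/f.c"
            current = line[4:].split("\t")[0].split("/", 1)[-1]
            changes.setdefault(current, Counter())
    return changes

def compare_backports(patch_a, patch_b):
    """Return, per file, the changes that appear in only one of the two patches."""
    a, b = changed_lines(patch_a), changed_lines(patch_b)
    report = {}
    for path in sorted(set(a) | set(b)):
        ca, cb = a.get(path, Counter()), b.get(path, Counter())
        if ca != cb:
            report[path] = {"only_in_a": sorted((ca - cb).elements()),
                            "only_in_b": sorted((cb - ca).elements())}
    return report

# Constructed patches (not LessTif code): B lacks A's BUFSIZ hunk, shared hunk is offset and tab-indented.
BACKPORT_A = """\
--- a/demo/xpm_parse.c
+++ b/demo/xpm_parse.c
@@ -11 +11 @@
-    char buf[BUFSIZ];
+    char buf[BUFSIZ + 1];
@@ -40,2 +40,4 @@
     n = read_count(f);
+    if (n >= UINT_MAX / sizeof(*tab))
+        return -1;
     tab = malloc(n * sizeof(*tab));
"""
BACKPORT_B = """\
--- a/demo/xpm_parse.c
+++ b/demo/xpm_parse.c
@@ -52,2 +52,4 @@
     n = read_count(f);
+\tif (n >= UINT_MAX / sizeof(*tab))
+\t\treturn -1;
     tab = malloc(n * sizeof(*tab));
"""

if __name__ == "__main__":
    print(compare_backports(BACKPORT_A, BACKPORT_B))
```

An empty report means both backports carry the same set of changes; anything listed under one side only is a hunk to re-read against the original patch.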
| #18 |
tag 279402 + fixed
tag 294099 + fixed
quit
This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.
Format: 1.7
Date: Wed, 11 May 2005 00:29:04 +0200
Source: lesstif1-1
Binary: lesstif-bin lesstif2 lesstif-dev lesstif2-dev lesstif-doc lesstif1
Architecture: source i386 all
Version: 1:0.93.94-11.3
Distribution: unstable
Urgency: high
Maintainer: Sam Hocevar (Debian packages) <email address hidden>
Changed-By: Matej Vela <email address hidden>
Description:
lesstif-bin - user binaries for LessTif
lesstif-dev - development library and header files for LessTif 1.2
lesstif-doc - documentation for LessTif
lesstif1 - OSF/Motif 1.2 implementation released under LGPL
lesstif2 - OSF/Motif 2.1 implementation released under LGPL
lesstif2-dev - development library and header files for LessTif 2.1
Closes: 279402 294099
Changes:
lesstif1-1 (1:0.93.94-11.3) unstable; urgency=high
.
* NMU.
* lib/Xm/LTXpm.c: Backport previous security fixes to lesstif1
(CAN-
doing the bulk of the work! Closes: #294099.
* lib/Xm-
menus. Closes: #279402.
Files:
Martin Pitt (pitti) wrote : | #19 |
> This leaves the hard and useless, but required fix of lesstif1 for Warty.
This was finally fixed as well in USN-83-2.
Debian Bug Importer (debzilla) wrote : | #20 |
Message-ID: <email address hidden>
Date: Fri, 6 May 2005 22:14:41 +0300
From: Kimmo Jukarainen <email address hidden>
To: <email address hidden>
Subject: backported fix for lesstif1
I have made a backport of CAN-2004-0914 and CAN-2005-0605 fixes for
lesstif1 available at
http://
It compiles, but is currently untested. Please review and/or test
before using.
Please feel free to send any comments about this patch to me.
-kimju
Debian Bug Importer (debzilla) wrote : | #21 |
Message-ID: <email address hidden>
Date: Tue, 10 May 2005 10:44:42 +0200
From: Matej Vela <email address hidden>
To: Kimmo Jukarainen <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: backported fix for lesstif1
tag 294099 patch
thanks
On Fri, May 06, 2005 at 10:14:41PM +0300, Kimmo Jukarainen wrote:
> I have made a backport of CAN-2004-0914 and CAN-2005-0605 fixes for
> lesstif1 available at
>
> http://
>
> It compiles, but is currently untested. Please review and/or test
> before using.
>
> Please feel free to send any comments about this patch to me.
Nice work!
I tried comparing the diffs side by side, but found it too mind-numbing, so
I went and applied the original patches independently on the premise that
we're unlikely to both make a mistake in the same place.
The result of diffing the diffs (and fixing my own numerous screwups :-) is
at <http://
* Re-added various comments and extraneous whitespace introduced by the
original patches, to provide context for future backports.
* Removed duplicate `#include <sys/types.h>'.
* _LtxpmHashTable
* _LtxpmParseValues: A part of the CAN-2004-0687-0688 patch wasn't
applied (s/BUFSIZ/& + 1/).
* OpenReadFile: Removed two leftover lines.
If you're okay with the above, I can do an NMU.
Thanks!
Matej
Debian Bug Importer (debzilla) wrote : | #22 |
Message-Id: <email address hidden>
Date: Tue, 10 May 2005 19:02:13 -0400
From: Matej Vela <email address hidden>
To: <email address hidden>
Cc: Matej Vela <email address hidden>, Sam Hocevar (Debian packages) <email address hidden>
Subject: Fixed in NMU of lesstif1-1 1:0.93.94-11.3
tag 279402 + fixed
tag 294099 + fixed
quit
This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.
Format: 1.7
Date: Wed, 11 May 2005 00:29:04 +0200
Source: lesstif1-1
Binary: lesstif-bin lesstif2 lesstif-dev lesstif2-dev lesstif-doc lesstif1
Architecture: source i386 all
Version: 1:0.93.94-11.3
Distribution: unstable
Urgency: high
Maintainer: Sam Hocevar (Debian packages) <email address hidden>
Changed-By: Matej Vela <email address hidden>
Description:
lesstif-bin - user binaries for LessTif
lesstif-dev - development library and header files for LessTif 1.2
lesstif-doc - documentation for LessTif
lesstif1 - OSF/Motif 1.2 implementation released under LGPL
lesstif2 - OSF/Motif 2.1 implementation released under LGPL
lesstif2-dev - development library and header files for LessTif 2.1
Closes: 279402 294099
Changes:
lesstif1-1 (1:0.93.94-11.3) unstable; urgency=high
.
* NMU.
* lib/Xm/LTXpm.c: Backport previous security fixes to lesstif1
(CAN-
doing the bulk of the work! Closes: #294099.
* lib/Xm-
menus. Closes: #279402.
Files:
| #23 |
Source: lesstif1-1
Source-Version: 1:0.93.94-12
We believe that the bug you reported is fixed in the latest version of
lesstif1-1, which is due to be installed in the Debian FTP archive:
lesstif-
to pool/main/
lesstif1-
to pool/main/
lesstif1-
to pool/main/
lesstif1_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sam Hocevar (Debian packages) <email address hidden> (supplier of updated lesstif1-1 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
Format: 1.7
Date: Fri, 11 Nov 2005 16:07:34 +0100
Source: lesstif1-1
Binary: lesstif-dev lesstif1
Architecture: source i386
Version: 1:0.93.94-12
Distribution: unstable
Urgency: low
Maintainer: Sam Hocevar (Debian packages) <email address hidden>
Changed-By: Sam Hocevar (Debian packages) <email address hidden>
Description:
lesstif-dev - development library and header files for LessTif 1.2
lesstif1 - OSF/Motif 1.2 implementation released under LGPL
Closes: 279402 287187 294099 298183 299236 335132
Changes:
lesstif1-1 (1:0.93.94-12) unstable; urgency=low
.
* Acknowledge previous NMUs. Thanks a million to Joey Hess and Matej Vela
for their work (Closes: #294099, #298183, #299236, #279402, #287187).
* Upstream dropped support for lesstif1. This package will generate lesstif1
binaries only. When all Debian packages have been migrated to lesstif2 it
will be discontinued.
* debian/control:
+ Set policy to 3.6.2.1.
+ Build-depend on debhelper >= 4.0.
+ No longer build-depend on autoconf, automake and libtool
(Closes: #335132).
* Rebootstrapped "." and "test".
Files:
Debian Bug Importer (debzilla) wrote : | #24 |
Message-Id: <email address hidden>
Date: Fri, 11 Nov 2005 11:17:22 -0800
From: Sam Hocevar (Debian packages) <email address hidden>
To: <email address hidden>
Subject: Bug#294099: fixed in lesstif1-1 1:0.93.94-12
Source: lesstif1-1
Source-Version: 1:0.93.94-12
We believe that the bug you reported is fixed in the latest version of
lesstif1-1, which is due to be installed in the Debian FTP archive:
lesstif-
to pool/main/
lesstif1-
to pool/main/
lesstif1-
to pool/main/
lesstif1_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sam Hocevar (Debian packages) <email address hidden> (supplier of updated lesstif1-1 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
Format: 1.7
Date: Fri, 11 Nov 2005 16:07:34 +0100
Source: lesstif1-1
Binary: lesstif-dev lesstif1
Architecture: source i386
Version: 1:0.93.94-12
Distribution: unstable
Urgency: low
Maintainer: Sam Hocevar (Debian packages) <email address hidden>
Changed-By: Sam Hocevar (Debian packages) <email address hidden>
Description:
lesstif-dev - development library and header files for LessTif 1.2
lesstif1 - OSF/Motif 1.2 implementation released under LGPL
Closes: 279402 287187 294099 298183 299236 335132
Changes:
lesstif1-1 (1:0.93.94-12) unstable; urgency=low
.
* Acknowledge previous NMUs. Thanks a million to Joey Hess and Matej Vela
for their work (Closes: #294099, #298183, #299236, #279402, #287187).
* Upstream dropped support for lesstif1. This package will generate lesstif1
binaries only. When all Debian packages have been migrated to lesstif2 it
will be discontinued.
* debian/control:
+ Set policy to 3.6.2.1.
+ Build-depend on debhelper >= 4.0.
+ No longer build-depend on autoconf, automake and libtool
(Closes: #335132).
* Rebootstrapped "." and "test".
Files:
Automatically imported from Debian bug report #294099 http://bugs.debian.org/294099