Comment 4 for bug 13557

Joey Hess (joeyh) wrote: improved patch (from ubuntu)

Ubuntu backported a fix for this hole to lesstif1. From their changelog:

  * SECURITY UPDATE: More Xpm vulnerabilities.
  * lib/Xm-2.1/Xpmcreate.c, lib/Xm-2.1/Xpmscan.c: Applied patch from
    freedesktop.org to avoid integer overflows.
  * lib/Xm/LTXpm.c: Backported patch to old lesstif1.
  * References:
    CAN-2005-0605
    https://bugs.freedesktop.org/show_bug.cgi?id=1920
    https://bugzilla.ubuntulinux.org/show_bug.cgi?id=7210

I'm not going to try to isolate the patch from their diff, as previous changes
in their diff make that difficult:

  * SECURITY UPDATE: Fix multiple Xpm vulnerabilities.
  * lib/Xm-2.1/Xpm.c: Split into several files (as upstream did for easier
    patching), applied fixes pulled from new upstream version.
    References:
    - CAN-2004-0914
    - Ubuntu #6273
    - Debian #294099
  * Added CAN numbers to previous changelog.

  * SECURITY: apply Xpm security fixes. (Closes: #1821)
  * CAN-2004-0687, CAN-2004-0688

Their diff is here:

http://security.ubuntu.com/ubuntu/pool/main/l/lesstif1-1/lesstif1-1_0.93.94-4ubuntu1.3.diff.gz

--
see shy jo