--- libxpm-3.5.12.orig/.gitignore +++ libxpm-3.5.12/.gitignore @@ -0,0 +1,78 @@ +# +# X.Org module default exclusion patterns +# The next section if for module specific patterns +# +# Do not edit the following section +# GNU Build System (Autotools) +aclocal.m4 +autom4te.cache/ +autoscan.log +ChangeLog +compile +config.guess +config.h +config.h.in +config.log +config-ml.in +config.py +config.status +config.status.lineno +config.sub +configure +configure.scan +depcomp +.deps/ +INSTALL +install-sh +.libs/ +libtool +libtool.m4 +ltmain.sh +lt~obsolete.m4 +ltoptions.m4 +ltsugar.m4 +ltversion.m4 +Makefile +Makefile.in +mdate-sh +missing +mkinstalldirs +*.pc +py-compile +stamp-h? +symlink-tree +texinfo.tex +ylwrap + +# Do not edit the following section +# Edit Compile Debug Document Distribute +*~ +*.[0-9] +*.[0-9]x +*.bak +*.bin +core +*.dll +*.exe +*-ISO*.bdf +*-JIS*.bdf +*-KOI8*.bdf +*.kld +*.ko +*.ko.cmd +*.lai +*.l[oa] +*.[oa] +*.obj +*.patch +*.so +*.pcf.gz +*.pdb +*.tar.bz2 +*.tar.gz +# +# Add & Override patterns for libXpm +# +# Edit the following section as needed +# For example, !report.pc overrides *.pc. See 'man gitignore' +# --- libxpm-3.5.12.orig/autogen.sh +++ libxpm-3.5.12/autogen.sh @@ -0,0 +1,14 @@ +#! /bin/sh + +srcdir=`dirname $0` +test -z "$srcdir" && srcdir=. + +ORIGDIR=`pwd` +cd $srcdir + +autoreconf -v --install || exit 1 +cd $ORIGDIR || exit $? + +if test -z "$NOCONFIGURE"; then + $srcdir/configure "$@" +fi --- libxpm-3.5.12.orig/cxpm/.gitignore +++ libxpm-3.5.12/cxpm/.gitignore @@ -0,0 +1,3 @@ +# Add & Override for this directory and it's subdirectories +cxpm +cxpm.po --- libxpm-3.5.12.orig/debian/README.source +++ libxpm-3.5.12/debian/README.source @@ -0,0 +1,49 @@ +------------------------------------------------------ +Quick Guide To Patching This Package For The Impatient +------------------------------------------------------ + +1. Make sure you have quilt installed +2. Unpack the package as usual with "dpkg-source -x" +3. Run the "patch" target in debian/rules +4. Create a new patch with "quilt new" (see quilt(1)) +5. Edit all the files you want to include in the patch with "quilt edit" + (see quilt(1)). +6. Write the patch with "quilt refresh" (see quilt(1)) +7. Run the "clean" target in debian/rules + +Alternatively, instead of using quilt directly, you can drop the patch in to +debian/patches and add the name of the patch to debian/patches/series. + +------------------------------------ +Guide To The X Strike Force Packages +------------------------------------ + +The X Strike Force team maintains X packages in git repositories on +git.debian.org in the pkg-xorg subdirectory. Most upstream packages +are actually maintained in git repositories as well, so they often +just need to be pulled into git.debian.org in a "upstream-*" branch. +Otherwise, the upstream sources are manually installed in the Debian +git repository. + +The .orig.tar.gz upstream source file could be generated using this +"upstream-*" branch in the Debian git repository but it is actually +copied from upstream tarballs directly. + +Due to X.org being highly modular, packaging all X.org applications +as their own independent packages would have created too many Debian +packages. For this reason, some X.org applications have been grouped +into larger packages: xutils, xutils-dev, x11-apps, x11-session-utils, +x11-utils, x11-xfs-utils, x11-xkb-utils, x11-xserver-utils. +Most packages, including the X.org server itself and all libraries +and drivers are, however maintained independently. + +The Debian packaging is added by creating the "debian-*" git branch +which contains the aforementioned "upstream-*" branch plus the debian/ +repository files. +When a patch has to be applied to the Debian package, two solutions +are involved: +* If the patch is available in one of the upstream branches, it + may be git'cherry-picked into the Debian repository. In this + case, it appears directly in the .diff.gz. +* Otherwise, the patch is added to debian/patches/ which is managed + with quilt as documented in /usr/share/doc/quilt/README.source. --- libxpm-3.5.12.orig/debian/changelog +++ libxpm-3.5.12/debian/changelog @@ -0,0 +1,280 @@ +libxpm (1:3.5.12-1ubuntu0.20.04.2) focal-security; urgency=medium + + * SECURITY UPDATE: stack exhaustion from infinite recursion in + PutSubImage() in libx11 + - d/p/0004-test-Add-test-case-for-CVE-2023-43786-stack-exhausti.patch + - d/p/0005-Avoid-CVE-2023-43786-stack-exhaustion-in-XPutImage.patch + - CVE-2023-43786 + * SECURITY UPDATE: integer overflow in XCreateImage() leading to a heap + overflow in libx11 + - d/p/0006-test-Add-test-case-for-CVE-2023-43787-integer-overfl.patch + - d/p/0007-Avoid-CVE-2023-43787-integer-overflow-in-XCreateImag.patch + - CVE-2023-43787 + * SECURITY UPDATE: out of bounds read in XpmCreateXpmImageFromBuffer() + - d/p/0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch + - CVE-2023-43788 + * SECURITY UPDATE: out of bounds read on XPM with corrupted colormap + - d/p/0003-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch + - CVE-2023-43789 + + -- Marc Deslauriers Mon, 02 Oct 2023 16:12:10 -0400 + +libxpm (1:3.5.12-1ubuntu0.20.04.1) focal-security; urgency=medium + + * SECURITY UPDATE: CPU-consuming loop on width of 0 + - debian/patches/CVE-2022-44617-1.patch: add extra checks to + src/data.c, src/parse.c. + - debian/patches/CVE-2022-44617-2.patch: prevent a double free in the + error code path in src/create.c. + - CVE-2022-44617 + * SECURITY UPDATE: Infinite loop on unclosed comments + - debian/patches/CVE-2022-46285.patch: handle unclosed comments in + src/data.c. + - CVE-2022-46285 + * SECURITY UPDATE: compression commands depend on $PATH + - debian/patches/CVE-2022-4883.patch: don't rely on $PATH to find the + commands in src/RdFToI.c, src/WrFFrI.c. + - CVE-2022-4883 + + -- Marc Deslauriers Mon, 16 Jan 2023 12:56:25 -0500 + +libxpm (1:3.5.12-1) unstable; urgency=medium + + [ Andreas Boll ] + * New upstream release. + * Let uscan verify tarball signatures. + * Improve package description (Closes: #646992). Thanks, Justin B + Rye! + * Switch URLs to https. + * Remove obsolete xsfbs. + * Add placeholder comment into series file. + * Bump debhelper compat to 10. + - Drop build-deps on dh-autoreconf, automake and libtool. + * Stop passing --disable-silent-rules to configure, debhelper does + that for a while. + * Drop no longer needed dpkg-dev versioned build-dependency. + + [ Emilio Pozuelo Monfort ] + * Switch to -dbgsym packages. + + -- Emilio Pozuelo Monfort Thu, 22 Dec 2016 17:17:47 +0100 + +libxpm (1:3.5.11-1) unstable; urgency=medium + + * New upstream release. + * Rewrite debian/rules using dh, bump compat to 9, drop xsfbs. + * Remove Cyril from Uploaders. + * Bump x11proto-core-dev build-dep per configure.ac. + * Disable silent build rules. + * Override gzip-file-is-not-multi-arch-same-safe for xpm.PS.gz. + + -- Julien Cristau Sun, 13 Jul 2014 12:24:10 +0200 + +libxpm (1:3.5.10-1) unstable; urgency=low + + * Clean up libtool m4 files. + * Revert to shipping the doc as PS instead of PDF, so libxpm-dev can be + Multi-Arch: same. Thanks to Jakub Wilk. + * New upstream release. + * Bump debhelper build-dep to 8.1.3 for ${misc:Pre-Depends}. + + -- Julien Cristau Sat, 21 Apr 2012 11:21:07 +0200 + +libxpm (1:3.5.9-4) unstable; urgency=low + + * Exclude xpmutils from the debug package so it really is multi-arch safe + (closes: #646960). Thanks, Jakub Wilk! + * Don't require fakeroot for debian/rules clean. + * Replace the change from 1:3.5.9-3 with the equivalent fix committed + upstream. + + -- Julien Cristau Mon, 31 Oct 2011 16:41:44 +0100 + +libxpm (1:3.5.9-3) unstable; urgency=low + + * Apply patch from Ubuntu to fix build failure when using ld --no-add- + needed. Closes: #604494. + + -- Steve Langasek Fri, 21 Oct 2011 20:21:48 -0700 + +libxpm (1:3.5.9-2) unstable; urgency=low + + [ Cyril Brulebois ] + * Build xpm.pdf from xpm.PS.gz, and use debian/libxpm-dev.docs to + install it. That's the only available documentation we've got, so + let's ship it (Closes: #466081). + * Add ghostscript build-dep, for ps2pdf. + * Fix typo in long descriptions: specificied → specified. + + [ Julien Cristau ] + * Remove David from Uploaders. + * Drop Pre-Depends on x11-common, only needed for upgrades from the + monolith. + * Drop Replaces on xbase-clients 6.8.x. + + [ Steve Langasek ] + * Build for multiarch. + + -- Steve Langasek Fri, 21 Oct 2011 15:24:28 -0700 + +libxpm (1:3.5.9-1) unstable; urgency=low + + [ Julien Cristau ] + * Remove myself from Uploaders. + * Rename the build directory to not include DEB_BUILD_GNU_TYPE for no + good reason. Thanks, Colin Watson! + + [ Cyril Brulebois ] + * New upstrem release. + * Bump xutils-dev build-dep for new macros. + * Update debian/copyright from upstream COPYING. + * Drop debian/libxpm-dev.docs, xpm.PS is gone. + * Switch from --list-missing to --fail-missing for additional safety. + * Exclude libXpm.la from dh_install accordingly. + * Add myself to Uploaders. + + -- Cyril Brulebois Fri, 19 Nov 2010 10:59:03 +0100 + +libxpm (1:3.5.8-1) unstable; urgency=low + + [ Timo Aaltonen ] + * New upstream release. + * Bump the build-dep on xutils-dev (>= 1:7.5~1). + + [ Julien Cristau ] + * Bump Standards-Version to 3.8.3. + + -- Julien Cristau Wed, 25 Nov 2009 19:31:08 +0100 + +libxpm (1:3.5.7-2) unstable; urgency=low + + [ Julien Cristau ] + * Drop -1 debian revisions from build-deps. + * Bump Standards-Version to 3.7.3. + * Drop the XS- prefix from Vcs-* control fields. + * libxpm4{,-dbg} don't need to depend on x11-common. + * Add xpm.PS.gz to the -dev package (closes: #525551). + * Don't handle nostrip in DEB_BUILD_OPTIONS explicitly, dh_strip does the + right thing. + * Use filter instead of findstring to parse DEB_BUILD_OPTIONS in + debian/rules. + * Add README.source, bump Standards-Version to 3.8.1. + * Run autoreconf at build time. + * Allow parallel builds. + * Move -dbg package to new debug section. + * Don't pass -l and -L options to dh_shlibdeps, it seems to be useless + nowadays. + + [ Brice Goglin ] + * Add a link to www.X.org and a reference to the upstream module + in the long description. + + -- Julien Cristau Wed, 10 Jun 2009 14:59:30 +0200 + +libxpm (1:3.5.7-1) unstable; urgency=low + + * New upstream release. + * Add the upstream URL to debian/copyright. + * Use binary:Version instead of the deprecated Source-Version. + * Add myself to uploaders, and remove Branden with his permission. + + -- Julien Cristau Sat, 25 Aug 2007 10:50:50 +0200 + +libxpm (1:3.5.6-3) unstable; urgency=low + + * Put binary packages in the correct sections. + * Run dh_shlibdeps with -L libxpm4 -l debian/libxpm4/usr/lib so xpmutils + gets a dependency on libxpm4. Fixes bug noticed by checklib. + + -- Julien Cristau Mon, 21 May 2007 17:35:32 +0200 + +libxpm (1:3.5.6-2) unstable; urgency=low + + * Upload to unstable. + * Add XS-Vcs-Browser. + * Remove Fabio from Uploaders, with his permission. + + -- Julien Cristau Wed, 11 Apr 2007 16:31:32 +0200 + +libxpm (1:3.5.6-1) experimental; urgency=low + + * New upstream release. + * Add XS-Vcs-Git header to debian/control. + * Drop obsolete CVS information from the long descriptions. + * Install the upstream changelog. + + -- Julien Cristau Fri, 16 Feb 2007 16:24:44 +0100 + +libxpm (1:3.5.5-2) unstable; urgency=low + + [ Andres Salomon ] + * Test for obj-$(DEB_BUILD_GNU_TYPE) before creating it during build; + idempotency fix. + + [ Drew Parsons ] + * dbg package has priority extra. + + -- David Nusinow Wed, 30 Aug 2006 17:12:38 -0400 + +libxpm (1:3.5.5-1) experimental; urgency=low + + * New upstream release + * Run dh_install with --list-missing + * Bump debhelper compat to 5 + * Remove extra x11-common dep in the -dev package + * Version x11-common pre-dep in the -dev package to use 1:7.0.0 to match the + rest of Debian and shut lintian up + * Add the sxpm and cxpm manpages to xpm-utils + + -- David Nusinow Mon, 3 Jul 2006 19:23:49 -0400 + +libxpm (1:3.5.4.2-3) unstable; urgency=low + + * Reorder makeshlib command in rules file so that ldconfig is run + properly. Thanks Drew Parsons and Steve Langasek. + + -- David Nusinow Tue, 18 Apr 2006 21:50:00 -0400 + +libxpm (1:3.5.4.2-2) unstable; urgency=low + + * Upload to unstable + + -- David Nusinow Thu, 23 Mar 2006 22:45:13 -0500 + +libxpm (1:3.5.4.2-1) experimental; urgency=low + + * First upload to Debian + + -- David Nusinow Thu, 29 Dec 2005 20:54:06 -0500 + +libxpm (1:3.5.2-5) breezy; urgency=low + + * Add a Build-Depends on libxext-dev. For my next stunning move, I'll + actually pay attention to what I'm doing. + + -- Daniel Stone Sat, 23 Jul 2005 01:33:31 +1000 + +libxpm (1:3.5.2-4) breezy; urgency=low + + * Bump Build-Depends on libx11-dev, libxt-dev, libxext-dev and + x11proto-core-dev to avoid _XOPEN_SOURCE. + + -- Daniel Stone Sat, 23 Jul 2005 00:24:13 +1000 + +libxpm (1:3.5.2-3) breezy; urgency=low + + * Fix cat-walks-across-keyboard attack in debian/control. + + -- Daniel Stone Wed, 20 Jul 2005 21:18:57 +1000 + +libxpm (1:3.5.2-2) breezy; urgency=low + + * blah blah xpmutils Replaces: xbase-clients (<< 6.8.2-38) blah blah + + -- Daniel Stone Wed, 20 Jul 2005 18:45:27 +1000 + +libxpm (1:3.5.2-1) breezy; urgency=low + + * First libxpm release. + + -- Daniel Stone Mon, 16 May 2005 22:10:17 +1000 --- libxpm-3.5.12.orig/debian/compat +++ libxpm-3.5.12/debian/compat @@ -0,0 +1 @@ +10 --- libxpm-3.5.12.orig/debian/control +++ libxpm-3.5.12/debian/control @@ -0,0 +1,65 @@ +Source: libxpm +Section: x11 +Priority: optional +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian X Strike Force +Build-Depends: + debhelper (>= 10), + quilt, + xutils-dev (>= 1:7.5+4), + libx11-dev (>= 1:0.99.2), + libxt-dev (>= 1:0.99.1-5), + x11proto-core-dev (>= 7.0.17), + libxext-dev (>= 1:0.99.1), + pkg-config, +Standards-Version: 3.9.8 +Homepage: https://www.x.org +Vcs-Git: https://anonscm.debian.org/git/pkg-xorg/lib/libxpm.git +Vcs-Browser: https://anonscm.debian.org/git/pkg-xorg/lib/libxpm.git + +Package: libxpm4 +Section: libs +Architecture: any +Multi-Arch: same +Pre-Depends: ${misc:Pre-Depends} +Depends: + ${shlibs:Depends}, + ${misc:Depends}, +Description: X11 pixmap library + The X PixMap image format is an extension of the monochrome X BitMap + format specified in the X protocol, and is commonly used in traditional + X applications. + . + This package provides runtime support for XPM format. + +Package: libxpm-dev +Section: libdevel +Architecture: any +Multi-Arch: same +Depends: + ${shlibs:Depends}, + ${misc:Depends}, + libxpm4 (= ${binary:Version}), + libx11-dev, + x11proto-core-dev, +Description: X11 pixmap library (development headers) + The X PixMap image format is an extension of the monochrome X BitMap + format specified in the X protocol, and is commonly used in traditional + X applications. + . + This package contains the development headers for the libxpm4 library. + Non-developers likely have little use for this package. + +Package: xpmutils +Architecture: any +Pre-Depends: ${misc:Pre-Depends} +Depends: + ${shlibs:Depends}, + ${misc:Depends}, +Description: X11 pixmap utilities + The X PixMap image format is an extension of the monochrome X BitMap + format specified in the X protocol, and is commonly used in traditional + X applications. + . + This package provides two tools: cxpm (to check the integrity of an + XPM file) and sxpm (to view XPM files). --- libxpm-3.5.12.orig/debian/copyright +++ libxpm-3.5.12/debian/copyright @@ -0,0 +1,71 @@ +This package was downloaded from +https://xorg.freedesktop.org/releases/individual/lib/ + +Copyright (C) 1989-95 GROUPE BULL + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to +deal in the Software without restriction, including without limitation the +rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +sell copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +GROUPE BULL BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN +AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +Except as contained in this notice, the name of GROUPE BULL shall not be +used in advertising or otherwise to promote the sale, use or other dealings +in this Software without prior written authorization from GROUPE BULL. + +Copyright (C) 1998 Arnaud LE HORS + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to +deal in the Software without restriction, including without limitation the +rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +sell copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +Arnaud LE HORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +Except as contained in this notice, the name of Arnaud LE HORS shall not be +used in advertising or otherwise to promote the sale, use or other dealings +in this Software without prior written authorization from Arnaud LE HORS. + +Copyright (C) 19896 Lorens Younes + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to +deal in the Software without restriction, including without limitation the +rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +sell copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +Lorens Younes BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +Except as contained in this notice, the name of Lorens Younes shall not be +used in advertising or otherwise to promote the sale, use or other dealings +in this Software without prior written authorization from Lorens Younes. --- libxpm-3.5.12.orig/debian/libxpm-dev.docs +++ libxpm-3.5.12/debian/libxpm-dev.docs @@ -0,0 +1 @@ +doc/xpm.PS.gz --- libxpm-3.5.12.orig/debian/libxpm-dev.install +++ libxpm-3.5.12/debian/libxpm-dev.install @@ -0,0 +1,4 @@ +usr/include/X11/* +usr/lib/*/libXpm.a +usr/lib/*/libXpm.so +usr/lib/*/pkgconfig/xpm.pc --- libxpm-3.5.12.orig/debian/libxpm-dev.lintian-overrides +++ libxpm-3.5.12/debian/libxpm-dev.lintian-overrides @@ -0,0 +1,2 @@ +# we don't touch it, so it's the same on all archs +gzip-file-is-not-multi-arch-same-safe usr/share/doc/libxpm-dev/xpm.PS.gz --- libxpm-3.5.12.orig/debian/libxpm4.install +++ libxpm-3.5.12/debian/libxpm4.install @@ -0,0 +1 @@ +usr/lib/*/libXpm.so.4* --- libxpm-3.5.12.orig/debian/patches/0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch +++ libxpm-3.5.12/debian/patches/0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch @@ -0,0 +1,32 @@ +From 2fa554b01ef6079a9b35df9332bdc4f139ed67e0 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 29 Apr 2023 17:50:39 -0700 +Subject: [PATCH libXpm 1/7] Fix CVE-2023-43788: Out of bounds read in + XpmCreateXpmImageFromBuffer + +When the test case for CVE-2022-46285 was run with the Address Sanitizer +enabled, it found an out-of-bounds read in ParseComment() when reading +from a memory buffer instead of a file, as it continued to look for the +closing comment marker past the end of the buffer. + +Signed-off-by: Alan Coopersmith +--- + src/data.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/data.c b/src/data.c +index 7524e65..0b0f1f3 100644 +--- a/src/data.c ++++ b/src/data.c +@@ -108,7 +108,7 @@ ParseComment(xpmData *data) + n++; + s2++; + } while (c == *s2 && *s2 != '\0' && c); +- if (*s2 == '\0') { ++ if (*s2 == '\0' || c == '\0') { + /* this is the end of the comment */ + notend = 0; + data->cptr--; +-- +2.39.3 + --- libxpm-3.5.12.orig/debian/patches/0003-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch +++ libxpm-3.5.12/debian/patches/0003-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch @@ -0,0 +1,36 @@ +From 7e21cb63b9a1ca760a06cc4cd9b19bbc3fcd8f51 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 29 Apr 2023 18:30:34 -0700 +Subject: [PATCH libXpm 3/7] Fix CVE-2023-43789: Out of bounds read on XPM with + corrupted colormap + +Found with clang's libfuzzer + +Signed-off-by: Alan Coopersmith +--- + src/data.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/data.c b/src/data.c +index 0b0f1f3..6e87455 100644 +--- a/src/data.c ++++ b/src/data.c +@@ -259,13 +259,13 @@ xpmNextWord( + int c; + + if (!data->type || data->type == XPMBUFFER) { +- while (isspace(c = *data->cptr) && c != data->Eos) ++ while ((c = *data->cptr) && isspace(c) && (c != data->Eos)) + data->cptr++; + do { + c = *data->cptr++; + *buf++ = c; + n++; +- } while (!isspace(c) && c != data->Eos && n < buflen); ++ } while (c && !isspace(c) && (c != data->Eos) && (n < buflen)); + n--; + data->cptr--; + } else { +-- +2.39.3 + --- libxpm-3.5.12.orig/debian/patches/0004-test-Add-test-case-for-CVE-2023-43786-stack-exhausti.patch +++ libxpm-3.5.12/debian/patches/0004-test-Add-test-case-for-CVE-2023-43786-stack-exhausti.patch @@ -0,0 +1,322 @@ +From edb97396620f019f8d2e707ad3fbaf6bbbd5ed36 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Tue, 5 Sep 2023 17:01:58 -0700 +Subject: [PATCH libXpm 4/7] test: Add test case for CVE-2023-43786 (stack + exhaustion in PutImage) + +Provided by Yair Mizrahi of the JFrog Vulnerability Research team + +Signed-off-by: Alan Coopersmith +--- + test/pixmaps/README.md | 13 + + .../other/overflow-stackexhaustion.xpm | 277 ++++++++++++++++++ + 2 files changed, 290 insertions(+) + create mode 100644 test/pixmaps/other/overflow-stackexhaustion.xpm + +#diff --git a/test/pixmaps/README.md b/test/pixmaps/README.md +#index 4f2cbae..8f20a8b 100644 +#--- a/test/pixmaps/README.md +#+++ b/test/pixmaps/README.md +#@@ -69,3 +69,16 @@ return XpmNoMemory when parsed. +# +# - oversize.xpm - This file specifies more pixels than can be mapped in +# a 64-bit address space that already has programs & libraries mapped in. +#+ +#+other +#+----- +#+ +#+Those under the `other` subdirectory don't fit cleanly in any of the above +#+categories, and may be valid for some uses but not others, and thus can't be +#+easily used in the current test framework, but are still interesting cases. +#+ +#+- overflow-stackexhaustion.xpm - This file was provided by Yair Mizrahi of +#+ the JFrog Vulnerability Research team as a test for CVE-2023-43786. +#+ It is a valid XPM file, but is larger than fits into an X Pixmap, so +#+ should pass with many functions, but fail when used with sxpm or +#+ anything that calls through to xpmCreatePixmapFromImage(). +diff --git a/test/pixmaps/other/overflow-stackexhaustion.xpm b/test/pixmaps/other/overflow-stackexhaustion.xpm +new file mode 100644 +index 0000000..2f7eae3 +--- /dev/null ++++ b/test/pixmaps/other/overflow-stackexhaustion.xpm +@@ -0,0 +1,277 @@ ++/* XPM */ ++/* ++ * Copyright (c) 1993, 1995, Oracle and/or its affiliates. ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a ++ * copy of this software and associated documentation files (the "Software"), ++ * to deal in the Software without restriction, including without limitation ++ * the rights to use, copy, modify, merge, publish, distribute, sublicense, ++ * and/or sell copies of the Software, and to permit persons to whom the ++ * Software is furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice (including the next ++ * paragraph) shall be included in all copies or substantial portions of the ++ * Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL ++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING ++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER ++ * DEALINGS IN THE SOFTWARE. ++ */ ++static char * Dimple_pm[] = { ++/* width height ncolors cpp [x_hot y_hot] */ ++"000000090000 1 247 1 1 1", ++/* colors */ ++" s background m black c #ffffffffffff", ++". s topShadowColor m white c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++" ++ s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"} s bottomShadowColor m black c #ffffffffffff", ++"; s bottomShadowColor m black c #ffffffffffff", ++". s bottomShadowColor m black c #ffffffffffff", ++/* pixels */ ++" }; +-- +2.39.3 + --- libxpm-3.5.12.orig/debian/patches/0005-Avoid-CVE-2023-43786-stack-exhaustion-in-XPutImage.patch +++ libxpm-3.5.12/debian/patches/0005-Avoid-CVE-2023-43786-stack-exhaustion-in-XPutImage.patch @@ -0,0 +1,278 @@ +Backport of: + +From 3446b4dbf970223f16f8ea294b723fc2e86bc4c4 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Wed, 6 Sep 2023 17:34:33 -0700 +Subject: [PATCH libXpm 5/7] Avoid CVE-2023-43786: stack exhaustion in + XPutImage() + +This doesn't fix the CVE - that has to happen in libX11, this +just tries to avoid triggering it from libXpm, and saves time +in not pretending we can successfully create an X11 pixmap with +dimensions larger than the unsigned 16-bit integers used in the +X11 protocol for the dimensions. + +Reported by Yair Mizrahi of the JFrog Vulnerability Research team + +Signed-off-by: Alan Coopersmith +--- + src/CrPFrBuf.c | 28 +++++++++++++++++++++++----- + src/CrPFrDat.c | 31 +++++++++++++++++++++++-------- + src/CrPFrI.c | 9 ++++++++- + src/RdFToP.c | 28 +++++++++++++++++++++++----- + src/XpmI.h | 2 +- + src/create.c | 28 +++++++++++++++++++++++----- + 6 files changed, 101 insertions(+), 25 deletions(-) + +--- a/src/CrPFrBuf.c ++++ b/src/CrPFrBuf.c +@@ -46,7 +46,7 @@ XpmCreatePixmapFromBuffer( + Pixmap *shapemask_return, + XpmAttributes *attributes) + { +- XImage *ximage, *shapeimage; ++ XImage *ximage = NULL, *shapeimage = NULL; + int ErrorStatus; + + /* initialize return values */ +@@ -63,16 +63,34 @@ XpmCreatePixmapFromBuffer( + attributes); + + if (ErrorStatus < 0) /* fatal error */ +- return (ErrorStatus); ++ goto cleanup; + + /* create the pixmaps and destroy images */ + if (pixmap_return && ximage) { +- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); +- XDestroyImage(ximage); ++ ErrorStatus = ++ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); ++ if (ErrorStatus < 0) /* fatal error */ ++ goto cleanup; + } + if (shapemask_return && shapeimage) { +- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); ++ ErrorStatus = ++ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); ++ } ++ ++ cleanup: ++ if (ximage != NULL) ++ XDestroyImage(ximage); ++ if (shapeimage != NULL) + XDestroyImage(shapeimage); ++ if (ErrorStatus < 0) { ++ if (pixmap_return && *pixmap_return) { ++ XFreePixmap(display, *pixmap_return); ++ *pixmap_return = 0; ++ } ++ if (shapemask_return && *shapemask_return) { ++ XFreePixmap(display, *shapemask_return); ++ *shapemask_return = 0; ++ } + } + return (ErrorStatus); + } +--- a/src/CrPFrDat.c ++++ b/src/CrPFrDat.c +@@ -46,7 +46,7 @@ XpmCreatePixmapFromData( + Pixmap *shapemask_return, + XpmAttributes *attributes) + { +- XImage *ximage, *shapeimage; ++ XImage *ximage = NULL, *shapeimage = NULL; + int ErrorStatus; + + /* initialize return values */ +@@ -63,19 +63,34 @@ XpmCreatePixmapFromData( + attributes); + + if (ErrorStatus != XpmSuccess) +- return (ErrorStatus); +- +- if (ErrorStatus < 0) /* fatal error */ +- return (ErrorStatus); ++ goto cleanup; + + /* create the pixmaps and destroy images */ + if (pixmap_return && ximage) { +- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); +- XDestroyImage(ximage); ++ ErrorStatus = ++ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); ++ if (ErrorStatus < 0) /* fatal error */ ++ goto cleanup; + } + if (shapemask_return && shapeimage) { +- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); ++ ErrorStatus = ++ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); ++ } ++ ++ cleanup: ++ if (ximage != NULL) ++ XDestroyImage(ximage); ++ if (shapeimage != NULL) + XDestroyImage(shapeimage); ++ if (ErrorStatus < 0) { ++ if (pixmap_return && *pixmap_return) { ++ XFreePixmap(display, *pixmap_return); ++ *pixmap_return = 0; ++ } ++ if (shapemask_return && *shapemask_return) { ++ XFreePixmap(display, *shapemask_return); ++ *shapemask_return = 0; ++ } + } + return (ErrorStatus); + } +--- a/src/CrPFrI.c ++++ b/src/CrPFrI.c +@@ -37,7 +37,7 @@ + #endif + #include "XpmI.h" + +-void ++int + xpmCreatePixmapFromImage( + Display *display, + Drawable d, +@@ -47,6 +47,11 @@ xpmCreatePixmapFromImage( + GC gc; + XGCValues values; + ++ /* X Pixmaps are limited to unsigned 16-bit height/width */ ++ if ((ximage->width > UINT16_MAX) || (ximage->height > UINT16_MAX)) { ++ return XpmNoMemory; ++ } ++ + *pixmap_return = XCreatePixmap(display, d, ximage->width, + ximage->height, ximage->depth); + /* set fg and bg in case we have an XYBitmap */ +@@ -59,4 +64,6 @@ xpmCreatePixmapFromImage( + ximage->width, ximage->height); + + XFreeGC(display, gc); ++ ++ return XpmSuccess; + } +--- a/src/RdFToP.c ++++ b/src/RdFToP.c +@@ -46,7 +46,7 @@ XpmReadFileToPixmap( + Pixmap *shapemask_return, + XpmAttributes *attributes) + { +- XImage *ximage, *shapeimage; ++ XImage *ximage = NULL, *shapeimage = NULL; + int ErrorStatus; + + /* initialize return values */ +@@ -62,16 +62,34 @@ XpmReadFileToPixmap( + attributes); + + if (ErrorStatus < 0) /* fatal error */ +- return (ErrorStatus); ++ goto cleanup; + + /* create the pixmaps and destroy images */ + if (pixmap_return && ximage) { +- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); +- XDestroyImage(ximage); ++ ErrorStatus = ++ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); ++ if (ErrorStatus < 0) /* fatal error */ ++ goto cleanup; + } + if (shapemask_return && shapeimage) { +- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); ++ ErrorStatus = ++ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); ++ } ++ ++ cleanup: ++ if (ximage != NULL) ++ XDestroyImage(ximage); ++ if (shapeimage != NULL) + XDestroyImage(shapeimage); ++ if (ErrorStatus < 0) { ++ if (pixmap_return && *pixmap_return) { ++ XFreePixmap(display, *pixmap_return); ++ *pixmap_return = 0; ++ } ++ if (shapemask_return && *shapemask_return) { ++ XFreePixmap(display, *shapemask_return); ++ *shapemask_return = 0; ++ } + } + return (ErrorStatus); + } +--- a/src/XpmI.h ++++ b/src/XpmI.h +@@ -52,6 +52,7 @@ + #include + #include + #include ++#include + /* stdio.h doesn't declare popen on a Sequent DYNIX OS */ + #ifdef sequent + extern FILE *popen(); +@@ -188,7 +189,7 @@ FUNC(xpmSetAttributes, void, (XpmAttribu + XpmInfo *info)); + + #if !defined(FOR_MSW) && !defined(AMIGA) +-FUNC(xpmCreatePixmapFromImage, void, (Display *display, Drawable d, ++FUNC(xpmCreatePixmapFromImage, int, (Display *display, Drawable d, + XImage *ximage, Pixmap *pixmap_return)); + + FUNC(xpmCreateImageFromPixmap, void, (Display *display, Pixmap pixmap, +--- a/src/create.c ++++ b/src/create.c +@@ -1652,7 +1652,7 @@ XpmCreatePixmapFromXpmImage( + Pixmap *shapemask_return, + XpmAttributes *attributes) + { +- XImage *ximage, *shapeimage; ++ XImage *ximage = NULL, *shapeimage = NULL; + int ErrorStatus; + + /* initialize return values */ +@@ -1668,16 +1668,34 @@ XpmCreatePixmapFromXpmImage( + &shapeimage : NULL), + attributes); + if (ErrorStatus < 0) +- return (ErrorStatus); ++ goto cleanup; + + /* create the pixmaps and destroy images */ + if (pixmap_return && ximage) { +- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); +- XDestroyImage(ximage); ++ ErrorStatus = ++ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return); ++ if (ErrorStatus < 0) /* fatal error */ ++ goto cleanup; + } + if (shapemask_return && shapeimage) { +- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); ++ ErrorStatus = ++ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return); ++ } ++ ++ cleanup: ++ if (ximage != NULL) ++ XDestroyImage(ximage); ++ if (shapeimage != NULL) + XDestroyImage(shapeimage); ++ if (ErrorStatus < 0) { ++ if (pixmap_return && *pixmap_return) { ++ XFreePixmap(display, *pixmap_return); ++ *pixmap_return = 0; ++ } ++ if (shapemask_return && *shapemask_return) { ++ XFreePixmap(display, *shapemask_return); ++ *shapemask_return = 0; ++ } + } + return (ErrorStatus); + } --- libxpm-3.5.12.orig/debian/patches/0006-test-Add-test-case-for-CVE-2023-43787-integer-overfl.patch +++ libxpm-3.5.12/debian/patches/0006-test-Add-test-case-for-CVE-2023-43787-integer-overfl.patch @@ -0,0 +1,71 @@ +From ec92147890b7985756d8917c25363777de4599fe Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Thu, 7 Sep 2023 16:55:25 -0700 +Subject: [PATCH libXpm 6/7] test: Add test case for CVE-2023-43787 (integer + overflow in XCreateImage) + +Provided by Yair Mizrahi of the JFrog Vulnerability Research team + +Signed-off-by: Alan Coopersmith +--- + test/pixmaps/README.md | 5 ++++ + test/pixmaps/invalid/width-overflow.xpm | 31 +++++++++++++++++++++++++ + 2 files changed, 36 insertions(+) + create mode 100644 test/pixmaps/invalid/width-overflow.xpm + +#diff --git a/test/pixmaps/README.md b/test/pixmaps/README.md +#index 8f20a8b..97dd144 100644 +#--- a/test/pixmaps/README.md +#+++ b/test/pixmaps/README.md +#@@ -61,6 +61,11 @@ return XpmFileInvalid when parsed. +# - corrupt-colormap.xpm - This file was generated by the clang libfuzzer, +# and serves as a test for CVE-2023-43789 +# +#+- width-overflow.xpm - This file was provided by Yair Mizrahi of +#+ the JFrog Vulnerability Research team as a test for CVE-2023-43787. +#+ Its width causes an integer overflow when multiplied by a depth of 4 bytes +#+ (32-bits) when using 32-bit ints. +#+ +# no-mem +# ------ +# +diff --git a/test/pixmaps/invalid/width-overflow.xpm b/test/pixmaps/invalid/width-overflow.xpm +new file mode 100644 +index 0000000..114cb7b +--- /dev/null ++++ b/test/pixmaps/invalid/width-overflow.xpm +@@ -0,0 +1,31 @@ ++/* XPM */ ++/* ++ * Copyright (c) 1993, 1995, Oracle and/or its affiliates. ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a ++ * copy of this software and associated documentation files (the "Software"), ++ * to deal in the Software without restriction, including without limitation ++ * the rights to use, copy, modify, merge, publish, distribute, sublicense, ++ * and/or sell copies of the Software, and to permit persons to whom the ++ * Software is furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice (including the next ++ * paragraph) shall be included in all copies or substantial portions of the ++ * Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL ++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING ++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER ++ * DEALINGS IN THE SOFTWARE. ++ */ ++static char * Dimple_pm[] = { ++/* width height ncolors cpp [x_hot y_hot] */ ++"536871019 1 2 1 1 1", ++/* colors */ ++" c #40a100", ++". c #434241", ++/* pixels */ ++" .................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... +-- +2.39.3 + --- libxpm-3.5.12.orig/debian/patches/0007-Avoid-CVE-2023-43787-integer-overflow-in-XCreateImag.patch +++ libxpm-3.5.12/debian/patches/0007-Avoid-CVE-2023-43787-integer-overflow-in-XCreateImag.patch @@ -0,0 +1,36 @@ +From 3bc3d486bcdb1d95bcb0ebc7d6fe5a18dc4eee95 Mon Sep 17 00:00:00 2001 +From: Yair Mizrahi +Date: Thu, 7 Sep 2023 16:59:07 -0700 +Subject: [PATCH libXpm 7/7] Avoid CVE-2023-43787 (integer overflow in + XCreateImage) + +This doesn't fix the CVE - that has to happen in libX11, this +just tries to avoid triggering it from libXpm, and saves time +in not pretending we can successfully create an X Image for +which the width * depth would overflow the signed int used to +store the bytes_per_line value. + +Signed-off-by: Alan Coopersmith +--- + src/create.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/create.c b/src/create.c +index ec562b2..b8c80d2 100644 +--- a/src/create.c ++++ b/src/create.c +@@ -997,6 +997,11 @@ CreateXImage( + *image_return = NULL; + return XpmNoMemory; + } ++ if (width != 0 && (*image_return)->bits_per_pixel >= INT_MAX / width) { ++ XDestroyImage(*image_return); ++ *image_return = NULL; ++ return XpmNoMemory; ++ } + /* now that bytes_per_line must have been set properly alloc data */ + if((*image_return)->bytes_per_line == 0 || height == 0) { + XDestroyImage(*image_return); +-- +2.39.3 + --- libxpm-3.5.12.orig/debian/patches/CVE-2022-44617-1.patch +++ libxpm-3.5.12/debian/patches/CVE-2022-44617-1.patch @@ -0,0 +1,144 @@ +From 198839ca64dc117b35339f38c83d483ab6b561b6 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 7 Jan 2023 12:44:28 -0800 +Subject: [PATCH libXpm 4/5] Fix CVE-2022-44617: Runaway loop with width of 0 + and enormous height + +When reading XPM images from a file with libXpm 3.5.14 or older, if a +image has a width of 0 and a very large height, the ParsePixels() function +will loop over the entire height calling getc() and ungetc() repeatedly, +or in some circumstances, may loop seemingly forever, which may cause a +denial of service to the calling program when given a small crafted XPM +file to parse. + +Closes: #2 + +Reported-by: Martin Ettl +Signed-off-by: Alan Coopersmith +--- + src/data.c | 20 ++++++++++++++------ + src/parse.c | 31 +++++++++++++++++++++++++++---- + 2 files changed, 41 insertions(+), 10 deletions(-) + +--- a/src/data.c ++++ b/src/data.c +@@ -191,19 +191,23 @@ xpmNextString(xpmData *data) + register char c; + + /* get to the end of the current string */ +- if (data->Eos) +- while ((c = *data->cptr++) && c != data->Eos); ++ if (data->Eos) { ++ while ((c = *data->cptr++) && c != data->Eos && c != '\0'); ++ ++ if (c == '\0') ++ return XpmFileInvalid; ++ } + + /* + * then get to the beginning of the next string looking for possible + * comment + */ + if (data->Bos) { +- while ((c = *data->cptr++) && c != data->Bos) ++ while ((c = *data->cptr++) && c != data->Bos && c != '\0') + if (data->Bcmt && c == data->Bcmt[0]) + ParseComment(data); + } else if (data->Bcmt) { /* XPM2 natural */ +- while ((c = *data->cptr++) == data->Bcmt[0]) ++ while (((c = *data->cptr++) == data->Bcmt[0]) && c != '\0') + ParseComment(data); + data->cptr--; + } +@@ -212,9 +216,13 @@ xpmNextString(xpmData *data) + FILE *file = data->stream.file; + + /* get to the end of the current string */ +- if (data->Eos) ++ if (data->Eos) { + while ((c = Getc(data, file)) != data->Eos && c != EOF); + ++ if (c == EOF) ++ return XpmFileInvalid; ++ } ++ + /* + * then get to the beginning of the next string looking for possible + * comment +@@ -230,7 +238,7 @@ xpmNextString(xpmData *data) + Ungetc(data, c, file); + } + } +- return 0; ++ return XpmSuccess; + } + + +--- a/src/parse.c ++++ b/src/parse.c +@@ -391,6 +391,13 @@ ParsePixels( + { + unsigned int *iptr, *iptr2 = NULL; /* found by Egbert Eich */ + unsigned int a, x, y; ++ int ErrorStatus; ++ ++ if ((width == 0) && (height != 0)) ++ return (XpmFileInvalid); ++ ++ if ((height == 0) && (width != 0)) ++ return (XpmFileInvalid); + + if ((height > 0 && width >= UINT_MAX / height) || + width * height >= UINT_MAX / sizeof(unsigned int)) +@@ -428,7 +435,11 @@ ParsePixels( + colidx[(unsigned char)colorTable[a].string[0]] = a + 1; + + for (y = 0; y < height; y++) { +- xpmNextString(data); ++ ErrorStatus = xpmNextString(data); ++ if (ErrorStatus != XpmSuccess) { ++ XpmFree(iptr2); ++ return (ErrorStatus); ++ } + for (x = 0; x < width; x++, iptr++) { + int c = xpmGetC(data); + +@@ -475,7 +486,11 @@ do \ + } + + for (y = 0; y < height; y++) { +- xpmNextString(data); ++ ErrorStatus = xpmNextString(data); ++ if (ErrorStatus != XpmSuccess) { ++ XpmFree(iptr2); ++ return (ErrorStatus); ++ } + for (x = 0; x < width; x++, iptr++) { + int cc1 = xpmGetC(data); + if (cc1 > 0 && cc1 < 256) { +@@ -515,7 +530,11 @@ do \ + xpmHashAtom *slot; + + for (y = 0; y < height; y++) { +- xpmNextString(data); ++ ErrorStatus = xpmNextString(data); ++ if (ErrorStatus != XpmSuccess) { ++ XpmFree(iptr2); ++ return (ErrorStatus); ++ } + for (x = 0; x < width; x++, iptr++) { + for (a = 0, s = buf; a < cpp; a++, s++) { + int c = xpmGetC(data); +@@ -535,7 +554,11 @@ do \ + } + } else { + for (y = 0; y < height; y++) { +- xpmNextString(data); ++ ErrorStatus = xpmNextString(data); ++ if (ErrorStatus != XpmSuccess) { ++ XpmFree(iptr2); ++ return (ErrorStatus); ++ } + for (x = 0; x < width; x++, iptr++) { + for (a = 0, s = buf; a < cpp; a++, s++) { + int c = xpmGetC(data); --- libxpm-3.5.12.orig/debian/patches/CVE-2022-44617-2.patch +++ libxpm-3.5.12/debian/patches/CVE-2022-44617-2.patch @@ -0,0 +1,39 @@ +From 1b01c4424bec256116f8e8283430eb241e3f5d99 Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 12 Jan 2023 15:05:39 +1000 +Subject: [PATCH libXpm] Prevent a double free in the error code path + +xpmParseDataAndCreate() calls XDestroyImage() in the error path. +Reproducible with sxpm "zero-width.xpm", that file is in the test/ +directory. + +The same approach is needed in the bytes_per_line == 0 condition though +here it just plugs a memory leak. +--- + src/create.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/create.c b/src/create.c +index 4a85c78..f92ffef 100644 +--- a/src/create.c ++++ b/src/create.c +@@ -994,11 +994,15 @@ CreateXImage( + #if !defined(FOR_MSW) && !defined(AMIGA) + if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) { + XDestroyImage(*image_return); ++ *image_return = NULL; + return XpmNoMemory; + } + /* now that bytes_per_line must have been set properly alloc data */ +- if((*image_return)->bytes_per_line == 0 || height == 0) ++ if((*image_return)->bytes_per_line == 0 || height == 0) { ++ XDestroyImage(*image_return); ++ *image_return = NULL; + return XpmNoMemory; ++ } + (*image_return)->data = + (char *) XpmMalloc((*image_return)->bytes_per_line * height); + +-- +2.39.0 + --- libxpm-3.5.12.orig/debian/patches/CVE-2022-46285.patch +++ libxpm-3.5.12/debian/patches/CVE-2022-46285.patch @@ -0,0 +1,37 @@ +From 4636007dd4cebca8ee10738a7833f629d8687529 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 17 Dec 2022 12:23:45 -0800 +Subject: [PATCH libXpm 2/5] Fix CVE-2022-46285: Infinite loop on unclosed + comments + +When reading XPM images from a file with libXpm 3.5.14 or older, if a +comment in the file is not closed (i.e. a C-style comment starts with +"/*" and is missing the closing "*/"), the ParseComment() function will +loop forever calling getc() to try to read the rest of the comment, +failing to notice that it has returned EOF, which may cause a denial of +service to the calling program. + +Reported-by: Marco Ivaldi +Signed-off-by: Alan Coopersmith +--- + src/data.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/data.c b/src/data.c +index 898889c..bfad4ff 100644 +--- a/src/data.c ++++ b/src/data.c +@@ -174,6 +174,10 @@ ParseComment(xpmData *data) + notend = 0; + Ungetc(data, *s, file); + } ++ else if (c == EOF) { ++ /* hit end of file before the end of the comment */ ++ return XpmFileInvalid; ++ } + } + return 0; + } +-- +2.15.2 + --- libxpm-3.5.12.orig/debian/patches/CVE-2022-4883.patch +++ libxpm-3.5.12/debian/patches/CVE-2022-4883.patch @@ -0,0 +1,87 @@ +Simplified backport of: + +From 082a080672c3b8a964aa8100bee41930e12b03fa Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Fri, 6 Jan 2023 12:50:48 -0800 +Subject: [PATCH libXpm 5/5] Fix CVE-2022-4883: compression commands depend on + $PATH + +By default, on all platforms except MinGW, libXpm will detect if a +filename ends in .Z or .gz, and will when reading such a file fork off +an uncompress or gunzip command to read from via a pipe, and when +writing such a file will fork off a compress or gzip command to write +to via a pipe. + +In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH +to find the commands. If libXpm is called from a program running with +raised privileges, such as via setuid, then a malicious user could set +$PATH to include programs of their choosing to be run with those +privileges. + +Signed-off-by: Alan Coopersmith +--- + README.md | 12 ++++++++++++ + configure.ac | 14 ++++++++++++++ + src/RdFToI.c | 17 ++++++++++++++--- + src/WrFFrI.c | 4 ++-- + 4 files changed, 42 insertions(+), 5 deletions(-) + +--- a/src/RdFToI.c ++++ b/src/RdFToI.c +@@ -43,6 +43,7 @@ + #include + #include + #include ++#include + #else + #ifdef FOR_MSW + #include +@@ -161,7 +162,17 @@ xpmPipeThrough( + goto err; + if ( 0 == pid ) + { +- execlp(cmd, cmd, arg1, (char *)NULL); ++#ifdef HAVE_CLOSEFROM ++ closefrom(3); ++#elif defined(HAVE_CLOSE_RANGE) ++# ifdef CLOSE_RANGE_UNSHARE ++# define close_range_flags CLOSE_RANGE_UNSHARE ++# else ++# define close_range_flags 0 ++#endif ++ close_range(3, ~0U, close_range_flags); ++#endif ++ execl(cmd, cmd, arg1, (char *)NULL); + perror(cmd); + goto err; + } +@@ -235,12 +246,12 @@ OpenReadFile( + if ( ext && !strcmp(ext, ".Z") ) + { + mdata->type = XPMPIPE; +- mdata->stream.file = xpmPipeThrough(fd, "uncompress", "-c", "r"); ++ mdata->stream.file = xpmPipeThrough(fd, "/usr/bin/uncompress", "-c", "r"); + } + else if ( ext && !strcmp(ext, ".gz") ) + { + mdata->type = XPMPIPE; +- mdata->stream.file = xpmPipeThrough(fd, "gunzip", "-qc", "r"); ++ mdata->stream.file = xpmPipeThrough(fd, "/usr/bin/gzip", "-dqc", "r"); + } + else + #endif /* z-files */ +--- a/src/WrFFrI.c ++++ b/src/WrFFrI.c +@@ -336,10 +336,10 @@ OpenWriteFile( + #ifndef NO_ZPIPE + len = strlen(filename); + if (len > 2 && !strcmp(".Z", filename + (len - 2))) { +- mdata->stream.file = xpmPipeThrough(fd, "compress", NULL, "w"); ++ mdata->stream.file = xpmPipeThrough(fd, "/usr/bin/compress", NULL, "w"); + mdata->type = XPMPIPE; + } else if (len > 3 && !strcmp(".gz", filename + (len - 3))) { +- mdata->stream.file = xpmPipeThrough(fd, "gzip", "-q", "w"); ++ mdata->stream.file = xpmPipeThrough(fd, "/usr/bin/gzip", "-q", "w"); + mdata->type = XPMPIPE; + } else + #endif --- libxpm-3.5.12.orig/debian/patches/series +++ libxpm-3.5.12/debian/patches/series @@ -0,0 +1,11 @@ +# placeholder +CVE-2022-44617-1.patch +CVE-2022-44617-2.patch +CVE-2022-46285.patch +CVE-2022-4883.patch +0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch +0003-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch +0004-test-Add-test-case-for-CVE-2023-43786-stack-exhausti.patch +0005-Avoid-CVE-2023-43786-stack-exhaustion-in-XPutImage.patch +0006-test-Add-test-case-for-CVE-2023-43787-integer-overfl.patch +0007-Avoid-CVE-2023-43787-integer-overflow-in-XCreateImag.patch --- libxpm-3.5.12.orig/debian/rules +++ libxpm-3.5.12/debian/rules @@ -0,0 +1,7 @@ +#!/usr/bin/make -f + +%: + dh $@ --with quilt --builddirectory=build/ + +override_dh_install: + dh_install --fail-missing -XlibXpm.la --- libxpm-3.5.12.orig/debian/upstream/signing-key.asc +++ libxpm-3.5.12/debian/upstream/signing-key.asc @@ -0,0 +1,64 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFeKY50BEADAX0lod3IVceb/IWJn3kTAcO2P7PWlcBiyUDaq5b2kFkliKleZ +ec4LoCHakQBlkRBMPNwOOxvADNk3tLQjBDpbYr6lQIrN+AxMGkXBhJ82T3bsDvlj +3Z1wRJ1zVA7eMIktsk0FAoJxV1y7e3sBKcP0eTlXqXvR2djhi+FW+ueJDAJIFSkb +uFirgwtX5t8nt8jCmIl75KNUKOakoENY3hLWtr16W8fO1JGkEhghI2mXcz664KTd +MPZp6JH0/8UHTHzmATOCTqNxoDtMTi2l5059Lh/nhmso9moTYqyKmaJP2rnZUr62 +97sRMG4WcxaYfWpPyO3MCmDyGeh4sW0OC06PpED3i9xMzf/kMkMdY4ZIFcLRcPtf +LIJhw+lc/GE1Rqe961IB5xCgnZezB7ZIL+ZlOAMwKGkq7lLbcZr2QZn84lpABKF0 +AvxECoJ4etmIcdbDVmsw18AhA3u9sr98hS5IXDyeos3Xwz6Abml8aPrhqhkKvo+J +Kcq9FNYHg0RRlos0TqocjDzGnUjEYrmIopLcwIu2SnsNSJTygZGtqrpT+2sGEqvm +k6Oyk95QCa580zqldvxe3CG0vrAfPvoG7irllM68TS4JcqqDHTq6eupUv9ZdIzXf +eyTHa5cytGahgVtUcui1lzqcCBkqwN8TKl+0wCcEnxRasHJy3A2Gp+AG3wARAQAB +tCJNYXR0aGlldSBIZXJyYiA8bWF0dGhpZXVAaGVycmIuZXU+iQI+BBMBAgAoBQJX +imOdAhsDBQkDwmcABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBoc5PuN9Eo ++PF1EACldzZPNYaC9H5E9sMn9pMsJTucBYVUy74Aw6MWAiAzRpxb9DmySmC2oEYW +JJkwDTwv6M0Na0ed6zD79GKtAalORz2GppZpS7uoINClElWoM5TCYph6linyv9Wj +OTlcbpX0Jqw0tdHNI2UOEjvBP3vW9kVYpEhfnHET8Ncp55j1hzoqxOhGIBE/67zc +cLAenONAvA3YN3tHTGaOaFv+vuCFRJx9FpKbGHmdUPd3MtLqtaA4EQvDvDEholEI +eWrjmdXJibSet6Amc5AIdFaQevZiADjjMh8MINw/6OEy9OB4s+z1RzgOrHgLiIZm +dlP6WrNjXQwl2gmNPhctGaSHM+j2+3gckNGlI4LQYxNtKvI4iv/CoHDYmwgrcrZO +TwFHfqt0LwqjpsU203Hw609oWYcxLeGZdITBjDz20UcfsmKQDqrBq3P1FuC5GBW3 +5bEa3wAhyE+/WKhJ94bXiHmpKsp50va3bEe17uQcYd8+E8L53aR7XP87qaHx//Mu ++OQa5Wc2d1OFHf1Mi62nbzr7pws/Mf7OSf/tnhRthuwtlfYnsUVo8usUKL/xStqo +Ul4kc/Q81AlyaZfr7dbxsQWm2q3ksLaMaAxnk0p+kMXVzXZ9GKNOgUOJdbahORs5 +RU2f44xzfNavb63u3McADtaXskl+KHB4uDbGbGESVhm5PULk37QnTWF0dGhpZXUg +SGVycmIgPG1hdHRoaWV1LmhlcnJiQGxhYXMuZnI+iQI+BBMBAgAoBQJXlJ63AhsD +BQkDwmcABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBoc5PuN9Eo+PKID/wM +II+2d11clp1X7eZgkxkAHUhI2W3NSesuFnjkkQRKQoVMokDdeSOkBhMJuWoFfbZk +jYs2VHU9029rDqcoDSqGwo2IffvrXXJ4SjOTjlvXS1lr/H2VdWRbq8ImnDwSsoiD +dWB3dZyqzf7ABKZ7ccA+NMSs6NxeEN/0+0sTJ386Zp480ByNX0uPqYSq5lX/VEke +nI8r02u2ZfuykhGkT0sM013VprfYLa+6HvF+QT9KfP220mqRbonaDkYvCxwjCMzd +rUmvyqw3VsooUpg/W/PmDNeShSuOxebaGnFyGTNvTarElCBdynFD01dqOecOqfY8 +gy+PJ1aF1qjmf+RQD/SZq+gvgyXqyBhJy7zgJnzzNWzDlUIw0ZOLyZxzFR7lRV79 +2mrGgczlQr5rLAgBy2pgwsCmP7nFx50r4ft2juugnQixoOBU/YfhBplM76EROaCc +MTs5nPEqzJ9p4SNkPcK8AroR2Ka3+f7t+XOoHpx/XhJOBYlPaUmoFkWKr0Y8BWWh +1nJxyFKrSNbwUgam8ypZzwzbI1vDiX8Ol6NpEeOLwzFNT0pyTdC9UN93M1VIyKWC +1vaeMogUREKT6SmDjRn3fISktZ0IGVf2AnFMhtgZ46TJO4BZgDdZAjTkZc/lP0yF +Nl6MpGwnaymmL50ckT77OdlfIcXFwvNPFwWlFPlcyrkCDQRXimOdARAA4otssvZm +sKg+g0bVyJHhn/YOHLYMih+Xf07xJHyalH0UCGnGdHZwl0B97G950SwQ7yVXtGa9 +CAPe97clE6dPD6jaumQ13BHavXM+ThgjCe8V56ayYcdzqFkxlCx0Uocoa63G0/cE +TiOqeqhNZs8JY+D7l83jCa4lU/1pLusbkCpCQ7d5/FFLz7QSihzJWp+UTsjbNik5 +spaseEMGFRKUcB3SZ/l1dTgc0wBQ1hlvLX+h4/sG0iUs1pVpo5ORC+bUfWRokl96 +uj5QZz5rY21FaNSP1rB1HKHNkwhxifBCHQMhYGTXvD7GH+JNyF2TdRmo7eBCfAPJ +aP3mX9t2SkCipdSsUs+Uuyib9MLA71ApW90AGiRm6HtOCxR0c3+qQRNIdFVm8mnM +hCxXRexf6Z2wZdXXy6uY0LVRgI0o31NPJPk8l2Hnb/kHGxjyUFzEWh65J/eA368d +4m8uF+Rr7WWlpQjwgWHU12kGThEVFFBFh2gmeIjYZdDDVhCi2mQ6lGSV2Pt7pZYL +/PPChWLBqrVBkIUQ0GV22nRYvGdaIv2LVPu8PggbPs/wwh35nJ3rUQyJF55CFV5y +WIWAWXfRYTKG9jkt+ncjZLEBxDO26zzO/MjIVPZxGyYryXEOgr6xp38xbyX9FpjL +KBaIueLWEyphVjBb1uUpDGx+UDYe9vbJjPUAEQEAAYkCJQQYAQIADwUCV4pjnQIb +DAUJA8JnAAAKCRBoc5PuN9Eo+D8dEACa60Q3ta6BWyHG0SOgfYGHE15LodACVHNI +N6Ou+JtmLarMW/AvPclNC25mxZV0ywLbun4CnJ9qYbt/Kx7djn48mrNa0rKN8Q+V +K5RvQA1kD890yzwu5jH6r5BQ8VBcfsPvsvatgbquzFn+NNiH9U4xRf/9BSY2Zk3G +yA15xG0T9zoklOMg8MWbeRaJPkDELyaHPWerbO7rebynePENSFPz3o3g+K9WcCM2 +xkEL571SmT4z3Mp/p0pwemWBCP2WoKCnSjAGiiHpCFru3SlZhRIvNJyK5jeS/IU6 +d5qeTBse6TXzp6Q4xkzACIN66P5SG/YY3/ONbfs6wB3lIkvVC9n7jEXjMK1T0fK8 +9DBDjzvAkJcKLLuIljjkMhRWSCED74sn+MlaWm0xMeo276EnaVILNcrHecSr8+eX +pVXSWEJ1+ErzZladJC+CrqUm0QljPV8Smtmk9MvOLHZ4qL4bI4Hu7MywuGNrLSol +qO0pAT1AjaYTRuH2MhZ6mJe/EtSl0EHXEkcDteE4jbYj3lwVhA1c/So0CdayImmD +/0tdqUfekw4va8PpbQ0wroL0XUvf3wl6HOhFhahWSqqb1fVr2slVttkaMb8M4MPt +Ka2m4qiiuGYivPIAVapSEA4DYc+krVqVXV/yDd3T7XcNtnClVo+rmOn5WiGq24am +79+hF4bWyw== +=WW1Z +-----END PGP PUBLIC KEY BLOCK----- --- libxpm-3.5.12.orig/debian/watch +++ libxpm-3.5.12/debian/watch @@ -0,0 +1,4 @@ +#git=git://anongit.freedesktop.org/xorg/lib/libXpm +version=3 +opts=pgpsigurlmangle=s/$/.sig/ \ +https://xorg.freedesktop.org/releases/individual/lib/ libXpm-(.*)\.tar\.gz --- libxpm-3.5.12.orig/debian/xpmutils.install +++ libxpm-3.5.12/debian/xpmutils.install @@ -0,0 +1,4 @@ +usr/bin/cxpm +usr/bin/sxpm +usr/share/man/man1/sxpm.1 +usr/share/man/man1/cxpm.1 --- libxpm-3.5.12.orig/sxpm/.gitignore +++ libxpm-3.5.12/sxpm/.gitignore @@ -0,0 +1,3 @@ +# Add & Override for this directory and it's subdirectories +sxpm +sxpm.po