X Strike Force XFree86 SVN commit: r2157 - in branches/4.1.0/woody-proposed-updates/debian: . patches

To: debian-x@lists.debian.org
Subject: X Strike Force XFree86 SVN commit: r2157 - in branches/4.1.0/woody-proposed-updates/debian: . patches
From: X Strike Force SVN Repository Admin <branden+svnadmin@deadbeast.net>
Date: Tue, 25 Jan 2005 11:45:24 -0500 (EST)
Message-id: <[🔎] 20050125164524.4155E5C05D@necrotic.deadbeast.net>
Reply-to: debian-x@lists.debian.org

Author: branden
Date: 2005-01-25 11:45:22 -0500 (Tue, 25 Jan 2005)
New Revision: 2157

Modified:
   branches/4.1.0/woody-proposed-updates/debian/changelog
   branches/4.1.0/woody-proposed-updates/debian/patches/076_SECURITY_libXpm_vulnerabilities.diff
Log:
Update patch #076 (XPM library security fixes) to revert regressions in
functionality caused by overly aggressive validation of filespec strings
in OpenReadFile() and OpenWriteFile().  (Fixes #286164 for woody.)


Modified: branches/4.1.0/woody-proposed-updates/debian/changelog
===================================================================
--- branches/4.1.0/woody-proposed-updates/debian/changelog	2005-01-25 16:20:17 UTC (rev 2156)
+++ branches/4.1.0/woody-proposed-updates/debian/changelog	2005-01-25 16:45:22 UTC (rev 2157)
@@ -1,3 +1,11 @@
+xfree86 (4.1.0-16woody6) stable-security; urgency=low
+
+  * Update patch #076 (XPM library security fixes) to revert regressions in
+    functionality caused by overly aggressive validation of filespec strings
+    in OpenReadFile() and OpenWriteFile().  (Fixes #286164 for woody.)
+
+ -- Branden Robinson <branden@debian.org>  Tue, 25 Jan 2005 11:42:03 -0500
+
 xfree86 (4.1.0-16woody5) stable-security; urgency=low
 
   * Security update release.  Resolves the following issue:

Modified: branches/4.1.0/woody-proposed-updates/debian/patches/076_SECURITY_libXpm_vulnerabilities.diff
===================================================================
--- branches/4.1.0/woody-proposed-updates/debian/patches/076_SECURITY_libXpm_vulnerabilities.diff	2005-01-25 16:20:17 UTC (rev 2156)
+++ branches/4.1.0/woody-proposed-updates/debian/patches/076_SECURITY_libXpm_vulnerabilities.diff	2005-01-25 16:45:22 UTC (rev 2157)
@@ -113,6 +113,12 @@
 vulnerabilties found during the above-mentioned source code audit are
 collectively referred to as CAN-2004-0914.
 
+Patch updated on 2005-01-25 to revert regressions in functionality caused
+by overly aggressive validation of filespec strings in OpenReadFile() and
+OpenWriteFile().  See <URL:
+https://bugs.freedesktop.org/show_bug.cgi?id=1924 > for more information.
+(It's up to the invoking application to validate filespec strings.)
+
 This patch by Matthieu Herrb and others.
 
 diff -urN xc~/extras/Xpm/lib/Attrib.c xc/extras/Xpm/lib/Attrib.c
@@ -765,9 +771,8 @@
      ptr = (char *) XpmMalloc(len + 1);
      if (!ptr) {
  	fclose(fp);
-diff -urN xc~/extras/Xpm/lib/RdFToI.c xc/extras/Xpm/lib/RdFToI.c
---- xc~/extras/Xpm/lib/RdFToI.c	2004-12-01 23:11:42.000000000 -0500
-+++ xc/extras/Xpm/lib/RdFToI.c	2004-12-01 23:22:05.000000000 -0500
+--- xc/extras/Xpm/lib/RdFToI.c~	2005-01-25 11:36:45.000000000 -0500
++++ xc/extras/Xpm/lib/RdFToI.c	2005-01-25 11:37:44.000000000 -0500
 @@ -32,6 +32,8 @@
  *  Developed by Arnaud Le Hors                                                *
  \*****************************************************************************/
@@ -800,15 +805,14 @@
      struct stat status;
  # endif
  #endif
-@@ -139,17 +148,21 @@
+@@ -139,17 +148,20 @@
  	mdata->type = XPMFILE;
      } else {
  #ifndef NO_ZPIPE
 -	int len = strlen(filename);
 +	size_t len = strlen(filename);
 +
-+	if(len == 0                        ||
-+	   filename[len-1] == '/')
++	if (len == 0)
 +		return(XpmOpenFailed);
  	if ((len > 2) && !strcmp(".Z", filename + (len - 2))) {
  	    mdata->type = XPMPIPE;
@@ -827,7 +831,7 @@
  		return (XpmOpenFailed);
  
  	} else {
-@@ -157,19 +170,19 @@
+@@ -157,19 +169,19 @@
  	    if (!(compressfile = (char *) XpmMalloc(len + 4)))
  		return (XpmNoMemory);
  
@@ -853,7 +857,7 @@
  			XpmFree(compressfile);
  			return (XpmOpenFailed);
  		    }
-@@ -215,7 +228,7 @@
+@@ -215,7 +227,7 @@
  	break;
  #ifndef NO_ZPIPE
      case XPMPIPE:
@@ -883,9 +887,8 @@
  
      return XpmSuccess;
  }
-diff -urN xc~/extras/Xpm/lib/WrFFrI.c xc/extras/Xpm/lib/WrFFrI.c
---- xc~/extras/Xpm/lib/WrFFrI.c	2004-12-01 23:11:42.000000000 -0500
-+++ xc/extras/Xpm/lib/WrFFrI.c	2004-12-01 23:23:02.000000000 -0500
+--- xc/extras/Xpm/lib/WrFFrI.c~	2005-01-25 11:36:08.000000000 -0500
++++ xc/extras/Xpm/lib/WrFFrI.c	2005-01-25 11:38:17.000000000 -0500
 @@ -37,6 +37,8 @@
   * Lorens Younes (d93-hyo@nada.kth.se) 4/96
   */
@@ -966,17 +969,14 @@
  static int
  OpenWriteFile(filename, mdata)
      char *filename;
-@@ -312,16 +323,23 @@
+@@ -312,16 +323,20 @@
  	mdata->type = XPMFILE;
      } else {
  #ifndef NO_ZPIPE
 -	int len = strlen(filename);
 +	size_t len = strlen(filename);
 +
-+	if(len == 0                        ||
-+	   filename[0] == '/'              ||
-+	   strstr(filename, "../") != NULL ||
-+	   filename[len-1] == '/')
++	if (len == 0)
 +		return(XpmOpenFailed);
 +
  	if (len > 2 && !strcmp(".Z", filename + (len - 2))) {
@@ -995,7 +995,7 @@
  		return (XpmOpenFailed);
  
  	    mdata->type = XPMPIPE;
-@@ -352,7 +370,7 @@
+@@ -352,7 +367,7 @@
  	break;
  #ifndef NO_ZPIPE
      case XPMPIPE:

Reply to:

Prev by Date: Processed: tagging 213076, tagging 217505, tagging 266274, tagging 286667, tagging 290935
Next by Date: X Strike Force XFree86 SVN commit: r2158 - branches/4.1.0/woody-proposed-updates/debian
Previous by thread: Processed: tagging 213076, tagging 217505, tagging 266274, tagging 286667, tagging 290935
Next by thread: X Strike Force XFree86 SVN commit: r2158 - branches/4.1.0/woody-proposed-updates/debian
Index(es):
- Date
- Thread