X Strike Force XFree86 SVN commit: r2214 - in branches/4.1.0/woody/debian: . patches
Author: branden
Date: 2005-03-10 16:03:01 -0500 (Thu, 10 Mar 2005)
New Revision: 2214
Modified:
branches/4.1.0/woody/debian/changelog
branches/4.1.0/woody/debian/patches/076_SECURITY_libXpm_vulnerabilities.diff
Log:
Fix CAN-2005-0605: Xpm library's scan.c file may allow attackers to execute
arbitrary code via a negative bitmap_unit value that leads to a buffer
overflow. (Closes: #298939)
Create new changelog entry and set upload urgency to high.
Modified: branches/4.1.0/woody/debian/changelog
===================================================================
--- branches/4.1.0/woody/debian/changelog 2005-03-10 20:49:06 UTC (rev 2213)
+++ branches/4.1.0/woody/debian/changelog 2005-03-10 21:03:01 UTC (rev 2214)
@@ -1,3 +1,12 @@
+xfree86 (4.1.0-16woody6) stable-security; urgency=high
+
+ * Security update release. Resolves the following issue:
+ + CAN-2005-0605: Xpm library's scan.c file may allow attackers to execute
+ arbitrary code via a negative bitmap_unit value that leads to a buffer
+ overflow. (Closes: #298939)
+
+ -- Branden Robinson <branden@debian.org> Thu, 10 Mar 2005 15:57:40 -0500
+
xfree86 (4.1.0-16woody5) stable-security; urgency=low
* Security update release. Resolves the following issue:
Modified: branches/4.1.0/woody/debian/patches/076_SECURITY_libXpm_vulnerabilities.diff
===================================================================
--- branches/4.1.0/woody/debian/patches/076_SECURITY_libXpm_vulnerabilities.diff 2005-03-10 20:49:06 UTC (rev 2213)
+++ branches/4.1.0/woody/debian/patches/076_SECURITY_libXpm_vulnerabilities.diff 2005-03-10 21:03:01 UTC (rev 2214)
@@ -1,8 +1,10 @@
$Id$
Fix several security flaws in the Xpm library. Resolves CAN-2004-0687 (libXpm
-stack overflows), CAN-2004-0688 (libXpm integer overflows), and
-CAN-2004-0914 (more integer overflows).
+stack overflows), CAN-2004-0688 (libXpm integer overflows), CAN-2004-0914
+(more integer overflows), and CAN-2005-0605 (scan.c may allow attackers to
+execute arbitrary code via a negative bitmap_unit value that leads to a
+buffer overflow).
The following text is by Chris Evans.
@@ -113,11 +115,28 @@
vulnerabilties found during the above-mentioned source code audit are
collectively referred to as CAN-2004-0914.
+Chris Gilbert noticed the problem identified as CAN-2005-0605:
+
+ Having just looked at the 6.8.2 release, there's a couple of issues with
+ the patch. In a few places the code does:
+
+ unsigned int i;
+
+ for (i = nbytes; --i >=0;)
+ *dst++ = *src++;
+
+ The compiler obviously says that i is unsigned, so i is never negative,
+ and so --i>=0 will wrap i to UINT_MAX, so is always true.
+
+ The two places are create.c PutImagePixels and scan.c GetImagePixels.
+
+ ( https://bugs.freedesktop.org/show_bug.cgi?id=1920 )
+
This patch by Matthieu Herrb and others.
diff -urN xc~/extras/Xpm/lib/Attrib.c xc/extras/Xpm/lib/Attrib.c
---- xc~/extras/Xpm/lib/Attrib.c 2004-12-01 23:11:42.000000000 -0500
-+++ xc/extras/Xpm/lib/Attrib.c 2004-12-01 23:18:08.000000000 -0500
+--- xc~/extras/Xpm/lib/Attrib.c 2005-03-10 15:38:09.000000000 -0500
++++ xc/extras/Xpm/lib/Attrib.c 2005-03-10 15:39:08.000000000 -0500
@@ -32,13 +32,15 @@
* Developed by Arnaud Le Hors *
\*****************************************************************************/
@@ -175,8 +194,8 @@
if (ext->name)
XpmFree(ext->name);
diff -urN xc~/extras/Xpm/lib/CrBufFrI.c xc/extras/Xpm/lib/CrBufFrI.c
---- xc~/extras/Xpm/lib/CrBufFrI.c 2004-12-01 23:11:42.000000000 -0500
-+++ xc/extras/Xpm/lib/CrBufFrI.c 2004-12-01 23:18:43.000000000 -0500
+--- xc~/extras/Xpm/lib/CrBufFrI.c 2005-03-10 15:38:09.000000000 -0500
++++ xc/extras/Xpm/lib/CrBufFrI.c 2005-03-10 15:39:08.000000000 -0500
@@ -32,21 +32,25 @@
* Developed by Arnaud Le Hors *
\*****************************************************************************/
@@ -482,8 +501,8 @@
size += 5 + strlen(info->hints_cmt);
diff -urN xc~/extras/Xpm/lib/CrDatFrI.c xc/extras/Xpm/lib/CrDatFrI.c
---- xc~/extras/Xpm/lib/CrDatFrI.c 2004-12-01 23:11:42.000000000 -0500
-+++ xc/extras/Xpm/lib/CrDatFrI.c 2004-12-01 23:19:23.000000000 -0500
+--- xc~/extras/Xpm/lib/CrDatFrI.c 2005-03-10 15:38:09.000000000 -0500
++++ xc/extras/Xpm/lib/CrDatFrI.c 2005-03-10 15:39:08.000000000 -0500
@@ -32,13 +32,16 @@
* Developed by Arnaud Le Hors *
\*****************************************************************************/
@@ -714,8 +733,8 @@
strcpy(*dataptr, *line);
a++;
diff -urN xc~/extras/Xpm/lib/Imakefile xc/extras/Xpm/lib/Imakefile
---- xc~/extras/Xpm/lib/Imakefile 2004-12-01 23:11:42.000000000 -0500
-+++ xc/extras/Xpm/lib/Imakefile 2004-12-01 23:13:30.000000000 -0500
+--- xc~/extras/Xpm/lib/Imakefile 2005-03-10 15:38:09.000000000 -0500
++++ xc/extras/Xpm/lib/Imakefile 2005-03-10 15:39:08.000000000 -0500
@@ -104,13 +104,15 @@
CrBufFrI.c CrDatFrP.c CrPFrBuf.c RdFToI.c WrFFrI.c \
CrBufFrP.c CrIFrBuf.c CrPFrDat.c RdFToP.c WrFFrP.c \
@@ -735,8 +754,8 @@
INCLUDES = -I.
LINTLIBS = $(LINTXTOLL) $(LINTXLIB)
diff -urN xc~/extras/Xpm/lib/RdFToBuf.c xc/extras/Xpm/lib/RdFToBuf.c
---- xc~/extras/Xpm/lib/RdFToBuf.c 2004-12-01 23:11:42.000000000 -0500
-+++ xc/extras/Xpm/lib/RdFToBuf.c 2004-12-01 23:13:30.000000000 -0500
+--- xc~/extras/Xpm/lib/RdFToBuf.c 2005-03-10 15:38:09.000000000 -0500
++++ xc/extras/Xpm/lib/RdFToBuf.c 2005-03-10 15:39:08.000000000 -0500
@@ -37,6 +37,8 @@
* HeDu (hedu@cul-ipn.uni-kiel.de) 4/94
*/
@@ -766,8 +785,8 @@
if (!ptr) {
fclose(fp);
diff -urN xc~/extras/Xpm/lib/RdFToI.c xc/extras/Xpm/lib/RdFToI.c
---- xc~/extras/Xpm/lib/RdFToI.c 2004-12-01 23:11:42.000000000 -0500
-+++ xc/extras/Xpm/lib/RdFToI.c 2004-12-01 23:22:05.000000000 -0500
+--- xc~/extras/Xpm/lib/RdFToI.c 2005-03-10 15:38:09.000000000 -0500
++++ xc/extras/Xpm/lib/RdFToI.c 2005-03-10 15:39:08.000000000 -0500
@@ -32,6 +32,8 @@
* Developed by Arnaud Le Hors *
\*****************************************************************************/
@@ -863,8 +882,8 @@
#endif
}
diff -urN xc~/extras/Xpm/lib/WrFFrBuf.c xc/extras/Xpm/lib/WrFFrBuf.c
---- xc~/extras/Xpm/lib/WrFFrBuf.c 2004-12-01 23:11:42.000000000 -0500
-+++ xc/extras/Xpm/lib/WrFFrBuf.c 2004-12-01 23:13:30.000000000 -0500
+--- xc~/extras/Xpm/lib/WrFFrBuf.c 2005-03-10 15:38:09.000000000 -0500
++++ xc/extras/Xpm/lib/WrFFrBuf.c 2005-03-10 15:39:08.000000000 -0500
@@ -32,6 +32,8 @@
* Developed by Arnaud Le Hors *
\*****************************************************************************/
@@ -884,8 +903,8 @@
return XpmSuccess;
}
diff -urN xc~/extras/Xpm/lib/WrFFrI.c xc/extras/Xpm/lib/WrFFrI.c
---- xc~/extras/Xpm/lib/WrFFrI.c 2004-12-01 23:11:42.000000000 -0500
-+++ xc/extras/Xpm/lib/WrFFrI.c 2004-12-01 23:23:02.000000000 -0500
+--- xc~/extras/Xpm/lib/WrFFrI.c 2005-03-10 15:38:09.000000000 -0500
++++ xc/extras/Xpm/lib/WrFFrI.c 2005-03-10 15:39:08.000000000 -0500
@@ -37,6 +37,8 @@
* Lorens Younes (d93-hyo@nada.kth.se) 4/96
*/
@@ -1005,8 +1024,8 @@
#endif
}
diff -urN xc~/extras/Xpm/lib/XpmI.h xc/extras/Xpm/lib/XpmI.h
---- xc/extras/Xpm/lib/XpmI.h~ 2004-12-02 00:00:43.000000000 -0500
-+++ xc/extras/Xpm/lib/XpmI.h 2004-12-02 00:02:22.000000000 -0500
+--- xc~/extras/Xpm/lib/XpmI.h 2005-03-10 15:38:09.000000000 -0500
++++ xc/extras/Xpm/lib/XpmI.h 2005-03-10 15:39:08.000000000 -0500
@@ -49,6 +49,7 @@
* lets try to solve include files
*/
@@ -1048,8 +1067,8 @@
} xpmHashTable;
diff -urN xc~/extras/Xpm/lib/create.c xc/extras/Xpm/lib/create.c
---- xc~/extras/Xpm/lib/create.c 2004-12-01 23:11:42.000000000 -0500
-+++ xc/extras/Xpm/lib/create.c 2004-12-01 23:25:47.000000000 -0500
+--- xc~/extras/Xpm/lib/create.c 2005-03-10 15:38:09.000000000 -0500
++++ xc/extras/Xpm/lib/create.c 2005-03-10 15:43:18.000000000 -0500
@@ -43,6 +43,8 @@
* Lorens Younes (d93-hyo@nada.kth.se) 4/96
*/
@@ -1160,16 +1179,19 @@
return 0;
}
-@@ -1204,7 +1216,7 @@
+@@ -1204,18 +1216,18 @@
register char *src;
register char *dst;
register unsigned int *iptr;
- register int x, y, i;
-+ register unsigned int x, y, i;
++ register unsigned int x, y;
register char *data;
Pixel pixel, px;
- int nbytes, depth, ibu, ibpp;
-@@ -1214,8 +1226,8 @@
+- int nbytes, depth, ibu, ibpp;
++ int nbytes, depth, ibu, ibpp, i;
+
+ data = image->data;
+ iptr = pixelindex;
depth = image->depth;
if (depth == 1) {
ibu = image->bitmap_unit;
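Review bot: The PutImagePixels prologue visible here still assigns `ibu = image->bitmap_unit;` with no range check, while the scan.c part of this same patch rejects a negative value before using it. Declaring `i` as `int` again makes the `--i >= 0` countdown terminate, but an out-of-range `bitmap_unit` would still feed the byte-count arithmetic that follows unless something outside the hunk validates it. I would add an equivalent guard ahead of the `depth == 1` branch, in whatever form the function's return type allows, or a short comment such as `/* bitmap_unit comes from an XImage we created ourselves; see CAN-2005-0605 */` if the value is trusted on this path. The function's signature and the copy loops are outside the hunk, so an existing check may simply not be visible here.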
@@ -1449,8 +1471,8 @@
if (USE_HASHTABLE) {
xpmHashAtom *slot;
diff -urN xc~/extras/Xpm/lib/data.c xc/extras/Xpm/lib/data.c
---- xc~/extras/Xpm/lib/data.c 2004-12-01 23:11:42.000000000 -0500
-+++ xc/extras/Xpm/lib/data.c 2004-12-01 23:26:45.000000000 -0500
+--- xc~/extras/Xpm/lib/data.c 2005-03-10 15:38:09.000000000 -0500
++++ xc/extras/Xpm/lib/data.c 2005-03-10 15:39:08.000000000 -0500
@@ -32,6 +32,8 @@
* Developed by Arnaud Le Hors *
\*****************************************************************************/
@@ -1501,8 +1523,8 @@
if (data->type) {
diff -urN xc~/extras/Xpm/lib/hashtab.c xc/extras/Xpm/lib/hashtab.c
---- xc~/extras/Xpm/lib/hashtab.c 2004-12-01 23:11:42.000000000 -0500
-+++ xc/extras/Xpm/lib/hashtab.c 2004-12-01 23:26:57.000000000 -0500
+--- xc~/extras/Xpm/lib/hashtab.c 2005-03-10 15:38:09.000000000 -0500
++++ xc/extras/Xpm/lib/hashtab.c 2005-03-10 15:39:08.000000000 -0500
@@ -135,15 +135,17 @@
xpmHashTable *table;
{
@@ -1533,8 +1555,8 @@
if (!atomTable)
return (XpmNoMemory);
diff -urN xc~/extras/Xpm/lib/misc.c xc/extras/Xpm/lib/misc.c
---- xc~/extras/Xpm/lib/misc.c 2004-12-01 23:11:42.000000000 -0500
-+++ xc/extras/Xpm/lib/misc.c 2004-12-01 23:13:30.000000000 -0500
+--- xc~/extras/Xpm/lib/misc.c 2005-03-10 15:38:09.000000000 -0500
++++ xc/extras/Xpm/lib/misc.c 2005-03-10 15:39:08.000000000 -0500
@@ -44,7 +44,7 @@
char *s1;
{
@@ -1545,8 +1567,8 @@
if (s2 = (char *) XpmMalloc(l))
strcpy(s2, s1);
diff -urN xc~/extras/Xpm/lib/parse.c xc/extras/Xpm/lib/parse.c
---- xc~/extras/Xpm/lib/parse.c 2004-12-01 23:11:42.000000000 -0500
-+++ xc/extras/Xpm/lib/parse.c 2004-12-01 23:16:39.000000000 -0500
+--- xc~/extras/Xpm/lib/parse.c 2005-03-10 15:38:09.000000000 -0500
++++ xc/extras/Xpm/lib/parse.c 2005-03-10 15:39:08.000000000 -0500
@@ -39,10 +39,30 @@
* HeDu (hedu@cul-ipn.uni-kiel.de) 4/94
*/
@@ -1844,7 +1866,7 @@
* store found informations in the XpmImage structure
diff -urN xc~/extras/Xpm/lib/s_popen.c xc/extras/Xpm/lib/s_popen.c
--- xc~/extras/Xpm/lib/s_popen.c 1969-12-31 19:00:00.000000000 -0500
-+++ xc/extras/Xpm/lib/s_popen.c 2004-12-01 23:13:30.000000000 -0500
++++ xc/extras/Xpm/lib/s_popen.c 2005-03-10 15:39:08.000000000 -0500
@@ -0,0 +1,181 @@
+/*
+ * Copyright (C) 2004 The X.Org fundation
@@ -2028,8 +2050,8 @@
+}
+
diff -urN xc~/extras/Xpm/lib/scan.c xc/extras/Xpm/lib/scan.c
---- xc~/extras/Xpm/lib/scan.c 2004-12-01 23:11:42.000000000 -0500
-+++ xc/extras/Xpm/lib/scan.c 2004-12-01 23:28:46.000000000 -0500
+--- xc~/extras/Xpm/lib/scan.c 2005-03-10 15:38:09.000000000 -0500
++++ xc/extras/Xpm/lib/scan.c 2005-03-10 15:43:18.000000000 -0500
@@ -42,6 +42,8 @@
* Lorens Younes (d93-hyo@nada.kth.se) 4/96
*/
@@ -2185,16 +2207,28 @@
defaults[key] = (char *) xpmstrdup(s);
}
}
-@@ -603,7 +620,7 @@
+@@ -603,8 +620,8 @@
char *dst;
unsigned int *iptr;
char *data;
- int x, y, i;
-+ unsigned int x, y, i;
- int bits, depth, ibu, ibpp, offset;
+- int bits, depth, ibu, ibpp, offset;
++ unsigned int x, y;
++ int bits, depth, ibu, ibpp, offset, i;
unsigned long lbt;
Pixel pixel, px;
-@@ -705,7 +722,7 @@
+
+@@ -615,6 +632,9 @@
+ ibpp = image->bits_per_pixel;
+ offset = image->xoffset;
+
++ if (image->bitmap_unit < 0)
++ return (XpmNoMemory);
++
+ if ((image->bits_per_pixel | image->depth) == 1) {
+ ibu = image->bitmap_unit;
+ for (y = 0; y < height; y++)
+@@ -705,7 +725,7 @@
unsigned char *addr;
unsigned char *data;
unsigned int *iptr;
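Review bot: The new guard `if (image->bitmap_unit < 0)` in GetImagePixels rejects only negative values, so a zero or otherwise unexpected `bitmap_unit` still reaches the `ibu`-based code in the `(bits_per_pixel | depth) == 1` branch right below it. Xlib documents 8, 16 and 32 as the valid bitmap units, so an allow-list is tighter if no caller relies on other values: `if (image->bitmap_unit != 8 && image->bitmap_unit != 16 && image->bitmap_unit != 32) return (XpmNoMemory);`. Returning `XpmNoMemory` for malformed input also misleads callers about the cause, so the guard deserves a comment like `/* CAN-2005-0605: reject bogus bitmap_unit before it is used as a byte count */`. The copy loops that consume `ibu` and the signed `i` are outside this hunk, so check them against the new declaration when applying the patch.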
@@ -2203,7 +2237,7 @@
unsigned long lbt;
Pixel pixel;
int depth;
-@@ -770,7 +787,7 @@
+@@ -770,7 +790,7 @@
unsigned char *addr;
unsigned char *data;
unsigned int *iptr;
@@ -2212,7 +2246,7 @@
unsigned long lbt;
Pixel pixel;
int depth;
-@@ -815,7 +832,7 @@
+@@ -815,7 +835,7 @@
{
unsigned int *iptr;
unsigned char *data;
@@ -2221,7 +2255,7 @@
unsigned long lbt;
Pixel pixel;
int depth;
-@@ -845,10 +862,10 @@
+@@ -845,10 +865,10 @@
unsigned int width;
unsigned int height;
PixelsMap *pmap;
@@ -2234,7 +2268,7 @@
char *data;
Pixel pixel;
int xoff, yoff, offset, bpl;
-@@ -884,11 +901,11 @@
+@@ -884,11 +904,11 @@
# else /* AMIGA */
#define CLEAN_UP(status) \
@@ -2248,7 +2282,7 @@
static int
AGetImagePixels (
-@@ -909,7 +926,7 @@
+@@ -909,7 +929,7 @@
tmp_img = AllocXImage ((((width+15)>>4)<<4), 1, image->rp->BitMap->Depth);
if (tmp_img == NULL)
@@ -2257,7 +2291,7 @@
iptr = pmap->pixelindex;
for (y = 0; y < height; ++y)
-@@ -918,11 +935,11 @@
+@@ -918,11 +938,11 @@
for (x = 0; x < width; ++x, ++iptr)
{
if ((*storeFunc) (pixels[x], pmap, iptr))
@@ -2272,8 +2306,8 @@
#undef CLEAN_UP
diff -urN xc~/extras/Xpm/lib/xpm.h xc/extras/Xpm/lib/xpm.h
---- xc~/extras/Xpm/lib/xpm.h 1999-01-11 08:23:11.000000000 -0500
-+++ xc/extras/Xpm/lib/xpm.h 2004-12-01 23:29:05.000000000 -0500
+--- xc~/extras/Xpm/lib/xpm.h 2005-03-10 15:38:09.000000000 -0500
++++ xc/extras/Xpm/lib/xpm.h 2005-03-10 15:39:08.000000000 -0500
@@ -392,7 +392,7 @@
FUNC(XpmReadFileToData, int, (char *filename, char ***data_return));
FUNC(XpmWriteFileFromData, int, (char *filename, char **data));
@@ -2293,8 +2327,8 @@
/* XpmImage functions */
FUNC(XpmReadFileToXpmImage, int, (char *filename,
diff -urN xc~/lib/Xpm/Imakefile xc/lib/Xpm/Imakefile
---- xc~/lib/Xpm/Imakefile 2004-12-01 23:11:42.000000000 -0500
-+++ xc/lib/Xpm/Imakefile 2004-12-01 23:13:31.000000000 -0500
+--- xc~/lib/Xpm/Imakefile 2005-03-10 15:38:09.000000000 -0500
++++ xc/lib/Xpm/Imakefile 2005-03-10 15:39:08.000000000 -0500
@@ -42,11 +42,24 @@
SPRINTFDEF = -DVOID_SPRINTF
#endif