X Strike Force XFree86 SVN commit: r2216 - in branches/4.1.0/woody/debian: . patches

To: debian-x@lists.debian.org
Subject: X Strike Force XFree86 SVN commit: r2216 - in branches/4.1.0/woody/debian: . patches
From: X Strike Force SVN Repository Admin <branden+svnadmin@deadbeast.net>
Date: Thu, 10 Mar 2005 17:13:31 -0500 (EST)
Message-id: <[🔎] 20050310221331.9627C5C05D@necrotic.deadbeast.net>
Reply-to: debian-x@lists.debian.org

Author: branden
Date: 2005-03-10 17:13:29 -0500 (Thu, 10 Mar 2005)
New Revision: 2216

Modified:
   branches/4.1.0/woody/debian/changelog
   branches/4.1.0/woody/debian/patches/076_SECURITY_libXpm_vulnerabilities.diff
Log:
Merge revision 2157 from branches/4.1.0/woody-proposed updates to fix
libxpm regression that broke applications such as the GIMP.


Modified: branches/4.1.0/woody/debian/changelog
===================================================================
--- branches/4.1.0/woody/debian/changelog	2005-03-10 21:21:25 UTC (rev 2215)
+++ branches/4.1.0/woody/debian/changelog	2005-03-10 22:13:29 UTC (rev 2216)
@@ -5,8 +5,12 @@
       arbitrary code via a negative bitmap_unit value that leads to a buffer
       overflow.  (Closes: #298939)
 
- -- Branden Robinson <branden@debian.org>  Thu, 10 Mar 2005 15:57:40 -0500
+  * Update patch #076 (XPM library security fixes) to revert regressions in
+    functionality caused by overly aggressive validation of filespec strings
+    in OpenReadFile() and OpenWriteFile().  (Fixes #286164 for woody.)
 
+ -- Branden Robinson <branden@debian.org>  Thu, 10 Mar 2005 17:08:14 -0500
+
 xfree86 (4.1.0-16woody5) stable-security; urgency=low
 
   * Security update release.  Resolves the following issue:

Modified: branches/4.1.0/woody/debian/patches/076_SECURITY_libXpm_vulnerabilities.diff
===================================================================
--- branches/4.1.0/woody/debian/patches/076_SECURITY_libXpm_vulnerabilities.diff	2005-03-10 21:21:25 UTC (rev 2215)
+++ branches/4.1.0/woody/debian/patches/076_SECURITY_libXpm_vulnerabilities.diff	2005-03-10 22:13:29 UTC (rev 2216)
@@ -115,6 +115,12 @@
 vulnerabilties found during the above-mentioned source code audit are
 collectively referred to as CAN-2004-0914.
 
+Patch updated on 2005-01-25 to revert regressions in functionality caused
+by overly aggressive validation of filespec strings in OpenReadFile() and
+OpenWriteFile().  See <URL:
+https://bugs.freedesktop.org/show_bug.cgi?id=1924 > for more information.
+(It's up to the invoking application to validate filespec strings.)
+
 Chris Gilbert noticed the problem identified as CAN-2005-0605:
 
   Having just looked at the 6.8.2 release, there's a couple of issues with
@@ -784,9 +790,8 @@
      ptr = (char *) XpmMalloc(len + 1);
      if (!ptr) {
  	fclose(fp);
-diff -urN xc~/extras/Xpm/lib/RdFToI.c xc/extras/Xpm/lib/RdFToI.c
---- xc~/extras/Xpm/lib/RdFToI.c	2005-03-10 15:38:09.000000000 -0500
-+++ xc/extras/Xpm/lib/RdFToI.c	2005-03-10 15:39:08.000000000 -0500
+--- xc/extras/Xpm/lib/RdFToI.c~	2005-01-25 11:36:45.000000000 -0500
++++ xc/extras/Xpm/lib/RdFToI.c	2005-01-25 11:37:44.000000000 -0500
 @@ -32,6 +32,8 @@
  *  Developed by Arnaud Le Hors                                                *
  \*****************************************************************************/
@@ -819,15 +824,14 @@
      struct stat status;
  # endif
  #endif
-@@ -139,17 +148,21 @@
+@@ -139,17 +148,20 @@
  	mdata->type = XPMFILE;
      } else {
  #ifndef NO_ZPIPE
 -	int len = strlen(filename);
 +	size_t len = strlen(filename);
 +
-+	if(len == 0                        ||
-+	   filename[len-1] == '/')
++	if (len == 0)
 +		return(XpmOpenFailed);
  	if ((len > 2) && !strcmp(".Z", filename + (len - 2))) {
  	    mdata->type = XPMPIPE;
@@ -846,7 +850,7 @@
  		return (XpmOpenFailed);
  
  	} else {
-@@ -157,19 +170,19 @@
+@@ -157,19 +169,19 @@
  	    if (!(compressfile = (char *) XpmMalloc(len + 4)))
  		return (XpmNoMemory);
  
@@ -872,7 +876,7 @@
  			XpmFree(compressfile);
  			return (XpmOpenFailed);
  		    }
-@@ -215,7 +228,7 @@
+@@ -215,7 +227,7 @@
  	break;
  #ifndef NO_ZPIPE
      case XPMPIPE:
@@ -902,9 +906,8 @@
  
      return XpmSuccess;
  }
-diff -urN xc~/extras/Xpm/lib/WrFFrI.c xc/extras/Xpm/lib/WrFFrI.c
---- xc~/extras/Xpm/lib/WrFFrI.c	2005-03-10 15:38:09.000000000 -0500
-+++ xc/extras/Xpm/lib/WrFFrI.c	2005-03-10 15:39:08.000000000 -0500
+--- xc/extras/Xpm/lib/WrFFrI.c~	2005-01-25 11:36:08.000000000 -0500
++++ xc/extras/Xpm/lib/WrFFrI.c	2005-01-25 11:38:17.000000000 -0500
 @@ -37,6 +37,8 @@
   * Lorens Younes (d93-hyo@nada.kth.se) 4/96
   */
@@ -985,17 +988,14 @@
  static int
  OpenWriteFile(filename, mdata)
      char *filename;
-@@ -312,16 +323,23 @@
+@@ -312,16 +323,20 @@
  	mdata->type = XPMFILE;
      } else {
  #ifndef NO_ZPIPE
 -	int len = strlen(filename);
 +	size_t len = strlen(filename);
 +
-+	if(len == 0                        ||
-+	   filename[0] == '/'              ||
-+	   strstr(filename, "../") != NULL ||
-+	   filename[len-1] == '/')
++	if (len == 0)
 +		return(XpmOpenFailed);
 +
  	if (len > 2 && !strcmp(".Z", filename + (len - 2))) {
@@ -1014,7 +1014,7 @@
  		return (XpmOpenFailed);
  
  	    mdata->type = XPMPIPE;
-@@ -352,7 +370,7 @@
+@@ -352,7 +367,7 @@
  	break;
  #ifndef NO_ZPIPE
      case XPMPIPE:

Reply to:

Prev by Date: X Strike Force XFree86 SVN commit: r2215 - tags
Next by Date: Bug#298886: Package: X11
Previous by thread: X Strike Force XFree86 SVN commit: r2215 - tags
Next by thread: Bug#298886: Package: X11
Index(es):
- Date
- Thread