X Strike Force XFree86 SVN commit: r2216 - in branches/4.1.0/woody/debian: . patches
Author: branden
Date: 2005-03-10 17:13:29 -0500 (Thu, 10 Mar 2005)
New Revision: 2216
Modified:
branches/4.1.0/woody/debian/changelog
branches/4.1.0/woody/debian/patches/076_SECURITY_libXpm_vulnerabilities.diff
Log:
Merge revision 2157 from branches/4.1.0/woody-proposed updates to fix
libxpm regression that broke applications such as the GIMP.
Modified: branches/4.1.0/woody/debian/changelog
===================================================================
--- branches/4.1.0/woody/debian/changelog 2005-03-10 21:21:25 UTC (rev 2215)
+++ branches/4.1.0/woody/debian/changelog 2005-03-10 22:13:29 UTC (rev 2216)
@@ -5,8 +5,12 @@
arbitrary code via a negative bitmap_unit value that leads to a buffer
overflow. (Closes: #298939)
- -- Branden Robinson <branden@debian.org> Thu, 10 Mar 2005 15:57:40 -0500
+ * Update patch #076 (XPM library security fixes) to revert regressions in
+ functionality caused by overly aggressive validation of filespec strings
+ in OpenReadFile() and OpenWriteFile(). (Fixes #286164 for woody.)
+ -- Branden Robinson <branden@debian.org> Thu, 10 Mar 2005 17:08:14 -0500
+
xfree86 (4.1.0-16woody5) stable-security; urgency=low
* Security update release. Resolves the following issue:
Modified: branches/4.1.0/woody/debian/patches/076_SECURITY_libXpm_vulnerabilities.diff
===================================================================
--- branches/4.1.0/woody/debian/patches/076_SECURITY_libXpm_vulnerabilities.diff 2005-03-10 21:21:25 UTC (rev 2215)
+++ branches/4.1.0/woody/debian/patches/076_SECURITY_libXpm_vulnerabilities.diff 2005-03-10 22:13:29 UTC (rev 2216)
@@ -115,6 +115,12 @@
vulnerabilties found during the above-mentioned source code audit are
collectively referred to as CAN-2004-0914.
+Patch updated on 2005-01-25 to revert regressions in functionality caused
+by overly aggressive validation of filespec strings in OpenReadFile() and
+OpenWriteFile(). See <URL:
+https://bugs.freedesktop.org/show_bug.cgi?id=1924 > for more information.
+(It's up to the invoking application to validate filespec strings.)
+
Chris Gilbert noticed the problem identified as CAN-2005-0605:
Having just looked at the 6.8.2 release, there's a couple of issues with
@@ -784,9 +790,8 @@
ptr = (char *) XpmMalloc(len + 1);
if (!ptr) {
fclose(fp);
-diff -urN xc~/extras/Xpm/lib/RdFToI.c xc/extras/Xpm/lib/RdFToI.c
---- xc~/extras/Xpm/lib/RdFToI.c 2005-03-10 15:38:09.000000000 -0500
-+++ xc/extras/Xpm/lib/RdFToI.c 2005-03-10 15:39:08.000000000 -0500
+--- xc/extras/Xpm/lib/RdFToI.c~ 2005-01-25 11:36:45.000000000 -0500
++++ xc/extras/Xpm/lib/RdFToI.c 2005-01-25 11:37:44.000000000 -0500
@@ -32,6 +32,8 @@
* Developed by Arnaud Le Hors *
\*****************************************************************************/
@@ -819,15 +824,14 @@
struct stat status;
# endif
#endif
-@@ -139,17 +148,21 @@
+@@ -139,17 +148,20 @@
mdata->type = XPMFILE;
} else {
#ifndef NO_ZPIPE
- int len = strlen(filename);
+ size_t len = strlen(filename);
+
-+ if(len == 0 ||
-+ filename[len-1] == '/')
++ if (len == 0)
+ return(XpmOpenFailed);
if ((len > 2) && !strcmp(".Z", filename + (len - 2))) {
mdata->type = XPMPIPE;
@@ -846,7 +850,7 @@
return (XpmOpenFailed);
} else {
-@@ -157,19 +170,19 @@
+@@ -157,19 +169,19 @@
if (!(compressfile = (char *) XpmMalloc(len + 4)))
return (XpmNoMemory);
@@ -872,7 +876,7 @@
XpmFree(compressfile);
return (XpmOpenFailed);
}
-@@ -215,7 +228,7 @@
+@@ -215,7 +227,7 @@
break;
#ifndef NO_ZPIPE
case XPMPIPE:
@@ -902,9 +906,8 @@
return XpmSuccess;
}
-diff -urN xc~/extras/Xpm/lib/WrFFrI.c xc/extras/Xpm/lib/WrFFrI.c
---- xc~/extras/Xpm/lib/WrFFrI.c 2005-03-10 15:38:09.000000000 -0500
-+++ xc/extras/Xpm/lib/WrFFrI.c 2005-03-10 15:39:08.000000000 -0500
+--- xc/extras/Xpm/lib/WrFFrI.c~ 2005-01-25 11:36:08.000000000 -0500
++++ xc/extras/Xpm/lib/WrFFrI.c 2005-01-25 11:38:17.000000000 -0500
@@ -37,6 +37,8 @@
* Lorens Younes (d93-hyo@nada.kth.se) 4/96
*/
@@ -985,17 +988,14 @@
static int
OpenWriteFile(filename, mdata)
char *filename;
-@@ -312,16 +323,23 @@
+@@ -312,16 +323,20 @@
mdata->type = XPMFILE;
} else {
#ifndef NO_ZPIPE
- int len = strlen(filename);
+ size_t len = strlen(filename);
+
-+ if(len == 0 ||
-+ filename[0] == '/' ||
-+ strstr(filename, "../") != NULL ||
-+ filename[len-1] == '/')
++ if (len == 0)
+ return(XpmOpenFailed);
+
if (len > 2 && !strcmp(".Z", filename + (len - 2))) {
@@ -1014,7 +1014,7 @@
return (XpmOpenFailed);
mdata->type = XPMPIPE;
-@@ -352,7 +370,7 @@
+@@ -352,7 +367,7 @@
break;
#ifndef NO_ZPIPE
case XPMPIPE:
Reply to: