X Strike Force XFree86 SVN commit: r2217 - in trunk/debian: . patches
Author: branden
Date: 2005-03-13 01:55:39 -0500 (Sun, 13 Mar 2005)
New Revision: 2217
Modified:
trunk/debian/CHANGESETS
trunk/debian/TODO
trunk/debian/changelog
trunk/debian/patches/087_SECURITY_libXpm_vulnerabilities.diff
Log:
Fix CAN-2005-0605: libxpm4's scan.c file may allow attackers to execute
arbitrary code via a negative bitmap_unit value that leads to a buffer
overflow. (Closes: #299272)
Modified: trunk/debian/CHANGESETS
===================================================================
--- trunk/debian/CHANGESETS 2005-03-10 22:13:29 UTC (rev 2216)
+++ trunk/debian/CHANGESETS 2005-03-13 06:55:39 UTC (rev 2217)
@@ -12,4 +12,9 @@
Fernández-Sanguino Peña). (Closes: #298538)
2207
+Fix CAN-2005-0605: libxpm4's scan.c file may allow attackers to execute
+arbitrary code via a negative bitmap_unit value that leads to a buffer
+overflow. (Closes: #299272)
+ 2217
+
vim:set ai et sts=4 sw=4 tw=80:
Modified: trunk/debian/TODO
===================================================================
--- trunk/debian/TODO 2005-03-10 22:13:29 UTC (rev 2216)
+++ trunk/debian/TODO 2005-03-13 06:55:39 UTC (rev 2217)
@@ -16,7 +16,6 @@
4.3.0.dfsg.1-13
---------------
-* Fix CAN-2005-0605 (Debian #298939).
* Update FAQ:
+ Nuke references to ViewCVS.
+ Fix URLs to point to Apache-served SVN repositories.
Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog 2005-03-10 22:13:29 UTC (rev 2216)
+++ trunk/debian/changelog 2005-03-13 06:55:39 UTC (rev 2217)
@@ -1,12 +1,20 @@
-xfree86 (4.3.0.dfsg.1-12+SVN) unstable; urgency=low
+xfree86 (4.3.0.dfsg.1-12+SVN) unstable; urgency=high
+ Urgency set to high due to fix for security flaw CAN-2005-0605 (see below).
+
Changes by Denis Barbier:
* Update Spanish debconf template translations (thanks, Javier
Fernández-Sanguino Peña). (Closes: #298538)
- -- Branden Robinson <branden@debian.org> Sat, 19 Feb 2005 02:28:21 -0500
+ Changes by Branden Robinson:
+ * Fix CAN-2005-0605: libxpm4's scan.c file may allow attackers to execute
+ arbitrary code via a negative bitmap_unit value that leads to a buffer
+ overflow. (Closes: #299272)
+
+ -- Branden Robinson <branden@debian.org> Sun, 13 Mar 2005 01:51:58 -0500
+
xfree86 (4.3.0.dfsg.1-12) unstable; urgency=medium
* Urgency set to medium due to fix for release-critical bug #295175
Modified: trunk/debian/patches/087_SECURITY_libXpm_vulnerabilities.diff
===================================================================
--- trunk/debian/patches/087_SECURITY_libXpm_vulnerabilities.diff 2005-03-10 22:13:29 UTC (rev 2216)
+++ trunk/debian/patches/087_SECURITY_libXpm_vulnerabilities.diff 2005-03-13 06:55:39 UTC (rev 2217)
@@ -1,8 +1,10 @@
$Id$
Fix several security flaws in the Xpm library. Resolves CAN-2004-0687 (libXpm
-stack overflows), CAN-2004-0688 (libXpm integer overflows), and
-CAN-2004-0914 (more integer overflows).
+stack overflows), CAN-2004-0688 (libXpm integer overflows), CAN-2004-0914
+(more integer overflows), and CAN-2005-0605 (scan.c may allow attackers to
+execute arbitrary code via a negative bitmap_unit value that leads to a
+buffer overflow).
The following text is by Chris Evans.
@@ -118,11 +120,28 @@
https://bugs.freedesktop.org/show_bug.cgi?id=1924 > for more information.
(It's up to the invoking application to validate filespec strings.)
+Chris Gilbert noticed the problem identified as CAN-2005-0605:
+
+ Having just looked at the 6.8.2 release, there's a couple of issues with
+ the patch. In a few places the code does:
+
+ unsigned int i;
+
+ for (i = nbytes; --i >=0;)
+ *dst++ = *src++;
+
+ The compiler obviously says that i is unsigned, so i is never negative,
+ and so --i>=0 will wrap i to UINT_MAX, so is always true.
+
+ The two places are create.c PutImagePixels and scan.c GetImagePixels.
+
+ ( https://bugs.freedesktop.org/show_bug.cgi?id=1920 )
+
This patch by Matthieu Herrb and others.
-diff -urN xc-old/extras/Xpm/lib/Attrib.c xc/extras/Xpm/lib/Attrib.c
---- xc-old/extras/Xpm/lib/Attrib.c 1999-01-11 13:23:09.000000000 +0000
-+++ xc/extras/Xpm/lib/Attrib.c 2004-11-19 10:54:10.000000000 +0000
+diff -urN xc~/extras/Xpm/lib/Attrib.c xc/extras/Xpm/lib/Attrib.c
+--- xc~/extras/Xpm/lib/Attrib.c 2005-03-13 01:32:36.000000000 -0500
++++ xc/extras/Xpm/lib/Attrib.c 2005-03-13 01:34:39.000000000 -0500
@@ -32,13 +32,15 @@
* Developed by Arnaud Le Hors *
\*****************************************************************************/
@@ -179,9 +198,9 @@
for (i = 0, ext = extensions; i < nextensions; i++, ext++) {
if (ext->name)
XpmFree(ext->name);
-diff -urN xc-old/extras/Xpm/lib/CrBufFrI.c xc/extras/Xpm/lib/CrBufFrI.c
---- xc-old/extras/Xpm/lib/CrBufFrI.c 2001-10-28 03:32:09.000000000 +0000
-+++ xc/extras/Xpm/lib/CrBufFrI.c 2004-11-19 10:54:49.000000000 +0000
+diff -urN xc~/extras/Xpm/lib/CrBufFrI.c xc/extras/Xpm/lib/CrBufFrI.c
+--- xc~/extras/Xpm/lib/CrBufFrI.c 2005-03-13 01:32:36.000000000 -0500
++++ xc/extras/Xpm/lib/CrBufFrI.c 2005-03-13 01:34:39.000000000 -0500
@@ -31,6 +31,9 @@
* *
* Developed by Arnaud Le Hors *
@@ -486,9 +505,9 @@
if (info->hints_cmt)
size += 5 + strlen(info->hints_cmt);
-diff -urN xc-old/extras/Xpm/lib/CrDatFrI.c xc/extras/Xpm/lib/CrDatFrI.c
---- xc-old/extras/Xpm/lib/CrDatFrI.c 2001-10-28 03:32:09.000000000 +0000
-+++ xc/extras/Xpm/lib/CrDatFrI.c 2004-11-19 10:52:29.000000000 +0000
+diff -urN xc~/extras/Xpm/lib/CrDatFrI.c xc/extras/Xpm/lib/CrDatFrI.c
+--- xc~/extras/Xpm/lib/CrDatFrI.c 2005-03-13 01:32:36.000000000 -0500
++++ xc/extras/Xpm/lib/CrDatFrI.c 2005-03-13 01:34:39.000000000 -0500
@@ -33,13 +33,16 @@
\*****************************************************************************/
/* $XFree86: xc/extras/Xpm/lib/CrDatFrI.c,v 1.2 2001/10/28 03:32:09 tsi Exp $ */
@@ -717,9 +736,9 @@
for (y = 0, line = ext->lines; y < b; y++, line++) {
strcpy(*dataptr, *line);
a++;
-diff -urN xc-old/extras/Xpm/lib/Imakefile xc/extras/Xpm/lib/Imakefile
---- xc-old/extras/Xpm/lib/Imakefile 1999-01-11 13:23:08.000000000 +0000
-+++ xc/extras/Xpm/lib/Imakefile 2004-11-19 10:52:29.000000000 +0000
+diff -urN xc~/extras/Xpm/lib/Imakefile xc/extras/Xpm/lib/Imakefile
+--- xc~/extras/Xpm/lib/Imakefile 2005-03-13 01:32:36.000000000 -0500
++++ xc/extras/Xpm/lib/Imakefile 2005-03-13 01:34:39.000000000 -0500
@@ -104,13 +104,15 @@
CrBufFrI.c CrDatFrP.c CrPFrBuf.c RdFToI.c WrFFrI.c \
CrBufFrP.c CrIFrBuf.c CrPFrDat.c RdFToP.c WrFFrP.c \
@@ -738,9 +757,9 @@
INCLUDES = -I.
LINTLIBS = $(LINTXTOLL) $(LINTXLIB)
-diff -urN xc-old/extras/Xpm/lib/RdFToBuf.c xc/extras/Xpm/lib/RdFToBuf.c
---- xc-old/extras/Xpm/lib/RdFToBuf.c 1999-01-11 13:23:10.000000000 +0000
-+++ xc/extras/Xpm/lib/RdFToBuf.c 2004-11-19 10:52:29.000000000 +0000
+diff -urN xc~/extras/Xpm/lib/RdFToBuf.c xc/extras/Xpm/lib/RdFToBuf.c
+--- xc~/extras/Xpm/lib/RdFToBuf.c 2005-03-13 01:32:36.000000000 -0500
++++ xc/extras/Xpm/lib/RdFToBuf.c 2005-03-13 01:34:39.000000000 -0500
@@ -37,6 +37,8 @@
* HeDu (hedu@cul-ipn.uni-kiel.de) 4/94
*/
@@ -769,8 +788,9 @@
ptr = (char *) XpmMalloc(len + 1);
if (!ptr) {
fclose(fp);
---- xc/extras/Xpm~/lib/RdFToI.c 2005-01-21 13:39:11.000000000 -0500
-+++ xc/extras/Xpm/lib/RdFToI.c 2005-01-21 13:41:42.000000000 -0500
+diff -urN xc~/extras/Xpm/lib/RdFToI.c xc/extras/Xpm/lib/RdFToI.c
+--- xc~/extras/Xpm/lib/RdFToI.c 2005-03-13 01:32:36.000000000 -0500
++++ xc/extras/Xpm/lib/RdFToI.c 2005-03-13 01:34:39.000000000 -0500
@@ -33,6 +33,8 @@
\*****************************************************************************/
/* $XFree86: xc/extras/Xpm/lib/RdFToI.c,v 1.2 2001/10/28 03:32:09 tsi Exp $ */
@@ -854,9 +874,9 @@
break;
#endif
}
-diff -urN xc-old/extras/Xpm/lib/WrFFrBuf.c xc/extras/Xpm/lib/WrFFrBuf.c
---- xc-old/extras/Xpm/lib/WrFFrBuf.c 1999-01-11 13:23:10.000000000 +0000
-+++ xc/extras/Xpm/lib/WrFFrBuf.c 2004-11-19 10:52:29.000000000 +0000
+diff -urN xc~/extras/Xpm/lib/WrFFrBuf.c xc/extras/Xpm/lib/WrFFrBuf.c
+--- xc~/extras/Xpm/lib/WrFFrBuf.c 2005-03-13 01:32:36.000000000 -0500
++++ xc/extras/Xpm/lib/WrFFrBuf.c 2005-03-13 01:34:39.000000000 -0500
@@ -32,6 +32,8 @@
* Developed by Arnaud Le Hors *
\*****************************************************************************/
@@ -875,8 +895,9 @@
return XpmSuccess;
}
---- xc/extras/Xpm~/lib/WrFFrI.c 2005-01-21 13:39:11.000000000 -0500
-+++ xc/extras/Xpm/lib/WrFFrI.c 2005-01-21 13:40:39.000000000 -0500
+diff -urN xc~/extras/Xpm/lib/WrFFrI.c xc/extras/Xpm/lib/WrFFrI.c
+--- xc~/extras/Xpm/lib/WrFFrI.c 2005-03-13 01:32:36.000000000 -0500
++++ xc/extras/Xpm/lib/WrFFrI.c 2005-03-13 01:34:39.000000000 -0500
@@ -38,6 +38,8 @@
* Lorens Younes (d93-hyo@nada.kth.se) 4/96
*/
@@ -971,9 +992,9 @@
break;
#endif
}
-diff -urN xc-old/extras/Xpm/lib/XpmI.h xc/extras/Xpm/lib/XpmI.h
---- xc-old/extras/Xpm/lib/XpmI.h 2002-01-07 19:40:23.000000000 +0000
-+++ xc/extras/Xpm/lib/XpmI.h 2004-11-19 10:52:29.000000000 +0000
+diff -urN xc~/extras/Xpm/lib/XpmI.h xc/extras/Xpm/lib/XpmI.h
+--- xc~/extras/Xpm/lib/XpmI.h 2005-03-13 01:32:36.000000000 -0500
++++ xc/extras/Xpm/lib/XpmI.h 2005-03-13 01:34:39.000000000 -0500
@@ -49,8 +49,10 @@
* lets try to solve include files
*/
@@ -1017,9 +1038,9 @@
xpmHashAtom *atomTable;
} xpmHashTable;
-diff -urN xc-old/extras/Xpm/lib/create.c xc/extras/Xpm/lib/create.c
---- xc-old/extras/Xpm/lib/create.c 2002-01-07 19:40:49.000000000 +0000
-+++ xc/extras/Xpm/lib/create.c 2004-11-19 10:56:54.000000000 +0000
+diff -urN xc~/extras/Xpm/lib/create.c xc/extras/Xpm/lib/create.c
+--- xc~/extras/Xpm/lib/create.c 2005-03-13 01:32:36.000000000 -0500
++++ xc/extras/Xpm/lib/create.c 2005-03-13 01:39:04.000000000 -0500
@@ -1,3 +1,4 @@
+/* $XdotOrg: pre-CVS proposed fix for CESA-2004-003 alanc 7/25/2004 $ */
/*
@@ -1107,16 +1128,19 @@
return 0;
}
-@@ -1204,7 +1218,7 @@
+@@ -1204,18 +1218,18 @@
register char *src;
register char *dst;
register unsigned int *iptr;
- register int x, y, i;
-+ register unsigned int x, y, i;
++ register unsigned int x, y;
register char *data;
Pixel pixel, px;
- int nbytes, depth, ibu, ibpp;
-@@ -1214,8 +1228,8 @@
+- int nbytes, depth, ibu, ibpp;
++ int nbytes, depth, ibu, ibpp, i;
+
+ data = image->data;
+ iptr = pixelindex;
depth = image->depth;
if (depth == 1) {
ibu = image->bitmap_unit;
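Review bot: The new create.c declaration `int nbytes, depth, ibu, ibpp, i;` has no comment saying why `i` must stay signed, although that is the whole fix. The countdown `for (i = nbytes; --i >=0;)` quoted in the patch header only terminates with a signed counter, and the previous revision of this patch broke it by declaring `register unsigned int x, y, i;`. I would add `/* i must be signed: the byte-copy loops count down with --i >= 0 */` above the declaration here and above `int bits, depth, ibu, ibpp, offset, i;` in the scan.c hunk further down, so a later signedness cleanup does not reintroduce the bug. The visible create.c lines also read `ibu = image->bitmap_unit;` with no counterpart to the `image->bitmap_unit < 0` test that scan.c gains. The rest of the function lies outside the hunk, so it should be confirmed whether a negative value can reach the copy loop here.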
@@ -1367,9 +1391,9 @@
buf[cpp] = '\0';
if (USE_HASHTABLE) {
xpmHashAtom *slot;
-diff -urN xc-old/extras/Xpm/lib/data.c xc/extras/Xpm/lib/data.c
---- xc-old/extras/Xpm/lib/data.c 2002-01-07 19:40:49.000000000 +0000
-+++ xc/extras/Xpm/lib/data.c 2004-11-19 10:52:29.000000000 +0000
+diff -urN xc~/extras/Xpm/lib/data.c xc/extras/Xpm/lib/data.c
+--- xc~/extras/Xpm/lib/data.c 2005-03-13 01:32:36.000000000 -0500
++++ xc/extras/Xpm/lib/data.c 2005-03-13 01:34:39.000000000 -0500
@@ -33,6 +33,8 @@
\*****************************************************************************/
/* $XFree86: xc/extras/Xpm/lib/data.c,v 1.4 2002/01/07 19:40:49 dawes Exp $ */
@@ -1409,9 +1433,9 @@
int l, n = 0;
if (data->type) {
-diff -urN xc-old/extras/Xpm/lib/hashtab.c xc/extras/Xpm/lib/hashtab.c
---- xc-old/extras/Xpm/lib/hashtab.c 1999-01-11 13:23:11.000000000 +0000
-+++ xc/extras/Xpm/lib/hashtab.c 2004-11-19 10:57:39.000000000 +0000
+diff -urN xc~/extras/Xpm/lib/hashtab.c xc/extras/Xpm/lib/hashtab.c
+--- xc~/extras/Xpm/lib/hashtab.c 2005-03-13 01:32:36.000000000 -0500
++++ xc/extras/Xpm/lib/hashtab.c 2005-03-13 01:34:39.000000000 -0500
@@ -135,15 +135,17 @@
xpmHashTable *table;
{
@@ -1441,9 +1465,9 @@
atomTable = (xpmHashAtom *) XpmMalloc(table->size * sizeof(*atomTable));
if (!atomTable)
return (XpmNoMemory);
-diff -urN xc-old/extras/Xpm/lib/misc.c xc/extras/Xpm/lib/misc.c
---- xc-old/extras/Xpm/lib/misc.c 1999-01-11 13:23:11.000000000 +0000
-+++ xc/extras/Xpm/lib/misc.c 2004-11-19 10:52:29.000000000 +0000
+diff -urN xc~/extras/Xpm/lib/misc.c xc/extras/Xpm/lib/misc.c
+--- xc~/extras/Xpm/lib/misc.c 2005-03-13 01:32:36.000000000 -0500
++++ xc/extras/Xpm/lib/misc.c 2005-03-13 01:34:39.000000000 -0500
@@ -44,7 +44,7 @@
char *s1;
{
@@ -1453,9 +1477,9 @@
if (s2 = (char *) XpmMalloc(l))
strcpy(s2, s1);
-diff -urN xc-old/extras/Xpm/lib/parse.c xc/extras/Xpm/lib/parse.c
---- xc-old/extras/Xpm/lib/parse.c 2001-10-28 03:32:10.000000000 +0000
-+++ xc/extras/Xpm/lib/parse.c 2004-11-19 10:58:38.000000000 +0000
+diff -urN xc~/extras/Xpm/lib/parse.c xc/extras/Xpm/lib/parse.c
+--- xc~/extras/Xpm/lib/parse.c 2005-03-13 01:32:36.000000000 -0500
++++ xc/extras/Xpm/lib/parse.c 2005-03-13 01:34:39.000000000 -0500
@@ -1,3 +1,4 @@
+/* $XdotOrg: pre-CVS proposed fix for CESA-2004-003 alanc 7/25/2004 $ */
/*
@@ -1727,9 +1751,9 @@
/*
* This function parses an Xpm file or data and store the found informations
-diff -urN xc-old/extras/Xpm/lib/s_popen.c xc/extras/Xpm/lib/s_popen.c
---- xc-old/extras/Xpm/lib/s_popen.c 1970-01-01 00:00:00.000000000 +0000
-+++ xc/extras/Xpm/lib/s_popen.c 2004-11-19 10:52:29.000000000 +0000
+diff -urN xc~/extras/Xpm/lib/s_popen.c xc/extras/Xpm/lib/s_popen.c
+--- xc~/extras/Xpm/lib/s_popen.c 1969-12-31 19:00:00.000000000 -0500
++++ xc/extras/Xpm/lib/s_popen.c 2005-03-13 01:34:39.000000000 -0500
@@ -0,0 +1,181 @@
+/*
+ * Copyright (C) 2004 The X.Org fundation
@@ -1912,9 +1936,9 @@
+ }
+}
+
-diff -urN xc-old/extras/Xpm/lib/scan.c xc/extras/Xpm/lib/scan.c
---- xc-old/extras/Xpm/lib/scan.c 2002-01-07 19:40:49.000000000 +0000
-+++ xc/extras/Xpm/lib/scan.c 2004-11-19 10:59:17.000000000 +0000
+diff -urN xc~/extras/Xpm/lib/scan.c xc/extras/Xpm/lib/scan.c
+--- xc~/extras/Xpm/lib/scan.c 2005-03-13 01:32:36.000000000 -0500
++++ xc/extras/Xpm/lib/scan.c 2005-03-13 01:39:04.000000000 -0500
@@ -43,6 +43,8 @@
* Lorens Younes (d93-hyo@nada.kth.se) 4/96
*/
@@ -2002,16 +2026,28 @@
xcolors = (XColor *) XpmMalloc(sizeof(XColor) * ncolors);
if (!xcolors)
return (XpmNoMemory);
-@@ -607,7 +621,7 @@
+@@ -607,8 +621,8 @@
char *dst;
unsigned int *iptr;
char *data;
- int x, y, i;
-+ unsigned int x, y, i;
- int bits, depth, ibu, ibpp, offset;
+- int bits, depth, ibu, ibpp, offset;
++ unsigned int x, y;
++ int bits, depth, ibu, ibpp, offset, i;
unsigned long lbt;
Pixel pixel, px;
-@@ -709,7 +723,7 @@
+
+@@ -619,6 +633,9 @@
+ ibpp = image->bits_per_pixel;
+ offset = image->xoffset;
+
++ if (image->bitmap_unit < 0)
++ return (XpmNoMemory);
++
+ if ((image->bits_per_pixel | image->depth) == 1) {
+ ibu = image->bitmap_unit;
+ for (y = 0; y < height; y++)
+@@ -709,7 +726,7 @@
unsigned char *addr;
unsigned char *data;
unsigned int *iptr;
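Review bot: The added guard `if (image->bitmap_unit < 0)` in scan.c rejects only negative values, so zero or any other unexpected unit still reaches the code after `ibu = image->bitmap_unit;`. Xlib documents bitmap_unit as 8, 16 or 32, so an allow-list such as `if (image->bitmap_unit != 8 && image->bitmap_unit != 16 && image->bitmap_unit != 32)` would be tighter, provided no caller relies on hand-built XImages with other values. The guard also returns `XpmNoMemory` for an invalid image rather than an allocation failure, which misleads anyone diagnosing from the status code. If that code must stay for compatibility, a comment such as `/* not an allocation failure: a negative bitmap_unit would overrun the copy loops (CAN-2005-0605) */` would make the intent explicit. The function body continues outside the hunk.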
@@ -2020,7 +2056,7 @@
unsigned long lbt;
Pixel pixel;
int depth;
-@@ -774,7 +788,7 @@
+@@ -774,7 +791,7 @@
unsigned char *addr;
unsigned char *data;
unsigned int *iptr;
@@ -2029,7 +2065,7 @@
unsigned long lbt;
Pixel pixel;
int depth;
-@@ -819,7 +833,7 @@
+@@ -819,7 +836,7 @@
{
unsigned int *iptr;
unsigned char *data;
@@ -2038,7 +2074,7 @@
unsigned long lbt;
Pixel pixel;
int depth;
-@@ -852,7 +866,7 @@
+@@ -852,7 +869,7 @@
storeFuncPtr storeFunc;
{
unsigned int *iptr;
@@ -2047,7 +2083,7 @@
char *data;
Pixel pixel;
int xoff, yoff, offset, bpl;
-@@ -888,11 +902,11 @@
+@@ -888,11 +905,11 @@
# else /* AMIGA */
#define CLEAN_UP(status) \
@@ -2061,7 +2097,7 @@
static int
AGetImagePixels (
-@@ -913,7 +927,7 @@
+@@ -913,7 +930,7 @@
tmp_img = AllocXImage ((((width+15)>>4)<<4), 1, image->rp->BitMap->Depth);
if (tmp_img == NULL)
@@ -2070,7 +2106,7 @@
iptr = pmap->pixelindex;
for (y = 0; y < height; ++y)
-@@ -922,11 +936,11 @@
+@@ -922,11 +939,11 @@
for (x = 0; x < width; ++x, ++iptr)
{
if ((*storeFunc) (pixels[x], pmap, iptr))
@@ -2084,9 +2120,9 @@
}
#undef CLEAN_UP
-diff -urN xc-old/lib/Xpm/Imakefile xc/lib/Xpm/Imakefile
---- xc-old/lib/Xpm/Imakefile 2000-09-19 12:46:06.000000000 +0000
-+++ xc/lib/Xpm/Imakefile 2004-11-19 10:52:29.000000000 +0000
+diff -urN xc~/lib/Xpm/Imakefile xc/lib/Xpm/Imakefile
+--- xc~/lib/Xpm/Imakefile 2005-03-13 01:32:36.000000000 -0500
++++ xc/lib/Xpm/Imakefile 2005-03-13 01:34:39.000000000 -0500
@@ -42,11 +42,24 @@
SPRINTFDEF = -DVOID_SPRINTF
#endif