X Strike Force XFree86 SVN commit: r2291 - in branches/4.1.0/woody/debian: . patches
Author: fjp
Date: 2005-08-27 14:49:27 -0500 (Sat, 27 Aug 2005)
New Revision: 2291
Removed:
branches/4.1.0/woody/debian/patches/077_SECURITY_more_libXpm_vulnerabilities.diff
Modified:
branches/4.1.0/woody/debian/changelog
branches/4.1.0/woody/debian/patches/076_SECURITY_libXpm_vulnerabilities.diff
Log:
* Replace s_popen()-based fix for CAN-2004-0914 with a better fix from
freedesktop.org xorg CVS. There were several problems with s_popen(),
some merely functional, and some themselves security-flawed.
* Remove the now empty 077_SECURITY_more_libXpm_vulnerabilities.diff
Modified: branches/4.1.0/woody/debian/changelog
===================================================================
--- branches/4.1.0/woody/debian/changelog 2005-08-27 15:27:34 UTC (rev 2290)
+++ branches/4.1.0/woody/debian/changelog 2005-08-27 19:49:27 UTC (rev 2291)
@@ -1,3 +1,20 @@
+xfree86 (4.1.0-16woody7) UNRELEASED; urgency=high
+
+ * Replace s_popen()-based fix for CAN-2004-0914 with a better fix from
+ freedesktop.org xorg CVS. There were several problems with s_popen(),
+ some merely functional, and some themselves security-flawed. There does
+ not appear to be a MITRE CVE candidate ID for this problem. The only
+ differences between the Xpm library code in this package release and that
+ in freedesktop.org xorg CVS HEAD as of 2005-05-26 are 1) whitespace
+ differences; 2) RCS keyword differences; 3) preprocessor directives to
+ support autotoolization of the library; 4) support for pre-ANSI C
+ compilers in function declarations; 5) removal of some dead code in
+ create.c; and 6) preprocessor-enforced ignorance of PutPixel32() on 64-bit
+ systems (whose implementation was already disabled on 64-bit systems).
+ (Closes: #309143)
+
+ -- Frans Pop <fjp@debian.org> Sat, 27 Aug 2005 21:26:35 +0200
+
xfree86 (4.1.0-16woody6) stable-security; urgency=high
* Security update release. Resolves the following issue:
Modified: branches/4.1.0/woody/debian/patches/076_SECURITY_libXpm_vulnerabilities.diff
===================================================================
--- branches/4.1.0/woody/debian/patches/076_SECURITY_libXpm_vulnerabilities.diff 2005-08-27 15:27:34 UTC (rev 2290)
+++ branches/4.1.0/woody/debian/patches/076_SECURITY_libXpm_vulnerabilities.diff 2005-08-27 19:49:27 UTC (rev 2291)
@@ -138,11 +138,48 @@
( https://bugs.freedesktop.org/show_bug.cgi?id=1920 )
-This patch by Matthieu Herrb and others.
+Patch updated on 2005-05-25 to replace s_popen()-based fix for
+CAN-2004-0914 with a better fix from X.Org CVS HEAD. There were several
+problems with s_popen(), some merely functional, and some themselves
+security-flawed. There does not appear to be a MITRE CVE candidate ID for
+this problem. Quoting Matej Vela:
-diff -urN xc~/extras/Xpm/lib/Attrib.c xc/extras/Xpm/lib/Attrib.c
---- xc~/extras/Xpm/lib/Attrib.c 2005-03-10 15:38:09.000000000 -0500
-+++ xc/extras/Xpm/lib/Attrib.c 2005-03-10 15:39:08.000000000 -0500
+ The CAN-2004-0914 patch introduced a s_popen() function as a safe
+ replacement for popen(). Instead of invoking a shell, it splits
+ arguments on whitespace and passes the command directly to execvp(3).
+ However, it doesn't handle quoting or redirection, so code like
+
+ WrFFrI.c:339: snprintf(buf, sizeof(buf), "gzip -q > \"%s\"", filename);
+ WrFFrI.c:340: if (!(mdata->stream.file = s_popen(buf, "w")))
+
+ results in a ">" argument and superfluous quotes:
+
+ execve("/bin/gzip", ["gzip", ">", "\"foo.gz\""], [/* 19 vars */])
+
+ This completely breaks the transparent compression and decompression.
+
+ Furthermore, since gzip processes all arguments regardless of errors, an
+ attacker can use filenames with whitespace to compress arbitrary files:
+ (xpmtest taken from <https://bugs.freedesktop.org/show_bug.cgi?id=1920>)
+
+ # ./xpmtest crab.xpm 'fnord -v /etc/hosts.deny fnord.gz'
+ w=28, h=28, cpp=2, cols=6, vmask=00000000, hotspot=0,0
+ gzip: >: No such file or directory
+ gzip: "fnord: No such file or directory
+ /etc/hosts.deny: -50.0% -- replaced with /etc/hosts.deny.gz
+ gzip: fnord.gz": No such file or directory
+
+ The above would effectively disable TCP wrappers. The -r option can be
+ used to compress whole directory trees.
+
+ s_popen() also has issues with error handling, signals, and runaway child
+ processes.
+
+This patch by Matthieu Herrb, Alex Reisen, and others.
+
+diff -ru xc~/extras/Xpm/lib/Attrib.c xc/extras/Xpm/lib/Attrib.c
+--- xc~/extras/Xpm/lib/Attrib.c 2005-08-27 20:38:39.000000000 +0200
++++ xc/extras/Xpm/lib/Attrib.c 2005-08-27 20:39:29.858126342 +0200
@@ -32,13 +32,15 @@
* Developed by Arnaud Le Hors *
\*****************************************************************************/
@@ -199,9 +236,9 @@
for (i = 0, ext = extensions; i < nextensions; i++, ext++) {
if (ext->name)
XpmFree(ext->name);
-diff -urN xc~/extras/Xpm/lib/CrBufFrI.c xc/extras/Xpm/lib/CrBufFrI.c
---- xc~/extras/Xpm/lib/CrBufFrI.c 2005-03-10 15:38:09.000000000 -0500
-+++ xc/extras/Xpm/lib/CrBufFrI.c 2005-03-10 15:39:08.000000000 -0500
+diff -ru xc~/extras/Xpm/lib/CrBufFrI.c xc/extras/Xpm/lib/CrBufFrI.c
+--- xc~/extras/Xpm/lib/CrBufFrI.c 2005-08-27 20:38:39.000000000 +0200
++++ xc/extras/Xpm/lib/CrBufFrI.c 2005-08-27 20:39:29.860126055 +0200
@@ -32,21 +32,25 @@
* Developed by Arnaud Le Hors *
\*****************************************************************************/
@@ -506,9 +543,9 @@
if (info->hints_cmt)
size += 5 + strlen(info->hints_cmt);
-diff -urN xc~/extras/Xpm/lib/CrDatFrI.c xc/extras/Xpm/lib/CrDatFrI.c
---- xc~/extras/Xpm/lib/CrDatFrI.c 2005-03-10 15:38:09.000000000 -0500
-+++ xc/extras/Xpm/lib/CrDatFrI.c 2005-03-10 15:39:08.000000000 -0500
+diff -ru xc~/extras/Xpm/lib/CrDatFrI.c xc/extras/Xpm/lib/CrDatFrI.c
+--- xc~/extras/Xpm/lib/CrDatFrI.c 2005-08-27 20:38:39.000000000 +0200
++++ xc/extras/Xpm/lib/CrDatFrI.c 2005-08-27 20:39:29.884122612 +0200
@@ -32,13 +32,16 @@
* Developed by Arnaud Le Hors *
\*****************************************************************************/
@@ -738,30 +775,9 @@
for (y = 0, line = ext->lines; y < b; y++, line++) {
strcpy(*dataptr, *line);
a++;
-diff -urN xc~/extras/Xpm/lib/Imakefile xc/extras/Xpm/lib/Imakefile
---- xc~/extras/Xpm/lib/Imakefile 2005-03-10 15:38:09.000000000 -0500
-+++ xc/extras/Xpm/lib/Imakefile 2005-03-10 15:39:08.000000000 -0500
-@@ -104,13 +104,15 @@
- CrBufFrI.c CrDatFrP.c CrPFrBuf.c RdFToI.c WrFFrI.c \
- CrBufFrP.c CrIFrBuf.c CrPFrDat.c RdFToP.c WrFFrP.c \
- CrDatFrI.c CrIFrDat.c RdFToDat.c WrFFrDat.c \
-- Attrib.c CrIFrP.c CrPFrI.c Image.c Info.c RdFToBuf.c WrFFrBuf.c
-+ Attrib.c CrIFrP.c CrPFrI.c Image.c Info.c RdFToBuf.c WrFFrBuf.c \
-+ s_popen.c
-
- OBJS = data.o create.o misc.o rgb.o scan.o parse.o hashtab.o \
- CrBufFrI.o CrDatFrP.o CrPFrBuf.o RdFToI.o WrFFrI.o \
- CrBufFrP.o CrIFrBuf.o CrPFrDat.o RdFToP.o WrFFrP.o \
- CrDatFrI.o CrIFrDat.o RdFToDat.o WrFFrDat.o \
-- Attrib.o CrIFrP.o CrPFrI.o Image.o Info.o RdFToBuf.o WrFFrBuf.o
-+ Attrib.o CrIFrP.o CrPFrI.o Image.o Info.o RdFToBuf.o WrFFrBuf.o \
-+ s_popen.o
-
- INCLUDES = -I.
- LINTLIBS = $(LINTXTOLL) $(LINTXLIB)
-diff -urN xc~/extras/Xpm/lib/RdFToBuf.c xc/extras/Xpm/lib/RdFToBuf.c
---- xc~/extras/Xpm/lib/RdFToBuf.c 2005-03-10 15:38:09.000000000 -0500
-+++ xc/extras/Xpm/lib/RdFToBuf.c 2005-03-10 15:39:08.000000000 -0500
+diff -ru xc~/extras/Xpm/lib/RdFToBuf.c xc/extras/Xpm/lib/RdFToBuf.c
+--- xc~/extras/Xpm/lib/RdFToBuf.c 2005-08-27 20:38:39.000000000 +0200
++++ xc/extras/Xpm/lib/RdFToBuf.c 2005-08-27 20:39:29.886122325 +0200
@@ -37,6 +37,8 @@
* HeDu (hedu@cul-ipn.uni-kiel.de) 4/94
*/
@@ -790,104 +806,239 @@
ptr = (char *) XpmMalloc(len + 1);
if (!ptr) {
fclose(fp);
---- xc/extras/Xpm/lib/RdFToI.c~ 2005-01-25 11:36:45.000000000 -0500
-+++ xc/extras/Xpm/lib/RdFToI.c 2005-01-25 11:37:44.000000000 -0500
-@@ -32,6 +32,8 @@
+diff -ru xc~/extras/Xpm/lib/RdFToI.c xc/extras/Xpm/lib/RdFToI.c
+--- xc~/extras/Xpm/lib/RdFToI.c 2005-08-27 20:38:39.000000000 +0200
++++ xc/extras/Xpm/lib/RdFToI.c 2005-08-27 20:40:41.261881449 +0200
+@@ -32,16 +32,14 @@
* Developed by Arnaud Le Hors *
\*****************************************************************************/
+/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
+
#include "XpmI.h"
- #include <sys/stat.h>
- #if !defined(NO_ZPIPE) && defined(WIN32)
-@@ -122,14 +124,21 @@
+-#include <sys/stat.h>
+-#if !defined(NO_ZPIPE) && defined(WIN32)
+-# define popen _popen
+-# define pclose _pclose
+-# if defined(STAT_ZFILE)
+-# include <io.h>
+-# define stat _stat
+-# define fstat _fstat
+-# endif
++#ifndef NO_ZPIPE
++#include <fcntl.h>
++#include <errno.h>
++#include <sys/types.h>
++#include <sys/wait.h>
+ #endif
+
+ LFUNC(OpenReadFile, int, (char *filename, xpmData *mdata));
+@@ -119,6 +117,67 @@
+ }
+ #endif /* CXPMPROG */
+
++#ifndef NO_ZPIPE
++/* Do not depend on errno after read_through */
++FILE*
++xpmPipeThrough(fd, cmd, arg1, mode)
++ int fd;
++ const char* cmd;
++ const char* arg1;
++ const char* mode;
++{
++ FILE* fp;
++ int status, fds[2], in = 0, out = 1;
++ pid_t pid;
++ if ( 'w' == *mode )
++ out = 0, in = 1;
++ if ( pipe(fds) < 0 )
++ return NULL;
++ pid = fork();
++ if ( pid < 0 )
++ goto fail1;
++ if ( 0 == pid )
++ {
++ close(fds[in]);
++ if ( dup2(fds[out], out) < 0 )
++ goto err;
++ close(fds[out]);
++ if ( dup2(fd, in) < 0 )
++ goto err;
++ close(fd);
++ pid = fork();
++ if ( pid < 0 )
++ goto err;
++ if ( 0 == pid )
++ {
++ execlp(cmd, cmd, arg1, NULL);
++ perror(cmd);
++ goto err;
++ }
++ _exit(0);
++ err:
++ _exit(1);
++ }
++ close(fds[out]);
++ /* calling process: wait for first child */
++ while ( waitpid(pid, &status, 0) < 0 && EINTR == errno )
++ ;
++ if ( WIFSIGNALED(status) ||
++ (WIFEXITED(status) && WEXITSTATUS(status) != 0) )
++ goto fail2;
++ fp = fdopen(fds[in], mode);
++ if ( !fp )
++ goto fail2;
++ close(fd); /* still open in 2nd child */
++ return fp;
++fail1:
++ close(fds[out]);
++fail2:
++ close(fds[in]);
++ return NULL;
++}
++#endif
++
/*
* open the given file to be read as an xpmData which is returned.
*/
-+#ifndef NO_ZPIPE
-+ FILE *s_popen(char *cmd, const char *type);
-+#else
-+# define s_popen popen
-+#endif
-+
- static int
- OpenReadFile(filename, mdata)
+@@ -127,71 +186,62 @@
char *filename;
xpmData *mdata;
{
- #ifndef NO_ZPIPE
+-#ifndef NO_ZPIPE
- char *compressfile, buf[BUFSIZ];
-+ char buf[BUFSIZ];
- # ifdef STAT_ZFILE
-+ char *compressfile;
- struct stat status;
- # endif
- #endif
-@@ -139,17 +148,20 @@
+-# ifdef STAT_ZFILE
+- struct stat status;
+-# endif
+-#endif
+-
+ if (!filename) {
+ mdata->stream.file = (stdin);
mdata->type = XPMFILE;
} else {
- #ifndef NO_ZPIPE
+-#ifndef NO_ZPIPE
- int len = strlen(filename);
-+ size_t len = strlen(filename);
-+
-+ if (len == 0)
-+ return(XpmOpenFailed);
- if ((len > 2) && !strcmp(".Z", filename + (len - 2))) {
- mdata->type = XPMPIPE;
+- if ((len > 2) && !strcmp(".Z", filename + (len - 2))) {
+- mdata->type = XPMPIPE;
- sprintf(buf, "uncompress -c \"%s\"", filename);
- if (!(mdata->stream.file = popen(buf, "r")))
-+ snprintf(buf, sizeof(buf), "uncompress -c \"%s\"", filename);
-+ if (!(mdata->stream.file = s_popen(buf, "r")))
- return (XpmOpenFailed);
-
- } else if ((len > 3) && !strcmp(".gz", filename + (len - 3))) {
- mdata->type = XPMPIPE;
+- return (XpmOpenFailed);
+-
+- } else if ((len > 3) && !strcmp(".gz", filename + (len - 3))) {
+- mdata->type = XPMPIPE;
- sprintf(buf, "gunzip -qc \"%s\"", filename);
- if (!(mdata->stream.file = popen(buf, "r")))
-+ snprintf(buf, sizeof(buf), "gunzip -qc \"%s\"", filename);
-+ if (!(mdata->stream.file = s_popen(buf, "r")))
- return (XpmOpenFailed);
-
- } else {
-@@ -157,19 +169,19 @@
- if (!(compressfile = (char *) XpmMalloc(len + 4)))
+- return (XpmOpenFailed);
+-
+- } else {
+-# ifdef STAT_ZFILE
+- if (!(compressfile = (char *) XpmMalloc(len + 4)))
++ int fd = open(filename, O_RDONLY);
++#if defined(NO_ZPIPE)
++ if ( fd < 0 )
++ return XpmOpenFailed;
++#else
++ const char* ext = NULL;
++ if ( fd >= 0 )
++ ext = strrchr(filename, '.');
++#ifdef STAT_ZFILE /* searching for z-files if the given name not found */
++ else
++ {
++ size_t len = strlen(filename);
++ char *compressfile = (char *) XpmMalloc(len + 4);
++ if ( !compressfile )
return (XpmNoMemory);
-
+-
- sprintf(compressfile, "%s.Z", filename);
-+ snprintf(compressfile, len+4, "%s.Z", filename);
- if (!stat(compressfile, &status)) {
+- if (!stat(compressfile, &status)) {
- sprintf(buf, "uncompress -c \"%s\"", compressfile);
- if (!(mdata->stream.file = popen(buf, "r"))) {
-+ snprintf(buf, sizeof(buf), "uncompress -c \"%s\"", compressfile);
-+ if (!(mdata->stream.file = s_popen(buf, "r"))) {
++ strcpy(compressfile, filename);
++ strcpy(compressfile + len, ext = ".Z");
++ fd = open(compressfile, O_RDONLY);
++ if ( fd < 0 )
++ {
++ strcpy(compressfile + len, ext = ".gz");
++ fd = open(compressfile, O_RDONLY);
++ if ( fd < 0 )
++ {
XpmFree(compressfile);
- return (XpmOpenFailed);
- }
- mdata->type = XPMPIPE;
- } else {
+- return (XpmOpenFailed);
+- }
+- mdata->type = XPMPIPE;
+- } else {
- sprintf(compressfile, "%s.gz", filename);
-+ snprintf(compressfile, len+4, "%s.gz", filename);
- if (!stat(compressfile, &status)) {
+- if (!stat(compressfile, &status)) {
- sprintf(buf, "gunzip -c \"%s\"", compressfile);
- if (!(mdata->stream.file = popen(buf, "r"))) {
-+ snprintf(buf, sizeof(buf), "gunzip -c \"%s\"", compressfile);
-+ if (!(mdata->stream.file = s_popen(buf, "r"))) {
- XpmFree(compressfile);
- return (XpmOpenFailed);
- }
-@@ -215,7 +227,7 @@
- break;
- #ifndef NO_ZPIPE
- case XPMPIPE:
+- XpmFree(compressfile);
+- return (XpmOpenFailed);
+- }
+- mdata->type = XPMPIPE;
+- } else {
+-# endif
+-#endif
+- if (!(mdata->stream.file = fopen(filename, "r"))) {
+-#if !defined(NO_ZPIPE) && defined(STAT_ZFILE)
+- XpmFree(compressfile);
+-#endif
+- return (XpmOpenFailed);
+- }
+- mdata->type = XPMFILE;
+-#ifndef NO_ZPIPE
+-# ifdef STAT_ZFILE
++ return XpmOpenFailed;
+ }
+ }
+ XpmFree(compressfile);
+-# endif
+ }
+ #endif
++ if ( ext && !strcmp(ext, ".Z") )
++ {
++ mdata->type = XPMPIPE;
++ mdata->stream.file = xpmPipeThrough(fd, "uncompress", "-c", "r");
++ }
++ else if ( ext && !strcmp(ext, ".gz") )
++ {
++ mdata->type = XPMPIPE;
++ mdata->stream.file = xpmPipeThrough(fd, "gunzip", "-qc", "r");
++ }
++ else
++#endif /* z-files */
++ {
++ mdata->type = XPMFILE;
++ mdata->stream.file = fdopen(fd, "r");
++ }
++ if (!mdata->stream.file)
++ {
++ close(fd);
++ return (XpmOpenFailed);
++ }
+ }
+ mdata->CommentLength = 0;
+ #ifdef CXPMPROG
+@@ -208,15 +258,6 @@
+ xpmDataClose(mdata)
+ xpmData *mdata;
+ {
+- switch (mdata->type) {
+- case XPMFILE:
+- if (mdata->stream.file != (stdin))
+- fclose(mdata->stream.file);
+- break;
+-#ifndef NO_ZPIPE
+- case XPMPIPE:
- pclose(mdata->stream.file);
+- break;
+-#endif
+- }
++ if (mdata->stream.file != (stdin))
+ fclose(mdata->stream.file);
- break;
- #endif
- }
-diff -urN xc~/extras/Xpm/lib/WrFFrBuf.c xc/extras/Xpm/lib/WrFFrBuf.c
---- xc~/extras/Xpm/lib/WrFFrBuf.c 2005-03-10 15:38:09.000000000 -0500
-+++ xc/extras/Xpm/lib/WrFFrBuf.c 2005-03-10 15:39:08.000000000 -0500
+ }
+diff -ru xc~/extras/Xpm/lib/WrFFrBuf.c xc/extras/Xpm/lib/WrFFrBuf.c
+--- xc~/extras/Xpm/lib/WrFFrBuf.c 2005-08-27 20:38:39.000000000 +0200
++++ xc/extras/Xpm/lib/WrFFrBuf.c 2005-08-27 20:39:29.888122038 +0200
@@ -32,6 +32,8 @@
* Developed by Arnaud Le Hors *
\*****************************************************************************/
@@ -906,18 +1057,27 @@
return XpmSuccess;
}
---- xc/extras/Xpm/lib/WrFFrI.c~ 2005-01-25 11:36:08.000000000 -0500
-+++ xc/extras/Xpm/lib/WrFFrI.c 2005-01-25 11:38:17.000000000 -0500
-@@ -37,6 +37,8 @@
- * Lorens Younes (d93-hyo@nada.kth.se) 4/96
+diff -ru xc~/extras/Xpm/lib/WrFFrI.c xc/extras/Xpm/lib/WrFFrI.c
+--- xc~/extras/Xpm/lib/WrFFrI.c 2005-08-27 20:38:39.000000000 +0200
++++ xc/extras/Xpm/lib/WrFFrI.c 2005-08-27 20:40:41.261881449 +0200
+@@ -38,9 +38,13 @@
*/
-+/* October 2004, source code review by Thomas Biege <thomas@suse.de> */
+ #include "XpmI.h"
+-#if !defined(NO_ZPIPE) && defined(WIN32)
+-# define popen _popen
+-# define pclose _pclose
+
- #include "XpmI.h"
- #if !defined(NO_ZPIPE) && defined(WIN32)
- # define popen _popen
-@@ -97,7 +99,7 @@
++#ifndef NO_ZPIPE
++#include "sys/wait.h"
++#include "sys/types.h"
++#include "fcntl.h"
++#include "unistd.h"
++#include "errno.h"
+ #endif
+
+ /* MS Windows define a function called WriteFile @#%#&!!! */
+@@ -97,7 +101,7 @@
XpmInfo *info;
{
xpmData mdata;
@@ -926,7 +1086,7 @@
int ErrorStatus;
/* open file to write */
-@@ -119,23 +121,25 @@
+@@ -119,23 +123,24 @@
name++;
#endif
/* let's try to make a valid C syntax name */
@@ -934,7 +1094,7 @@
- strcpy(new_name, name);
+ if (index(name, '.')) {
+ strncpy(new_name, name, sizeof(new_name));
-+ new_name[sizeof(new_name)-1] = 0;
++ new_name[sizeof(new_name)-1] = '\0';
/* change '.' to '_' */
name = s = new_name;
- while (dot = index(s, '.')) {
@@ -946,9 +1106,7 @@
- if (dot = index(name, '-')) {
+ if (index(name, '-')) {
if (name != new_name) {
-- strcpy(new_name, name);
-+ strncpy(new_name, name, sizeof(new_name));
-+ new_name[sizeof(new_name)-1] = 0;
+ strcpy(new_name, name);
name = new_name;
}
/* change '-' to '_' */
@@ -958,7 +1116,7 @@
*dot = '_';
s = dot;
}
-@@ -226,7 +230,7 @@
+@@ -226,7 +231,7 @@
fprintf(file, "\"%s", *defaults++);
for (key = 1; key <= NKEYS; key++, defaults++) {
@@ -967,65 +1125,105 @@
fprintf(file, "\t%s %s", xpmColorKeys[key - 1], s);
}
fprintf(file, "\",\n");
-@@ -247,6 +251,8 @@
+@@ -247,6 +252,8 @@
unsigned int x, y, h;
h = height - 1;
-+ if (cpp != 0 && width >= (UINT_MAX - 3)/cpp)
++ if (cpp != 0 && width >= (UINT_MAX - 3)/cpp)
+ return XpmNoMemory;
p = buf = (char *) XpmMalloc(width * cpp + 3);
if (!buf)
return (XpmNoMemory);
-@@ -297,6 +303,11 @@
+@@ -294,6 +301,14 @@
+ fprintf(file, ",\n\"XPMENDEXT\"");
+ }
+
++
++#ifndef NO_ZPIPE
++FUNC(xpmPipeThrough, FILE*, (int fd,
++ const char* cmd,
++ const char* arg1,
++ const char* mode));
++#endif
++
/*
* open the given file to be written as an xpmData which is returned
*/
-+#ifndef NO_ZPIPE
-+ FILE *s_popen(char *cmd, const char *type);
-+#else
-+# define s_popen popen
-+#endif
- static int
- OpenWriteFile(filename, mdata)
+@@ -302,38 +317,32 @@
char *filename;
-@@ -312,16 +323,20 @@
+ xpmData *mdata;
+ {
+-#ifndef NO_ZPIPE
+- char buf[BUFSIZ];
+-
+-#endif
+-
+ if (!filename) {
+ mdata->stream.file = (stdout);
mdata->type = XPMFILE;
} else {
#ifndef NO_ZPIPE
- int len = strlen(filename);
-+ size_t len = strlen(filename);
-+
-+ if (len == 0)
-+ return(XpmOpenFailed);
-+
++ size_t len;
++#endif
++ int fd = open(filename, O_WRONLY|O_CREAT|O_TRUNC, 0644);
++ if ( fd < 0 )
++ return(XpmOpenFailed);
++#ifndef NO_ZPIPE
++ len = strlen(filename);
if (len > 2 && !strcmp(".Z", filename + (len - 2))) {
- sprintf(buf, "compress > \"%s\"", filename);
- if (!(mdata->stream.file = popen(buf, "w")))
-+ snprintf(buf, sizeof(buf), "compress > \"%s\"", filename);
-+ if (!(mdata->stream.file = s_popen(buf, "w")))
- return (XpmOpenFailed);
-
+- return (XpmOpenFailed);
+-
++ mdata->stream.file = xpmPipeThrough(fd, "compress", NULL, "w");
mdata->type = XPMPIPE;
} else if (len > 3 && !strcmp(".gz", filename + (len - 3))) {
- sprintf(buf, "gzip -q > \"%s\"", filename);
- if (!(mdata->stream.file = popen(buf, "w")))
-+ snprintf(buf, sizeof(buf), "gzip -q > \"%s\"", filename);
-+ if (!(mdata->stream.file = s_popen(buf, "w")))
- return (XpmOpenFailed);
-
+- return (XpmOpenFailed);
+-
++ mdata->stream.file = xpmPipeThrough(fd, "gzip", "-q", "w");
mdata->type = XPMPIPE;
-@@ -352,7 +367,7 @@
- break;
- #ifndef NO_ZPIPE
- case XPMPIPE:
+- } else {
++ } else
+ #endif
+- if (!(mdata->stream.file = fopen(filename, "w")))
+- return (XpmOpenFailed);
+-
++ {
++ mdata->stream.file = fdopen(fd, "w");
+ mdata->type = XPMFILE;
+-#ifndef NO_ZPIPE
+ }
+-#endif
++ if (!mdata->stream.file)
++ return (XpmOpenFailed);
+ }
+ return (XpmSuccess);
+ }
+@@ -345,15 +354,7 @@
+ xpmDataClose(mdata)
+ xpmData *mdata;
+ {
+- switch (mdata->type) {
+- case XPMFILE:
+- if (mdata->stream.file != (stdout))
+- fclose(mdata->stream.file);
+- break;
+-#ifndef NO_ZPIPE
+- case XPMPIPE:
- pclose(mdata->stream.file);
+- break;
+-#endif
+- }
++ if (mdata->stream.file != (stdout))
+ fclose(mdata->stream.file);
- break;
- #endif
- }
-diff -urN xc~/extras/Xpm/lib/XpmI.h xc/extras/Xpm/lib/XpmI.h
---- xc~/extras/Xpm/lib/XpmI.h 2005-03-10 15:38:09.000000000 -0500
-+++ xc/extras/Xpm/lib/XpmI.h 2005-03-10 15:39:08.000000000 -0500
+ }
++
+diff -ru xc~/extras/Xpm/lib/XpmI.h xc/extras/Xpm/lib/XpmI.h
+--- xc~/extras/Xpm/lib/XpmI.h 2005-08-27 20:38:39.000000000 +0200
++++ xc/extras/Xpm/lib/XpmI.h 2005-08-27 20:39:29.890121751 +0200
@@ -49,6 +49,7 @@
* lets try to solve include files
*/
@@ -1066,9 +1264,9 @@
xpmHashAtom *atomTable;
} xpmHashTable;
-diff -urN xc~/extras/Xpm/lib/create.c xc/extras/Xpm/lib/create.c
---- xc~/extras/Xpm/lib/create.c 2005-03-10 15:38:09.000000000 -0500
-+++ xc/extras/Xpm/lib/create.c 2005-03-10 15:43:18.000000000 -0500
+diff -ru xc~/extras/Xpm/lib/create.c xc/extras/Xpm/lib/create.c
+--- xc~/extras/Xpm/lib/create.c 2005-08-27 20:38:39.000000000 +0200
++++ xc/extras/Xpm/lib/create.c 2005-08-27 20:39:29.895121034 +0200
@@ -43,6 +43,8 @@
* Lorens Younes (d93-hyo@nada.kth.se) 4/96
*/
@@ -1470,9 +1668,9 @@
buf[cpp] = '\0';
if (USE_HASHTABLE) {
xpmHashAtom *slot;
-diff -urN xc~/extras/Xpm/lib/data.c xc/extras/Xpm/lib/data.c
---- xc~/extras/Xpm/lib/data.c 2005-03-10 15:38:09.000000000 -0500
-+++ xc/extras/Xpm/lib/data.c 2005-03-10 15:39:08.000000000 -0500
+diff -ru xc~/extras/Xpm/lib/data.c xc/extras/Xpm/lib/data.c
+--- xc~/extras/Xpm/lib/data.c 2005-08-27 20:38:39.000000000 +0200
++++ xc/extras/Xpm/lib/data.c 2005-08-27 20:39:29.896120890 +0200
@@ -32,6 +32,8 @@
* Developed by Arnaud Le Hors *
\*****************************************************************************/
@@ -1522,9 +1720,9 @@
int l, n = 0;
if (data->type) {
-diff -urN xc~/extras/Xpm/lib/hashtab.c xc/extras/Xpm/lib/hashtab.c
---- xc~/extras/Xpm/lib/hashtab.c 2005-03-10 15:38:09.000000000 -0500
-+++ xc/extras/Xpm/lib/hashtab.c 2005-03-10 15:39:08.000000000 -0500
+diff -ru xc~/extras/Xpm/lib/hashtab.c xc/extras/Xpm/lib/hashtab.c
+--- xc~/extras/Xpm/lib/hashtab.c 2005-08-27 20:38:39.000000000 +0200
++++ xc/extras/Xpm/lib/hashtab.c 2005-08-27 20:39:29.904119743 +0200
@@ -135,15 +135,17 @@
xpmHashTable *table;
{
@@ -1554,9 +1752,9 @@
atomTable = (xpmHashAtom *) XpmMalloc(table->size * sizeof(*atomTable));
if (!atomTable)
return (XpmNoMemory);
-diff -urN xc~/extras/Xpm/lib/misc.c xc/extras/Xpm/lib/misc.c
---- xc~/extras/Xpm/lib/misc.c 2005-03-10 15:38:09.000000000 -0500
-+++ xc/extras/Xpm/lib/misc.c 2005-03-10 15:39:08.000000000 -0500
+diff -ru xc~/extras/Xpm/lib/misc.c xc/extras/Xpm/lib/misc.c
+--- xc~/extras/Xpm/lib/misc.c 2005-08-27 20:38:39.000000000 +0200
++++ xc/extras/Xpm/lib/misc.c 2005-08-27 20:39:29.905119599 +0200
@@ -44,7 +44,7 @@
char *s1;
{
@@ -1566,9 +1764,9 @@
if (s2 = (char *) XpmMalloc(l))
strcpy(s2, s1);
-diff -urN xc~/extras/Xpm/lib/parse.c xc/extras/Xpm/lib/parse.c
---- xc~/extras/Xpm/lib/parse.c 2005-03-10 15:38:09.000000000 -0500
-+++ xc/extras/Xpm/lib/parse.c 2005-03-10 15:39:08.000000000 -0500
+diff -ru xc~/extras/Xpm/lib/parse.c xc/extras/Xpm/lib/parse.c
+--- xc~/extras/Xpm/lib/parse.c 2005-08-27 20:38:39.000000000 +0200
++++ xc/extras/Xpm/lib/parse.c 2005-08-27 20:39:29.907119312 +0200
@@ -39,10 +39,30 @@
* HeDu (hedu@cul-ipn.uni-kiel.de) 4/94
*/
@@ -1864,194 +2062,9 @@
/*
* store found informations in the XpmImage structure
-diff -urN xc~/extras/Xpm/lib/s_popen.c xc/extras/Xpm/lib/s_popen.c
---- xc~/extras/Xpm/lib/s_popen.c 1969-12-31 19:00:00.000000000 -0500
-+++ xc/extras/Xpm/lib/s_popen.c 2005-03-10 15:39:08.000000000 -0500
-@@ -0,0 +1,181 @@
-+/*
-+ * Copyright (C) 2004 The X.Org fundation
-+ *
-+ * Permission is hereby granted, free of charge, to any person
-+ * obtaining a copy of this software and associated documentation
-+ * files (the "Software"), to deal in the Software without
-+ * restriction, including without limitation the rights to use, copy,
-+ * modify, merge, publish, distribute, sublicense, and/or sell copies
-+ * of the Software, and to permit persons to whom the Software is fur-
-+ * nished to do so, subject to the following conditions:
-+ *
-+ * The above copyright notice and this permission notice shall be
-+ * included in all copies or substantial portions of the Software.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-+ * NONINFRINGEMENT. IN NO EVENT SHALL THE X CONSORTIUM BE LIABLE FOR
-+ * ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
-+ * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-+ *
-+ * Except as contained in this notice, the name of the X.Org fundation
-+ * shall not be used in advertising or otherwise to promote the sale,
-+ * use or other dealings in this Software without prior written
-+ * authorization from the X.Org fundation.
-+ */
-+
-+/*
-+** This is a secure but NOT 100% compatible replacement for popen()
-+** Note: - don't use pclose() use fclose() for closing the returned
-+** filedesc.!!!
-+**
-+** Known Bugs: - unable to use i/o-redirection like > or <
-+** Author: - Thomas Biege <thomas@suse.de>
-+** Credits: - Andreas Pfaller <a.pfaller@pop.gun.de> for fixing a SEGV when
-+** calling strtok()
-+*/
-+
-+#include <sys/types.h>
-+#include <sys/wait.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <unistd.h>
-+#include <string.h>
-+
-+#define __SEC_POPEN_TOKEN " "
-+
-+FILE *s_popen(char *cmd, const char *type)
-+{
-+ pid_t pid;
-+ int pfd[2];
-+ int rpipe = 0, wpipe = 0, i;
-+ char **argv;
-+ char *ptr;
-+ char *cmdcpy;
-+
-+
-+ if(cmd == NULL || cmd == "")
-+ return(NULL);
-+
-+ if(type[0] != 'r' && type[0] != 'w')
-+ return(NULL);
-+
-+ if ((cmdcpy = strdup(cmd)) == NULL)
-+ return(NULL);
-+
-+ argv = NULL;
-+ if( (ptr = strtok(cmdcpy, __SEC_POPEN_TOKEN)) == NULL)
-+ {
-+ free(cmdcpy);
-+ return(NULL);
-+ }
-+
-+ for(i = 0;; i++)
-+ {
-+ if( ( argv = (char **) realloc(argv, (i+1) * sizeof(char *)) ) == NULL)
-+ {
-+ free(cmdcpy);
-+ return(NULL);
-+ }
-+
-+ if( (*(argv+i) = (char *) malloc((strlen(ptr)+1) * sizeof(char))) == NULL)
-+ {
-+ free(cmdcpy);
-+ return(NULL);
-+ }
-+
-+ strcpy(argv[i], ptr);
-+
-+ if( (ptr = strtok(NULL, __SEC_POPEN_TOKEN)) == NULL)
-+ {
-+ if( ( argv = (char **) realloc(argv, (i+2) * sizeof(char *))) == NULL)
-+ {
-+ free(cmdcpy);
-+ return(NULL);
-+ }
-+ argv[i+1] = NULL;
-+ break;
-+ }
-+ }
-+
-+
-+ if(type[0] == 'r')
-+ rpipe = 1;
-+ else
-+ wpipe = 1;
-+
-+ if (pipe(pfd) < 0)
-+ {
-+ free(cmdcpy);
-+ return(NULL);
-+ }
-+
-+ if((pid = fork()) < 0)
-+ {
-+ close(pfd[0]);
-+ close(pfd[1]);
-+ free(cmdcpy);
-+ return(NULL);
-+ }
-+
-+ if(pid == 0) /* child */
-+ {
-+ if((pid = fork()) < 0)
-+ {
-+ close(pfd[0]);
-+ close(pfd[1]);
-+ free(cmdcpy);
-+ return(NULL);
-+ }
-+ if(pid > 0)
-+ {
-+ exit(0); /* child nr. 1 exits */
-+ }
-+
-+ /* child nr. 2 */
-+ if(rpipe)
-+ {
-+ close(pfd[0]); /* close reading end, we don't need it */
-+ dup2(STDOUT_FILENO, STDERR_FILENO);
-+ if (pfd[1] != STDOUT_FILENO)
-+ dup2(pfd[1], STDOUT_FILENO); /* redirect stdout to writing end of pipe */
-+ }
-+ else
-+ {
-+ close(pfd[1]); /* close writing end, we don't need it */
-+ if (pfd[0] != STDIN_FILENO)
-+ dup2(pfd[0], STDIN_FILENO); /* redirect stdin to reading end of pipe */
-+ }
-+
-+ if(strchr(argv[0], '/') == NULL)
-+ execvp(argv[0], argv); /* search in $PATH */
-+ else
-+ execv(argv[0], argv);
-+
-+ close(pfd[0]);
-+ close(pfd[1]);
-+ free(cmdcpy);
-+ return(NULL); /* exec failed.. ooops! */
-+ }
-+ else /* parent */
-+ {
-+ waitpid(pid, NULL, 0); /* wait for child nr. 1 */
-+
-+ if(rpipe)
-+ {
-+ close(pfd[1]);
-+ free(cmdcpy);
-+ return(fdopen(pfd[0], "r"));
-+ }
-+ else
-+ {
-+ close(pfd[0]);
-+ free(cmdcpy);
-+ return(fdopen(pfd[1], "w"));
-+ }
-+
-+ }
-+}
-+
-diff -urN xc~/extras/Xpm/lib/scan.c xc/extras/Xpm/lib/scan.c
---- xc~/extras/Xpm/lib/scan.c 2005-03-10 15:38:09.000000000 -0500
-+++ xc/extras/Xpm/lib/scan.c 2005-03-10 15:43:18.000000000 -0500
+diff -ru xc~/extras/Xpm/lib/scan.c xc/extras/Xpm/lib/scan.c
+--- xc~/extras/Xpm/lib/scan.c 2005-08-27 20:38:39.000000000 +0200
++++ xc/extras/Xpm/lib/scan.c 2005-08-27 20:39:29.910118882 +0200
@@ -42,6 +42,8 @@
* Lorens Younes (d93-hyo@nada.kth.se) 4/96
*/
@@ -2305,9 +2318,9 @@
}
#undef CLEAN_UP
-diff -urN xc~/extras/Xpm/lib/xpm.h xc/extras/Xpm/lib/xpm.h
---- xc~/extras/Xpm/lib/xpm.h 2005-03-10 15:38:09.000000000 -0500
-+++ xc/extras/Xpm/lib/xpm.h 2005-03-10 15:39:08.000000000 -0500
+diff -ru xc~/extras/Xpm/lib/xpm.h xc/extras/Xpm/lib/xpm.h
+--- xc~/extras/Xpm/lib/xpm.h 2005-08-27 20:38:39.000000000 +0200
++++ xc/extras/Xpm/lib/xpm.h 2005-08-27 20:39:29.938114865 +0200
@@ -392,7 +392,7 @@
FUNC(XpmReadFileToData, int, (char *filename, char ***data_return));
FUNC(XpmWriteFileFromData, int, (char *filename, char **data));
@@ -2326,9 +2339,9 @@
/* XpmImage functions */
FUNC(XpmReadFileToXpmImage, int, (char *filename,
-diff -urN xc~/lib/Xpm/Imakefile xc/lib/Xpm/Imakefile
---- xc~/lib/Xpm/Imakefile 2005-03-10 15:38:09.000000000 -0500
-+++ xc/lib/Xpm/Imakefile 2005-03-10 15:39:08.000000000 -0500
+diff -ru xc~/lib/Xpm/Imakefile xc/lib/Xpm/Imakefile
+--- xc~/lib/Xpm/Imakefile 2005-08-27 20:38:55.000000000 +0200
++++ xc/lib/Xpm/Imakefile 2005-08-27 20:40:41.000000000 +0200
@@ -42,11 +42,24 @@
SPRINTFDEF = -DVOID_SPRINTF
#endif
@@ -2361,7 +2374,7 @@
CrDatFrI.c CrIFrDat.c RdFToDat.c WrFFrDat.c \
- Attrib.c CrIFrP.c CrPFrI.c Image.c Info.c RdFToBuf.c WrFFrBuf.c
+ Attrib.c CrIFrP.c CrPFrI.c Image.c Info.c RdFToBuf.c WrFFrBuf.c \
-+ s_popen.c $(SNPRINTFSRCS)
++ $(SNPRINTFSRCS)
OBJS = data.o create.o misc.o rgb.o scan.o parse.o hashtab.o \
CrBufFrI.o CrDatFrP.o CrPFrBuf.o RdFToI.o WrFFrI.o \
@@ -2369,18 +2382,16 @@
CrDatFrI.o CrIFrDat.o RdFToDat.o WrFFrDat.o \
- Attrib.o CrIFrP.o CrPFrI.o Image.o Info.o RdFToBuf.o WrFFrBuf.o
+ Attrib.o CrIFrP.o CrPFrI.o Image.o Info.o RdFToBuf.o WrFFrBuf.o \
-+ s_popen.o $(SNPRINTFOBJS)
++ $(SNPRINTFOBJS)
XPMDIR = $(TOP)/extras/Xpm
XPMLIBDIR = $(TOP)/extras/Xpm/lib
-@@ -99,5 +114,10 @@
- LinkSourceFile(RdFToBuf.c,$(XPMLIBDIR))
+@@ -100,4 +115,8 @@
LinkSourceFile(WrFFrBuf.c,$(XPMLIBDIR))
LinkSourceFile(xpm.h,$(XPMLIBDIR))
-+LinkSourceFile(s_popen.c,$(XPMLIBDIR))
-+
+
+#if !HasSnprintf
+LinkSourceFile(snprintf.c,$(LIBSRC)/misc)
+#endif
-
++
DependTarget()
Deleted: branches/4.1.0/woody/debian/patches/077_SECURITY_more_libXpm_vulnerabilities.diff
===================================================================
Reply to: