X Strike Force XFree86 SVN commit: r2145 - in trunk/debian: . patches
Author: branden
Date: 2005-01-21 13:54:49 -0500 (Fri, 21 Jan 2005)
New Revision: 2145
Modified:
trunk/debian/CHANGESETS
trunk/debian/TODO
trunk/debian/changelog
trunk/debian/patches/087_SECURITY_libXpm_vulnerabilities.diff
Log:
Update patch #087 (XPM library security fixes) to revert regressions in
functionality caused by overly aggressive validation of filespec strings
in OpenReadFile() and OpenWriteFile(). (Closes: #286164)
Modified: trunk/debian/CHANGESETS
===================================================================
--- trunk/debian/CHANGESETS 2005-01-21 18:10:10 UTC (rev 2144)
+++ trunk/debian/CHANGESETS 2005-01-21 18:54:49 UTC (rev 2145)
@@ -170,4 +170,9 @@
(Closes: #267503)
2142
+Update patch #087 (XPM library security fixes) to revert regressions in
+functionality caused by overly aggressive validation of filespec strings
+in OpenReadFile() and OpenWriteFile(). (Closes: #286164)
+ 2145
+
vim:set ai et sts=4 sw=4 tw=80:
Modified: trunk/debian/TODO
===================================================================
--- trunk/debian/TODO 2005-01-21 18:10:10 UTC (rev 2144)
+++ trunk/debian/TODO 2005-01-21 18:54:49 UTC (rev 2145)
@@ -17,8 +17,6 @@
4.3.0.dfsg.1-11
--------------
-* Fix regression in xpm library functionality due to misplaced and overzealous
- checking of filespec properties. (see #286164)
* Rewrite xserver-xfree86 debconfage. Joey Hess, Eduard Bloch, and David
Nusinow have provided good input.
+ udev users will have "/dev/input/mousen" -- configure that as only mouse
Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog 2005-01-21 18:10:10 UTC (rev 2144)
+++ trunk/debian/changelog 2005-01-21 18:54:49 UTC (rev 2145)
@@ -134,8 +134,12 @@
versions between 4.0.1-6 and 4.2.1-10 (thanks, Brian Sammon).
(Closes: #267503)
- -- Branden Robinson <branden@debian.org> Thu, 20 Jan 2005 02:07:49 -0500
+ * Update patch #087 (XPM library security fixes) to revert regressions in
+ functionality caused by overly aggressive validation of filespec strings
+ in OpenReadFile() and OpenWriteFile(). (Closes: #286164)
+ -- Branden Robinson <branden@debian.org> Fri, 21 Jan 2005 13:52:23 -0500
+
xfree86 (4.3.0.dfsg.1-10) unstable; urgency=medium
* Upload urgency set to medium due to fix for stable-release-critical bugs
Modified: trunk/debian/patches/087_SECURITY_libXpm_vulnerabilities.diff
===================================================================
--- trunk/debian/patches/087_SECURITY_libXpm_vulnerabilities.diff 2005-01-21 18:10:10 UTC (rev 2144)
+++ trunk/debian/patches/087_SECURITY_libXpm_vulnerabilities.diff 2005-01-21 18:54:49 UTC (rev 2145)
@@ -102,8 +102,7 @@
* Set the final byte of a static character array to null after
copying another string into it with strncpy().
* When opening an image file for writing, do not open a file specification
- that is zero-length, begins or ends with '/', or has '../' anywhere
- within it.
+ that is zero-length.
* Use XDestroyImage() and XpmFree() to deallocate resources when bailing
out during certain error conditions.
* Add many comments suggesting possibilities for further code review and
@@ -113,6 +112,12 @@
vulnerabilties found during the above-mentioned source code audit are
collectively referred to as CAN-2004-0914.
+Patch updated on 2005-01-21 to revert regressions in functionality caused
+by overly aggressive validation of filespec strings in OpenReadFile() and
+OpenWriteFile(). See <URL:
+https://bugs.freedesktop.org/show_bug.cgi?id=1924 > for more information.
+(It's up to the invoking application to validate filespec strings.)
+
This patch by Matthieu Herrb and others.
diff -urN xc-old/extras/Xpm/lib/Attrib.c xc/extras/Xpm/lib/Attrib.c
@@ -764,9 +769,8 @@
ptr = (char *) XpmMalloc(len + 1);
if (!ptr) {
fclose(fp);
-diff -urN xc-old/extras/Xpm/lib/RdFToI.c xc/extras/Xpm/lib/RdFToI.c
---- xc-old/extras/Xpm/lib/RdFToI.c 2001-10-28 03:32:09.000000000 +0000
-+++ xc/extras/Xpm/lib/RdFToI.c 2004-11-19 10:52:29.000000000 +0000
+--- xc/extras/Xpm~/lib/RdFToI.c 2005-01-21 13:39:11.000000000 -0500
++++ xc/extras/Xpm/lib/RdFToI.c 2005-01-21 13:41:42.000000000 -0500
@@ -33,6 +33,8 @@
\*****************************************************************************/
/* $XFree86: xc/extras/Xpm/lib/RdFToI.c,v 1.2 2001/10/28 03:32:09 tsi Exp $ */
@@ -789,15 +793,14 @@
static int
OpenReadFile(filename, mdata)
char *filename;
-@@ -141,17 +149,21 @@
+@@ -141,17 +149,20 @@
mdata->type = XPMFILE;
} else {
#ifndef NO_ZPIPE
- int len = strlen(filename);
+ size_t len = strlen(filename);
+
-+ if(len == 0 ||
-+ filename[len-1] == '/')
++ if (len == 0)
+ return(XpmOpenFailed);
if ((len > 2) && !strcmp(".Z", filename + (len - 2))) {
mdata->type = XPMPIPE;
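Review bot: The `if (len == 0)` guard in OpenReadFile() is now the only filespec check, and nothing in the code records that the name is otherwise used exactly as passed; the statement that validation is the invoking application's job exists only in the patch description. I would put a comment directly above the guard, for example `/* filename is only checked for being non-empty; callers that accept untrusted names must validate them (freedesktop.org bug 1924) */`. The same comment belongs above the matching guard in the OpenWriteFile() hunk further down, where the leading '/', '../' and trailing '/' tests were removed. Both guards also sit after `#ifndef NO_ZPIPE`, so the zero-length check is presumably not compiled into NO_ZPIPE builds; the closing `#endif` is outside the hunk, so please confirm that is intended. OpenReadFile's body starts and continues outside this hunk.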
@@ -816,7 +819,7 @@
return (XpmOpenFailed);
} else {
-@@ -159,19 +171,19 @@
+@@ -159,19 +170,19 @@
if (!(compressfile = (char *) XpmMalloc(len + 4)))
return (XpmNoMemory);
@@ -842,7 +845,7 @@
XpmFree(compressfile);
return (XpmOpenFailed);
}
-@@ -217,7 +229,7 @@
+@@ -217,7 +228,7 @@
break;
#ifndef NO_ZPIPE
case XPMPIPE:
@@ -872,9 +875,8 @@
return XpmSuccess;
}
-diff -urN xc-old/extras/Xpm/lib/WrFFrI.c xc/extras/Xpm/lib/WrFFrI.c
---- xc-old/extras/Xpm/lib/WrFFrI.c 2001-10-28 03:32:09.000000000 +0000
-+++ xc/extras/Xpm/lib/WrFFrI.c 2004-11-19 10:55:41.000000000 +0000
+--- xc/extras/Xpm~/lib/WrFFrI.c 2005-01-21 13:39:11.000000000 -0500
++++ xc/extras/Xpm/lib/WrFFrI.c 2005-01-21 13:40:39.000000000 -0500
@@ -38,6 +38,8 @@
* Lorens Younes (d93-hyo@nada.kth.se) 4/96
*/
@@ -934,17 +936,14 @@
static int
OpenWriteFile(filename, mdata)
char *filename;
-@@ -313,16 +324,23 @@
+@@ -313,16 +324,20 @@
mdata->type = XPMFILE;
} else {
#ifndef NO_ZPIPE
- int len = strlen(filename);
+ size_t len = strlen(filename);
+
-+ if(len == 0 ||
-+ filename[0] == '/' ||
-+ strstr(filename, "../") != NULL ||
-+ filename[len-1] == '/')
++ if (len == 0)
+ return(XpmOpenFailed);
+
if (len > 2 && !strcmp(".Z", filename + (len - 2))) {
@@ -963,7 +962,7 @@
return (XpmOpenFailed);
mdata->type = XPMPIPE;
-@@ -353,7 +371,7 @@
+@@ -353,7 +368,7 @@
break;
#ifndef NO_ZPIPE
case XPMPIPE: