X Strike Force XFree86 SVN commit: r2157 - in branches/4.1.0/woody-proposed-updates/debian: . patches
Author: branden
Date: 2005-01-25 11:45:22 -0500 (Tue, 25 Jan 2005)
New Revision: 2157
Modified:
branches/4.1.0/woody-proposed-updates/debian/changelog
branches/4.1.0/woody-proposed-updates/debian/patches/076_SECURITY_libXpm_vulnerabilities.diff
Log:
Update patch #076 (XPM library security fixes) to revert regressions in
functionality caused by overly aggressive validation of filespec strings
in OpenReadFile() and OpenWriteFile(). (Fixes #286164 for woody.)
Modified: branches/4.1.0/woody-proposed-updates/debian/changelog
===================================================================
--- branches/4.1.0/woody-proposed-updates/debian/changelog 2005-01-25 16:20:17 UTC (rev 2156)
+++ branches/4.1.0/woody-proposed-updates/debian/changelog 2005-01-25 16:45:22 UTC (rev 2157)
@@ -1,3 +1,11 @@
+xfree86 (4.1.0-16woody6) stable-security; urgency=low
+
+ * Update patch #076 (XPM library security fixes) to revert regressions in
+ functionality caused by overly aggressive validation of filespec strings
+ in OpenReadFile() and OpenWriteFile(). (Fixes #286164 for woody.)
+
+ -- Branden Robinson <branden@debian.org> Tue, 25 Jan 2005 11:42:03 -0500
+
xfree86 (4.1.0-16woody5) stable-security; urgency=low
* Security update release. Resolves the following issue:
Modified: branches/4.1.0/woody-proposed-updates/debian/patches/076_SECURITY_libXpm_vulnerabilities.diff
===================================================================
--- branches/4.1.0/woody-proposed-updates/debian/patches/076_SECURITY_libXpm_vulnerabilities.diff 2005-01-25 16:20:17 UTC (rev 2156)
+++ branches/4.1.0/woody-proposed-updates/debian/patches/076_SECURITY_libXpm_vulnerabilities.diff 2005-01-25 16:45:22 UTC (rev 2157)
@@ -113,6 +113,12 @@
vulnerabilties found during the above-mentioned source code audit are
collectively referred to as CAN-2004-0914.
+Patch updated on 2005-01-25 to revert regressions in functionality caused
+by overly aggressive validation of filespec strings in OpenReadFile() and
+OpenWriteFile(). See <URL:
+https://bugs.freedesktop.org/show_bug.cgi?id=1924 > for more information.
+(It's up to the invoking application to validate filespec strings.)
+
This patch by Matthieu Herrb and others.
diff -urN xc~/extras/Xpm/lib/Attrib.c xc/extras/Xpm/lib/Attrib.c
@@ -765,9 +771,8 @@
ptr = (char *) XpmMalloc(len + 1);
if (!ptr) {
fclose(fp);
-diff -urN xc~/extras/Xpm/lib/RdFToI.c xc/extras/Xpm/lib/RdFToI.c
---- xc~/extras/Xpm/lib/RdFToI.c 2004-12-01 23:11:42.000000000 -0500
-+++ xc/extras/Xpm/lib/RdFToI.c 2004-12-01 23:22:05.000000000 -0500
+--- xc/extras/Xpm/lib/RdFToI.c~ 2005-01-25 11:36:45.000000000 -0500
++++ xc/extras/Xpm/lib/RdFToI.c 2005-01-25 11:37:44.000000000 -0500
@@ -32,6 +32,8 @@
* Developed by Arnaud Le Hors *
\*****************************************************************************/
@@ -800,15 +805,14 @@
struct stat status;
# endif
#endif
-@@ -139,17 +148,21 @@
+@@ -139,17 +148,20 @@
mdata->type = XPMFILE;
} else {
#ifndef NO_ZPIPE
- int len = strlen(filename);
+ size_t len = strlen(filename);
+
-+ if(len == 0 ||
-+ filename[len-1] == '/')
++ if (len == 0)
+ return(XpmOpenFailed);
if ((len > 2) && !strcmp(".Z", filename + (len - 2))) {
mdata->type = XPMPIPE;
@@ -827,7 +831,7 @@
return (XpmOpenFailed);
} else {
-@@ -157,19 +170,19 @@
+@@ -157,19 +169,19 @@
if (!(compressfile = (char *) XpmMalloc(len + 4)))
return (XpmNoMemory);
@@ -853,7 +857,7 @@
XpmFree(compressfile);
return (XpmOpenFailed);
}
-@@ -215,7 +228,7 @@
+@@ -215,7 +227,7 @@
break;
#ifndef NO_ZPIPE
case XPMPIPE:
@@ -883,9 +887,8 @@
return XpmSuccess;
}
-diff -urN xc~/extras/Xpm/lib/WrFFrI.c xc/extras/Xpm/lib/WrFFrI.c
---- xc~/extras/Xpm/lib/WrFFrI.c 2004-12-01 23:11:42.000000000 -0500
-+++ xc/extras/Xpm/lib/WrFFrI.c 2004-12-01 23:23:02.000000000 -0500
+--- xc/extras/Xpm/lib/WrFFrI.c~ 2005-01-25 11:36:08.000000000 -0500
++++ xc/extras/Xpm/lib/WrFFrI.c 2005-01-25 11:38:17.000000000 -0500
@@ -37,6 +37,8 @@
* Lorens Younes (d93-hyo@nada.kth.se) 4/96
*/
@@ -966,17 +969,14 @@
static int
OpenWriteFile(filename, mdata)
char *filename;
-@@ -312,16 +323,23 @@
+@@ -312,16 +323,20 @@
mdata->type = XPMFILE;
} else {
#ifndef NO_ZPIPE
- int len = strlen(filename);
+ size_t len = strlen(filename);
+
-+ if(len == 0 ||
-+ filename[0] == '/' ||
-+ strstr(filename, "../") != NULL ||
-+ filename[len-1] == '/')
++ if (len == 0)
+ return(XpmOpenFailed);
+
if (len > 2 && !strcmp(".Z", filename + (len - 2))) {
@@ -995,7 +995,7 @@
return (XpmOpenFailed);
mdata->type = XPMPIPE;
-@@ -352,7 +370,7 @@
+@@ -352,7 +367,7 @@
break;
#ifndef NO_ZPIPE
case XPMPIPE:
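Review bot: After this revert the only guard left in OpenWriteFile is `if (len == 0)` (the `filename[0] == '/'`, `strstr(filename, "../")` and trailing-`/` tests are dropped), and OpenReadFile likewise keeps only the empty-name test, yet neither function carries a comment saying that filespec validation is now the caller's responsibility — that statement exists only in the patch header. I would add above the remaining check in both functions: `/* Only an empty name is rejected here; the library does not validate filespec strings, the calling application must (see freedesktop bug 1924). */`. The `.Z` branch that follows still switches to XPMPIPE, so presumably the name still reaches an external compression step — confirm in the full file, since that is the path for which a caller-supplied name most needs checking before it is passed in. Both enclosing functions start and end outside the hunks shown.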