libXpm: Changes to 'master'

GitLab Mirror gitlab-mirror at kemper.freedesktop.org
Tue Jan 17 16:11:52 UTC 2023


 README.md                                   |   12 +++++++++
 configure.ac                                |   15 ++++++++++-
 src/RdFToI.c                                |   17 ++++++++++--
 src/WrFFrI.c                                |    4 +--
 src/create.c                                |    6 +++-
 src/data.c                                  |   24 +++++++++++++-----
 src/parse.c                                 |   31 ++++++++++++++++++++---
 test/Makefile.am                            |    3 ++
 test/pixmaps/README.md                      |    6 ++++
 test/pixmaps/invalid/unending-comment-c.xpm |   30 ++++++++++++++++++++++
 test/pixmaps/invalid/zero-width-v1.xpm      |   37 ++++++++++++++++++++++++++++
 test/pixmaps/invalid/zero-width.xpm         |   35 ++++++++++++++++++++++++++
 12 files changed, 203 insertions(+), 17 deletions(-)

New commits:
commit 8178eb0834d82242e1edbc7d4fb0d1b397569c68
Author: Peter Hutterer <peter.hutterer at who-t.net>
Date:   Mon Jan 16 19:44:52 2023 +1000

    Use gzip -d instead of gunzip
    
    GNU gunzip [1] is a shell script that exec's `gzip -d`. Even if we call
    /usr/bin/gunzip with the correct built-in path, the actual gzip call
    will use whichever gzip it finds first, making our patch pointless.
    
    Fix this by explicitly calling gzip -d instead.
    
    https://git.savannah.gnu.org/cgit/gzip.git/tree/gunzip.in
    
    [Part of the fix for CVE-2022-4883]
    Signed-off-by: Peter Hutterer <peter.hutterer at who-t.net>

commit c5ab17bcc34914c0b0707d2135dbebe9a367c5f0
Author: Matthieu Herrb <matthieu at herrb.eu>
Date:   Thu Jan 12 15:05:39 2023 +1000

    Prevent a double free in the error code path
    
    xpmParseDataAndCreate() calls XDestroyImage() in the error path.
    Reproducible with sxpm "zero-width.xpm", that file is in the test/
    directory.
    
    The same approach is needed in the bytes_per_line == 0 condition though
    here it just plugs a memory leak.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 515294bb8023a45ff916696d0a14308ff4f3a376
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri Jan 6 12:50:48 2023 -0800

    Fix CVE-2022-4883: compression commands depend on $PATH
    
    By default, on all platforms except MinGW, libXpm will detect if a
    filename ends in .Z or .gz, and will when reading such a file fork off
    an uncompress or gunzip command to read from via a pipe, and when
    writing such a file will fork off a compress or gzip command to write
    to via a pipe.
    
    In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH
    to find the commands.  If libXpm is called from a program running with
    raised privileges, such as via setuid, then a malicious user could set
    $PATH to include programs of their choosing to be run with those
    privileges.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit f80fa6ae47ad4a5beacb287c0030c9913b046643
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Jan 7 12:44:28 2023 -0800

    Fix CVE-2022-44617: Runaway loop with width of 0 and enormous height
    
    When reading XPM images from a file with libXpm 3.5.14 or older, if an
    image has a width of 0 and a very large height, the ParsePixels() function
    will loop over the entire height calling getc() and ungetc() repeatedly,
    or in some circumstances, may loop seemingly forever, which may cause a
    denial of service to the calling program when given a small crafted XPM
    file to parse.
    
    Closes: #2
    
    Reported-by: Martin Ettl <ettl.martin78 at googlemail.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit f7fbbb92f6d383b21dd1587c3703a5de37c625b5
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Tue Jan 3 17:23:58 2023 -0800

    test: add test cases for CVE-2022-44617 (zero-width w/enormous height)
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit a3a7c6dcc3b629d765014816c566c63165c63ca8
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Dec 17 12:23:45 2022 -0800

    Fix CVE-2022-46285: Infinite loop on unclosed comments
    
    When reading XPM images from a file with libXpm 3.5.14 or older, if a
    comment in the file is not closed (i.e. a C-style comment starts with
    "/*" and is missing the closing "*/"), the ParseComment() function will
    loop forever calling getc() to try to read the rest of the comment,
    failing to notice that it has returned EOF, which may cause a denial of
    service to the calling program.
    
    Reported-by: Marco Ivaldi <raptor at 0xdeadbeef.info>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit f7a167a48a950b89b91f5123a0ec8d9a7cb97495
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Dec 17 12:18:24 2022 -0800

    test: add test case for CVE-2022-46285 (unclosed comments)
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
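
The unclosed-comment failure described in the CVE-2022-46285 commit message above, as an added example that is not libXpm's ParseComment() or any code from these commits: a simplified comment scanner that ignores EOF, next to one that checks every getc() result. The function names, the sample strings and the read cap are assumptions made for the illustration.

```c
#include <stdio.h>
/* Constructed samples, not the files in libXpm's test/ directory. */
const char CLOSED[]   = "/* XPM */static char *x[] = {";
const char UNCLOSED[] = "/* XPM static char *x[] = {";

/* Naive scan: never tests for EOF, so once the input ends the loop cannot stop
 * by itself. max_reads only bounds the demonstration. Returns getc() calls. */
long skip_comment_naive(FILE *f, long max_reads)
{
    long reads = 0;
    int c = 0, prev;
    do {
        prev = c;
        c = getc(f);
    } while (++reads < max_reads && !(prev == '*' && c == '/'));
    return reads;
}

/* EOF-aware scan: each getc() result is kept in an int and compared with EOF
 * before use. Returns 0 if the comment is closed, -1 if the input ends first. */
int skip_comment_checked(FILE *f)
{
    int c, prev = 0;
    while ((c = getc(f)) != EOF) {
        if (prev == '*' && c == '/') return 0;
        prev = c;
    }
    return -1;
}

/* Scan a sample from just past its 2-byte opener; cap == 0 picks the checked scan. */
long scan_sample(const char *text, long cap)
{
    FILE *f = tmpfile();
    long r;
    if (f == NULL) return -2;   /* no temporary file available */
    fputs(text, f);
    fseek(f, 2L, SEEK_SET);
    r = cap ? skip_comment_naive(f, cap) : skip_comment_checked(f);
    fclose(f);
    return r;
}

int main(void)
{
    printf("%ld %ld %ld %ld\n", scan_sample(CLOSED, 0), scan_sample(UNCLOSED, 0),
           scan_sample(CLOSED, 100000), scan_sample(UNCLOSED, 100000));
    return 0;
}
```

On the unclosed sample the naive scan stops only because it reaches the cap, while the checked scan returns -1 as soon as the input ends.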


