Version in base suite: 3.5.12-1.1 Base version: libxpm_3.5.12-1.1 Target version: libxpm_3.5.12-1.1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libx/libxpm/libxpm_3.5.12-1.1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libx/libxpm/libxpm_3.5.12-1.1+deb12u1.dsc .gitignore | 78 -- .pc/.quilt_patches | 1 .pc/.quilt_series | 1 .pc/.version | 1 cxpm/.gitignore | 3 debian/patches/0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch | 32 + debian/patches/0002-test-Add-test-case-for-CVE-2023-43789-corrupt-colorm.patch | 44 + debian/patches/0003-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch | 36 + debian/patches/0004-test-Add-test-case-for-CVE-2023-43786-stack-exhausti.patch | 294 ++++++++++ debian/patches/0005-Avoid-CVE-2023-43786-stack-exhaustion-in-XPutImage.patch | 270 +++++++++ debian/patches/0006-test-Add-test-case-for-CVE-2023-43787-integer-overfl.patch | 48 + debian/patches/0007-Avoid-CVE-2023-43787-integer-overflow-in-XCreateImag.patch | 36 + debian/patches/stdint.patch | 14 libxpm-3.5.12/debian/changelog | 9 libxpm-3.5.12/debian/patches/Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch | 21 libxpm-3.5.12/debian/patches/Use-gzip-d-instead-of-gunzip.patch | 18 libxpm-3.5.12/debian/patches/configure-add-disable-open-zfile-instead-of-requirin.patch | 12 libxpm-3.5.12/debian/patches/series | 8 sxpm/.gitignore | 3 19 files changed, 809 insertions(+), 120 deletions(-) reverted: --- libxpm-3.5.12/.gitignore +++ libxpm-3.5.12.orig/.gitignore 
@@ -1,78 +0,0 @@ -# -# X.Org module default exclusion patterns -# The next section if for module specific patterns -# -# Do not edit the following section -# GNU Build System (Autotools) -aclocal.m4 -autom4te.cache/ -autoscan.log -ChangeLog -compile -config.guess -config.h -config.h.in -config.log -config-ml.in -config.py -config.status -config.status.lineno -config.sub -configure -configure.scan -depcomp -.deps/ -INSTALL -install-sh -.libs/ -libtool -libtool.m4 -ltmain.sh -lt~obsolete.m4 -ltoptions.m4 -ltsugar.m4 -ltversion.m4 -Makefile -Makefile.in -mdate-sh -missing -mkinstalldirs -*.pc -py-compile -stamp-h? -symlink-tree -texinfo.tex -ylwrap - -# Do not edit the following section -# Edit Compile Debug Document Distribute -*~ -*.[0-9] -*.[0-9]x -*.bak -*.bin -core -*.dll -*.exe -*-ISO*.bdf -*-JIS*.bdf -*-KOI8*.bdf -*.kld -*.ko -*.ko.cmd -*.lai -*.l[oa] -*.[oa] -*.obj -*.patch -*.so -*.pcf.gz -*.pdb -*.tar.bz2 -*.tar.gz -# -# Add & Override patterns for libXpm -# -# Edit the following section as needed -# For example, !report.pc overrides *.pc. See 'man gitignore' -# reverted: --- libxpm-3.5.12/cxpm/.gitignore +++ libxpm-3.5.12.orig/cxpm/.gitignore @@ -1,3 +0,0 @@ -# Add & Override for this directory and it's subdirectories -cxpm -cxpm.po diff -u libxpm-3.5.12/debian/changelog libxpm-3.5.12/debian/changelog --- libxpm-3.5.12/debian/changelog +++ libxpm-3.5.12/debian/changelog 
@@ -1,3 +1,12 @@ +libxpm (1:3.5.12-1.1+deb12u1) bookworm-security; urgency=high + + * CVE-2023-43788: out of bounds read in XpmCreateXpmImageFromBuffer() + * CVE-2023-43789: out of bounds read on XPM with corrupted colormap + * Avoid CVE-2023-43786: stack exhaustion in XPutImage() + * Avoid CVE-2023-43787 (integer overflow in XCreateImage) + + -- Julien Cristau Tue, 03 Oct 2023 11:59:05 +0200 + libxpm (1:3.5.12-1.1) unstable; urgency=medium * Non-maintainer upload. diff -u libxpm-3.5.12/debian/patches/Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch libxpm-3.5.12/debian/patches/Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch --- libxpm-3.5.12/debian/patches/Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch +++ libxpm-3.5.12/debian/patches/Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch @@ -15,12 +15,10 @@ Reported-by: Martin Ettl Signed-off-by: Alan Coopersmith --- - src/data.c | 20 ++++++++++++++------ - src/parse.c | 31 +++++++++++++++++++++++++++---- + src/data.c | 20 ++++++++++++++------ + src/parse.c | 31 +++++++++++++++++++++++++++---- 2 files changed, 41 insertions(+), 10 deletions(-) -diff --git a/src/data.c b/src/data.c -index bfad4ff..7524e65 100644 --- a/src/data.c +++ b/src/data.c @@ -195,19 +195,23 @@ xpmNextString(xpmData *data) @@ -75,11 +73,9 @@ } -diff --git a/src/parse.c b/src/parse.c -index 037fc66..64f51ba 100644 --- a/src/parse.c +++ b/src/parse.c -@@ -427,6 +427,13 @@ ParsePixels( +@@ -391,6 +391,13 @@ ParsePixels( { unsigned int *iptr, *iptr2 = NULL; /* found by Egbert Eich */ unsigned int a, x, y; @@ -93,7 +89,7 @@ if ((height > 0 && width >= UINT_MAX / height) || width * height >= UINT_MAX / sizeof(unsigned int)) -@@ -464,7 +471,11 @@ ParsePixels( +@@ -428,7 +435,11 @@ ParsePixels( colidx[(unsigned char)colorTable[a].string[0]] = a + 1; for (y = 0; y < height; y++) { 
@@ -106,7 +102,7 @@ for (x = 0; x < width; x++, iptr++) { int c = xpmGetC(data); -@@ -511,7 +522,11 @@ do \ +@@ -475,7 +486,11 @@ do \ } for (y = 0; y < height; y++) { @@ -119,7 +115,7 @@ for (x = 0; x < width; x++, iptr++) { int cc1 = xpmGetC(data); if (cc1 > 0 && cc1 < 256) { -@@ -551,7 +566,11 @@ do \ +@@ -515,7 +530,11 @@ do \ xpmHashAtom *slot; for (y = 0; y < height; y++) { @@ -132,7 +128,7 @@ for (x = 0; x < width; x++, iptr++) { for (a = 0, s = buf; a < cpp; a++, s++) { int c = xpmGetC(data); -@@ -571,7 +590,11 @@ do \ +@@ -535,7 +554,11 @@ do \ } } else { for (y = 0; y < height; y++) { @@ -145,6 +141,3 @@ for (x = 0; x < width; x++, iptr++) { for (a = 0, s = buf; a < cpp; a++, s++) { int c = xpmGetC(data); --- -2.15.2 - diff -u libxpm-3.5.12/debian/patches/Use-gzip-d-instead-of-gunzip.patch libxpm-3.5.12/debian/patches/Use-gzip-d-instead-of-gunzip.patch --- libxpm-3.5.12/debian/patches/Use-gzip-d-instead-of-gunzip.patch +++ libxpm-3.5.12/debian/patches/Use-gzip-d-instead-of-gunzip.patch @@ -14,16 +14,13 @@ [Part of the fix for CVE-2022-4883] Signed-off-by: Peter Hutterer --- - README.md | 2 +- - configure.ac | 3 +-- - src/RdFToI.c | 2 +- - 3 files changed, 3 insertions(+), 4 deletions(-) + configure.ac | 3 +-- + src/RdFToI.c | 2 +- + 2 files changed, 2 insertions(+), 3 deletions(-) -diff --git a/configure.ac b/configure.ac -index e6b6509..6cd165f 100644 --- a/configure.ac +++ b/configure.ac -@@ -58,7 +58,7 @@ AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path to $2]) +@@ -57,7 +57,7 @@ AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path ]) dnl End of AC_DEFUN([XPM_PATH_PROG]... # Optional feature: When a filename ending in .Z or .gz is requested, @@ -32,7 +29,7 @@ # handle it. AC_MSG_CHECKING([whether to handle compressed pixmaps]) case $host_os in -@@ -77,7 +77,6 @@ else +@@ -75,7 +75,6 @@ else XPM_PATH_PROG([XPM_PATH_COMPRESS], [compress]) XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress]) XPM_PATH_PROG([XPM_PATH_GZIP], [gzip]) 
@@ -40,8 +37,6 @@ AC_CHECK_FUNCS([closefrom close_range], [break]) fi -diff --git a/src/RdFToI.c b/src/RdFToI.c -index a91d337..141c485 100644 --- a/src/RdFToI.c +++ b/src/RdFToI.c @@ -251,7 +251,7 @@ OpenReadFile( @@ -53,6 +48,3 @@ } else #endif /* z-files */ --- -2.15.2 - diff -u libxpm-3.5.12/debian/patches/configure-add-disable-open-zfile-instead-of-requirin.patch libxpm-3.5.12/debian/patches/configure-add-disable-open-zfile-instead-of-requirin.patch --- libxpm-3.5.12/debian/patches/configure-add-disable-open-zfile-instead-of-requirin.patch +++ libxpm-3.5.12/debian/patches/configure-add-disable-open-zfile-instead-of-requirin.patch @@ -9,15 +9,12 @@ Signed-off-by: Alan Coopersmith --- - README.md | 15 +++++++++++++++ - configure.ac | 36 +++++++++++++++++++++++------------- - 2 files changed, 38 insertions(+), 13 deletions(-) + configure.ac | 36 +++++++++++++++++++++++------------- + 1 file changed, 23 insertions(+), 13 deletions(-) -diff --git a/configure.ac b/configure.ac -index 789a96e70831..1b648309705c 100644 --- a/configure.ac +++ b/configure.ac -@@ -49,25 +49,35 @@ if test "x$USE_GETTEXT" = "xyes" ; then +@@ -48,25 +48,35 @@ if test "x$USE_GETTEXT" = "xyes" ; then fi AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes") @@ -66,6 +63,3 @@ AC_CONFIG_FILES([Makefile doc/Makefile include/Makefile --- -2.39.0 - diff -u libxpm-3.5.12/debian/patches/series libxpm-3.5.12/debian/patches/series --- libxpm-3.5.12/debian/patches/series +++ libxpm-3.5.12/debian/patches/series 
@@ -4,3 +4,11 @@
 Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
 Prevent-a-double-free-in-the-error-code-path.patch
 Use-gzip-d-instead-of-gunzip.patch
+0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
+#0002-test-Add-test-case-for-CVE-2023-43789-corrupt-colorm.patch
+0003-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch
+0004-test-Add-test-case-for-CVE-2023-43786-stack-exhausti.patch
+0005-Avoid-CVE-2023-43786-stack-exhaustion-in-XPutImage.patch
+0006-test-Add-test-case-for-CVE-2023-43787-integer-overfl.patch
+0007-Avoid-CVE-2023-43787-integer-overflow-in-XCreateImag.patch
+stdint.patch
reverted:
--- libxpm-3.5.12/sxpm/.gitignore
+++ libxpm-3.5.12.orig/sxpm/.gitignore
@@ -1,3 +0,0 @@
-# Add & Override for this directory and it's subdirectories
-sxpm
-sxpm.po
only in patch2: unchanged:
--- libxpm-3.5.12.orig/.pc/.quilt_patches
+++ libxpm-3.5.12/.pc/.quilt_patches
@@ -0,0 +1 @@
+debian/patches
only in patch2: unchanged:
--- libxpm-3.5.12.orig/.pc/.quilt_series
+++ libxpm-3.5.12/.pc/.quilt_series
@@ -0,0 +1 @@
+series
only in patch2: unchanged:
--- libxpm-3.5.12.orig/.pc/.version
+++ libxpm-3.5.12/.pc/.version
@@ -0,0 +1 @@
+2
only in patch2: unchanged:
--- libxpm-3.5.12.orig/debian/patches/0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
+++ libxpm-3.5.12/debian/patches/0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
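Review bot: The series entry `#0002-test-Add-test-case-for-CVE-2023-43789-corrupt-colorm.patch` is commented out with no explanation, so the corrupt-colormap.xpm regression file is not applied even though the fix it exercises (0003) is. Patch 0002 carries a git binary patch, which is presumably why it is skipped, but the series file does not say so. A comment line above the entry would record the reason, e.g. `# 0002 is not applied: <reason, e.g. binary test file cannot be applied at build time>`, so a later reader does not take the disabled test for an oversight.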
@@ -0,0 +1,32 @@
+From 2fa554b01ef6079a9b35df9332bdc4f139ed67e0 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Sat, 29 Apr 2023 17:50:39 -0700
+Subject: [PATCH libXpm 1/7] Fix CVE-2023-43788: Out of bounds read in
+ XpmCreateXpmImageFromBuffer
+
+When the test case for CVE-2022-46285 was run with the Address Sanitizer
+enabled, it found an out-of-bounds read in ParseComment() when reading
+from a memory buffer instead of a file, as it continued to look for the
+closing comment marker past the end of the buffer.
+
+Signed-off-by: Alan Coopersmith
+---
+ src/data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/data.c b/src/data.c
+index 7524e65..0b0f1f3 100644
+--- a/src/data.c
++++ b/src/data.c
+@@ -108,7 +108,7 @@ ParseComment(xpmData *data)
+ n++;
+ s2++;
+ } while (c == *s2 && *s2 != '\0' && c);
+- if (*s2 == '\0') {
++ if (*s2 == '\0' || c == '\0') {
+ /* this is the end of the comment */
+ notend = 0;
+ data->cptr--;
+--
+2.39.3
+
only in patch2: unchanged:
--- libxpm-3.5.12.orig/debian/patches/0002-test-Add-test-case-for-CVE-2023-43789-corrupt-colorm.patch
+++ libxpm-3.5.12/debian/patches/0002-test-Add-test-case-for-CVE-2023-43789-corrupt-colorm.patch
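Review bot: The comment `/* this is the end of the comment */` under the changed condition is now inaccurate: with `|| c == '\0'` the branch is also taken when a NUL is read before the closing marker has matched, i.e. the buffer ended inside an unterminated comment. I would update it to `/* end of the comment, or NUL reached before the closing marker (unterminated comment in a memory buffer) */`. From the visible lines the unterminated case sets `notend = 0` exactly like a well-formed comment, so whether such input is later rejected depends on code outside this hunk. ParseComment starts and ends outside the hunk.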
@@ -0,0 +1,44 @@ +From a21e7bcf0ca3d8c1605b2721a545440260870438 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 29 Apr 2023 18:29:29 -0700 +Subject: [PATCH libXpm 2/7] test: Add test case for CVE-2023-43789 (corrupt + colormap info) + +Generated by clang's -fsanitize/libfuzzer + +Signed-off-by: Alan Coopersmith +--- + test/pixmaps/README.md | 3 +++ + test/pixmaps/invalid/corrupt-colormap.xpm | Bin 0 -> 156 bytes + 2 files changed, 3 insertions(+) + create mode 100644 test/pixmaps/invalid/corrupt-colormap.xpm + +diff --git a/test/pixmaps/README.md b/test/pixmaps/README.md +index f51af00..4f2cbae 100644 +--- a/test/pixmaps/README.md ++++ b/test/pixmaps/README.md +@@ -58,6 +58,9 @@ return XpmFileInvalid when parsed. + - zero-width.xpm & zero-width-v1.xpm - These files declare a width of 0 + and a height of nearly UINT_MAX, to test for CVE-2022-44617 + ++- corrupt-colormap.xpm - This file was generated by the clang libfuzzer, ++ and serves as a test for CVE-2023-43789 ++ + no-mem + ------ + +diff --git a/test/pixmaps/invalid/corrupt-colormap.xpm b/test/pixmaps/invalid/corrupt-colormap.xpm +new file mode 100644 +index 0000000000000000000000000000000000000000..46cd738e8dd3512434130018dc4028fd93d049a0 +GIT binary patch +literal 156 +zcmY++!3u*g5QJf`?j!Uxo(qMBzDA+P_O#fzXmCv+5!9z|jX4Q(8b1C8@7L3iG1&LO +zof_DnAtt&37EwCX6PCfv0wk#GhnWvSpA7ma;&<`Y){aH^;M1& + +literal 0 +HcmV?d00001 + +-- +2.39.3 + only in patch2: unchanged: --- libxpm-3.5.12.orig/debian/patches/0003-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch +++ libxpm-3.5.12/debian/patches/0003-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch 
@@ -0,0 +1,36 @@
+From 7e21cb63b9a1ca760a06cc4cd9b19bbc3fcd8f51 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Sat, 29 Apr 2023 18:30:34 -0700
+Subject: [PATCH libXpm 3/7] Fix CVE-2023-43789: Out of bounds read on XPM with
+ corrupted colormap
+
+Found with clang's libfuzzer
+
+Signed-off-by: Alan Coopersmith
+---
+ src/data.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/data.c b/src/data.c
+index 0b0f1f3..6e87455 100644
+--- a/src/data.c
++++ b/src/data.c
+@@ -259,13 +259,13 @@ xpmNextWord(
+ int c;
+
+ if (!data->type || data->type == XPMBUFFER) {
+- while (isspace(c = *data->cptr) && c != data->Eos)
++ while ((c = *data->cptr) && isspace(c) && (c != data->Eos))
+ data->cptr++;
+ do {
+ c = *data->cptr++;
+ *buf++ = c;
+ n++;
+- } while (!isspace(c) && c != data->Eos && n < buflen);
++ } while (c && !isspace(c) && (c != data->Eos) && (n < buflen));
+ n--;
+ data->cptr--;
+ } else {
+--
+2.39.3
+
only in patch2: unchanged:
--- libxpm-3.5.12.orig/debian/patches/0004-test-Add-test-case-for-CVE-2023-43786-stack-exhausti.patch
+++ libxpm-3.5.12/debian/patches/0004-test-Add-test-case-for-CVE-2023-43786-stack-exhausti.patch
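Review bot: Both rewritten loop conditions still pass `c` straight to `isspace()`, and `c` is an `int` loaded from `*data->cptr`. If `cptr` is a plain `char *` (its declaration is outside the hunk), a byte above 0x7f on a signed-char platform becomes negative, which is undefined behaviour for the `<ctype.h>` functions. Since this branch parses XPM data from a caller-supplied buffer, I would cast at the call sites: `while ((c = *data->cptr) && isspace((unsigned char)c) && (c != data->Eos))` and `} while (c && !isspace((unsigned char)c) && (c != data->Eos) && (n < buflen));`. xpmNextWord's body continues outside the hunk.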
@@ -0,0 +1,294 @@ +From edb97396620f019f8d2e707ad3fbaf6bbbd5ed36 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Tue, 5 Sep 2023 17:01:58 -0700 +Subject: [PATCH libXpm 4/7] test: Add test case for CVE-2023-43786 (stack + exhaustion in PutImage) + +Provided by Yair Mizrahi of the JFrog Vulnerability Research team + +Signed-off-by: Alan Coopersmith +--- + test/pixmaps/other/overflow-stackexhaustion.xpm | 277 ++++++++++++++++++++++++ + 1 file changed, 277 insertions(+) + create mode 100644 test/pixmaps/other/overflow-stackexhaustion.xpm + +--- /dev/null ++++ b/test/pixmaps/other/overflow-stackexhaustion.xpm +@@ -0,0 +1,277 @@ ++/* XPM */ ++/* ++ * Copyright (c) 1993, 1995, Oracle and/or its affiliates. ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a ++ * copy of this software and associated documentation files (the "Software"), ++ * to deal in the Software without restriction, including without limitation ++ * the rights to use, copy, modify, merge, publish, distribute, sublicense, ++ * and/or sell copies of the Software, and to permit persons to whom the ++ * Software is furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice (including the next ++ * paragraph) shall be included in all copies or substantial portions of the ++ * Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL ++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING ++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER ++ * DEALINGS IN THE SOFTWARE. 
++ */ ++static char * Dimple_pm[] = { ++/* width height ncolors cpp [x_hot y_hot] */ ++"000000090000 1 247 1 1 1", ++/* colors */ ++" s background m black c #ffffffffffff", ++". s topShadowColor m white c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c 
#ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c 
#ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c 
#ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c 
#ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c 
#ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c 
#ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++" ++ s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"} s bottomShadowColor m black c #ffffffffffff", ++"; s bottomShadowColor m black c #ffffffffffff", ++". s bottomShadowColor m black c #ffffffffffff", ++/* pixels */ ++" }; only in patch2: unchanged: --- libxpm-3.5.12.orig/debian/patches/0005-Avoid-CVE-2023-43786-stack-exhaustion-in-XPutImage.patch +++ libxpm-3.5.12/debian/patches/0005-Avoid-CVE-2023-43786-stack-exhaustion-in-XPutImage.patch 
@@ -0,0 +1,270 @@
+From 3446b4dbf970223f16f8ea294b723fc2e86bc4c4 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Wed, 6 Sep 2023 17:34:33 -0700
+Subject: [PATCH libXpm 5/7] Avoid CVE-2023-43786: stack exhaustion in
+ XPutImage()
+
+This doesn't fix the CVE - that has to happen in libX11, this
+just tries to avoid triggering it from libXpm, and saves time
+in not pretending we can successfully create an X11 pixmap with
+dimensions larger than the unsigned 16-bit integers used in the
+X11 protocol for the dimensions.
+
+Reported by Yair Mizrahi of the JFrog Vulnerability Research team
+
+Signed-off-by: Alan Coopersmith
+---
+ src/CrPFrBuf.c | 28 +++++++++++++++++++++++-----
+ src/CrPFrDat.c | 31 +++++++++++++++++++++++--------
+ src/CrPFrI.c | 9 ++++++++-
+ src/RdFToP.c | 28 +++++++++++++++++++++++-----
+ src/XpmI.h | 4 ++--
+ src/create.c | 28 +++++++++++++++++++++++-----
+ 6 files changed, 102 insertions(+), 26 deletions(-)
+
+--- a/src/CrPFrBuf.c
++++ b/src/CrPFrBuf.c
+@@ -46,7 +46,7 @@ XpmCreatePixmapFromBuffer(
+ Pixmap *shapemask_return,
+ XpmAttributes *attributes)
+ {
+- XImage *ximage, *shapeimage;
++ XImage *ximage = NULL, *shapeimage = NULL;
+ int ErrorStatus;
+
+ /* initialize return values */
+@@ -63,16 +63,34 @@ XpmCreatePixmapFromBuffer(
+ attributes);
+
+ if (ErrorStatus < 0) /* fatal error */
+- return (ErrorStatus);
++ goto cleanup;
+
+ /* create the pixmaps and destroy images */
+ if (pixmap_return && ximage) {
+- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
+- XDestroyImage(ximage);
++ ErrorStatus =
++ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
++ if (ErrorStatus < 0) /* fatal error */
++ goto cleanup;
+ }
+ if (shapemask_return && shapeimage) {
+- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
++ ErrorStatus =
++ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
++ }
++
++ cleanup:
++ if (ximage != NULL)
++ XDestroyImage(ximage);
++ if (shapeimage != NULL)
+ XDestroyImage(shapeimage);
++ if (ErrorStatus < 0) {
++ if (pixmap_return && *pixmap_return) {
++ XFreePixmap(display, *pixmap_return);
++ *pixmap_return = 0;
++ }
++ if (shapemask_return && *shapemask_return) {
++ XFreePixmap(display, *shapemask_return);
++ *shapemask_return = 0;
++ }
+ }
+ return (ErrorStatus);
+ }
+--- a/src/CrPFrDat.c
++++ b/src/CrPFrDat.c
+@@ -46,7 +46,7 @@ XpmCreatePixmapFromData(
+ Pixmap *shapemask_return,
+ XpmAttributes *attributes)
+ {
+- XImage *ximage, *shapeimage;
++ XImage *ximage = NULL, *shapeimage = NULL;
+ int ErrorStatus;
+
+ /* initialize return values */
+@@ -63,19 +63,34 @@ XpmCreatePixmapFromData(
+ attributes);
+
+ if (ErrorStatus != XpmSuccess)
+- return (ErrorStatus);
+-
+- if (ErrorStatus < 0) /* fatal error */
+- return (ErrorStatus);
++ goto cleanup;
+
+ /* create the pixmaps and destroy images */
+ if (pixmap_return && ximage) {
+- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
+- XDestroyImage(ximage);
++ ErrorStatus =
++ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
++ if (ErrorStatus < 0) /* fatal error */
++ goto cleanup;
+ }
+ if (shapemask_return && shapeimage) {
+- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
++ ErrorStatus =
++ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
++ }
++
++ cleanup:
++ if (ximage != NULL)
++ XDestroyImage(ximage);
++ if (shapeimage != NULL)
+ XDestroyImage(shapeimage);
++ if (ErrorStatus < 0) {
++ if (pixmap_return && *pixmap_return) {
++ XFreePixmap(display, *pixmap_return);
++ *pixmap_return = 0;
++ }
++ if (shapemask_return && *shapemask_return) {
++ XFreePixmap(display, *shapemask_return);
++ *shapemask_return = 0;
++ }
+ }
+ return (ErrorStatus);
+ }
+--- a/src/CrPFrI.c
++++ b/src/CrPFrI.c
+@@ -37,7 +37,7 @@
+ #endif
+ #include "XpmI.h"
+
+-void
++int
+ xpmCreatePixmapFromImage(
+ Display *display,
+ Drawable d,
+@@ -47,6 +47,11 @@ xpmCreatePixmapFromImage(
+ GC gc;
+ XGCValues values;
+
++ /* X Pixmaps are limited to unsigned 16-bit height/width */
++ if ((ximage->width > UINT16_MAX) || (ximage->height > UINT16_MAX)) {
++ return XpmNoMemory;
++ }
++
+ *pixmap_return = XCreatePixmap(display, d, ximage->width,
+ ximage->height, ximage->depth);
+ /* set fg and bg in case we have an XYBitmap */
+@@ -59,4 +64,6 @@ xpmCreatePixmapFromImage(
+ ximage->width, ximage->height);
+
+ XFreeGC(display, gc);
++
++ return XpmSuccess;
+ }
+--- a/src/RdFToP.c
++++ b/src/RdFToP.c
+@@ -46,7 +46,7 @@ XpmReadFileToPixmap(
+ Pixmap *shapemask_return,
+ XpmAttributes *attributes)
+ {
+- XImage *ximage, *shapeimage;
++ XImage *ximage = NULL, *shapeimage = NULL;
+ int ErrorStatus;
+
+ /* initialize return values */
+@@ -62,16 +62,34 @@ XpmReadFileToPixmap(
+ attributes);
+
+ if (ErrorStatus < 0) /* fatal error */
+- return (ErrorStatus);
++ goto cleanup;
+
+ /* create the pixmaps and destroy images */
+ if (pixmap_return && ximage) {
+- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
+- XDestroyImage(ximage);
++ ErrorStatus =
++ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
++ if (ErrorStatus < 0) /* fatal error */
++ goto cleanup;
+ }
+ if (shapemask_return && shapeimage) {
+- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
++ ErrorStatus =
++ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
++ }
++
++ cleanup:
++ if (ximage != NULL)
++ XDestroyImage(ximage);
++ if (shapeimage != NULL)
+ XDestroyImage(shapeimage);
++ if (ErrorStatus < 0) {
++ if (pixmap_return && *pixmap_return) {
++ XFreePixmap(display, *pixmap_return);
++ *pixmap_return = 0;
++ }
++ if (shapemask_return && *shapemask_return) {
++ XFreePixmap(display, *shapemask_return);
++ *shapemask_return = 0;
++ }
+ }
+ return (ErrorStatus);
+ }
+--- a/src/XpmI.h
++++ b/src/XpmI.h
+@@ -188,8 +188,8 @@ FUNC(xpmSetAttributes, void, (XpmAttribu
+ XpmInfo *info));
+
+ #if !defined(FOR_MSW) && !defined(AMIGA)
+-FUNC(xpmCreatePixmapFromImage, void, (Display *display, Drawable d,
+- XImage *ximage, Pixmap *pixmap_return));
++FUNC(xpmCreatePixmapFromImage, int, (Display *display, Drawable d,
++ XImage *ximage, Pixmap *pixmap_return));
+
+ FUNC(xpmCreateImageFromPixmap, void, (Display *display, Pixmap pixmap,
+ XImage **ximage_return,
+--- a/src/create.c
++++ b/src/create.c
+@@ -1652,7 +1652,7 @@ XpmCreatePixmapFromXpmImage(
+ Pixmap *shapemask_return,
+ XpmAttributes *attributes)
+ {
+- XImage *ximage, *shapeimage;
++ XImage *ximage = NULL, *shapeimage = NULL;
+ int ErrorStatus;
+
+ /* initialize return values */
+@@ -1668,16 +1668,34 @@ XpmCreatePixmapFromXpmImage(
+ &shapeimage : NULL),
+ attributes);
+ if (ErrorStatus < 0)
+- return (ErrorStatus);
++ goto cleanup;
+
+ /* create the pixmaps and destroy images */
+ if (pixmap_return && ximage) {
+- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
+- XDestroyImage(ximage);
++ ErrorStatus =
++ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
++ if (ErrorStatus < 0) /* fatal error */
++ goto cleanup;
+ }
+ if (shapemask_return && shapeimage) {
+- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
++ ErrorStatus =
++ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
++ }
++
++ cleanup:
++ if (ximage != NULL)
++ XDestroyImage(ximage);
++ if (shapeimage != NULL)
+ XDestroyImage(shapeimage);
++ if (ErrorStatus < 0) {
++ if (pixmap_return && *pixmap_return) {
++ XFreePixmap(display, *pixmap_return);
++ *pixmap_return = 0;
++ }
++ if (shapemask_return && *shapemask_return) {
++ XFreePixmap(display, *shapemask_return);
++ *shapemask_return = 0;
++ }
+ }
+ return (ErrorStatus);
+ }
only in patch2: unchanged:
--- libxpm-3.5.12.orig/debian/patches/0006-test-Add-test-case-for-CVE-2023-43787-integer-overfl.patch
+++ libxpm-3.5.12/debian/patches/0006-test-Add-test-case-for-CVE-2023-43787-integer-overfl.patch
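Review bot: In `XpmCreatePixmapFromBuffer`, and in the identical hunks for `XpmReadFileToPixmap` and `XpmCreatePixmapFromXpmImage`, storing the result of `xpmCreatePixmapFromImage()` directly in `ErrorStatus` discards any non-negative, non-success status left by the earlier image-creation call; the `< 0` "fatal error" test lets such a status through (presumably the colour warning `XpmColorError`), so a caller that used to receive it would now see `XpmSuccess`. Keeping the pixmap result in its own local preserves it: `int rc = xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);` followed by `if (rc < 0) { ErrorStatus = rc; goto cleanup; }`, and the same for the shape mask. Separately, the new guard in `xpmCreatePixmapFromImage` only rejects dimensions above `UINT16_MAX`, so a zero or negative `width`/`height` would still reach `XCreatePixmap` unless it is rejected earlier; a lower bound such as `ximage->width <= 0 ||` is worth adding, along with a comment that `XpmNoMemory` is being reused to mean "too large for the protocol". The bodies of these functions start and end outside the hunks.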
@@ -0,0 +1,48 @@
+From ec92147890b7985756d8917c25363777de4599fe Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Thu, 7 Sep 2023 16:55:25 -0700
+Subject: [PATCH libXpm 6/7] test: Add test case for CVE-2023-43787 (integer
+ overflow in XCreateImage)
+
+Provided by Yair Mizrahi of the JFrog Vulnerability Research team
+
+Signed-off-by: Alan Coopersmith
+---
+ test/pixmaps/invalid/width-overflow.xpm | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+ create mode 100644 test/pixmaps/invalid/width-overflow.xpm
+
+--- /dev/null
++++ b/test/pixmaps/invalid/width-overflow.xpm
+@@ -0,0 +1,31 @@
++/* XPM */
++/*
++ * Copyright (c) 1993, 1995, Oracle and/or its affiliates.
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a
++ * copy of this software and associated documentation files (the "Software"),
++ * to deal in the Software without restriction, including without limitation
++ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
++ * and/or sell copies of the Software, and to permit persons to whom the
++ * Software is furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice (including the next
++ * paragraph) shall be included in all copies or substantial portions of the
++ * Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
++ * DEALINGS IN THE SOFTWARE.
++ */
++static char * Dimple_pm[] = {
++/* width height ncolors cpp [x_hot y_hot] */
++"536871019 1 2 1 1 1",
++/* colors */
++" c #40a100",
++".
c #434241", ++/* pixels */ ++" .................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
................................................................................................................................................................... only in patch2: unchanged: --- libxpm-3.5.12.orig/debian/patches/0007-Avoid-CVE-2023-43787-integer-overflow-in-XCreateImag.patch +++ libxpm-3.5.12/debian/patches/0007-Avoid-CVE-2023-43787-integer-overflow-in-XCreateImag.patch @@ -0,0 +1,36 @@ +From 3bc3d486bcdb1d95bcb0ebc7d6fe5a18dc4eee95 Mon Sep 17 00:00:00 2001 +From: Yair Mizrahi +Date: Thu, 7 Sep 2023 16:59:07 -0700 +Subject: [PATCH libXpm 7/7] Avoid CVE-2023-43787 (integer overflow in + XCreateImage) + +This doesn't fix the CVE - that has to happen in libX11, this +just tries to avoid triggering it from libXpm, and saves time +in not pretending we can successfully create an X Image for +which the width * depth would overflow the signed int used to +store the bytes_per_line value. + +Signed-off-by: Alan Coopersmith +--- + src/create.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/create.c b/src/create.c +index ec562b2..b8c80d2 100644 +--- a/src/create.c ++++ b/src/create.c +@@ -997,6 +997,11 @@ CreateXImage( + *image_return = NULL; + return XpmNoMemory; + } ++ if (width != 0 && (*image_return)->bits_per_pixel >= INT_MAX / width) { ++ XDestroyImage(*image_return); ++ *image_return = NULL; ++ return XpmNoMemory; ++ } + /* now that bytes_per_line must have been set properly alloc data */ + if((*image_return)->bytes_per_line == 0 || height == 0) { + XDestroyImage(*image_return); +-- +2.39.3 + only in patch2: unchanged: --- libxpm-3.5.12.orig/debian/patches/stdint.patch +++ libxpm-3.5.12/debian/patches/stdint.patch @@ -0,0 +1,14 @@ +--- + src/CrPFrI.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/src/CrPFrI.c ++++ b/src/CrPFrI.c +@@ -36,6 +36,7 @@ + #include + #endif + #include "XpmI.h" ++#include + + int + xpmCreatePixmapFromImage(
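Review bot: The guard added to `CreateXImage` in patch 0007 runs only after the image exists (it dereferences and then destroys `*image_return`), so it appears to stop libXpm from going on to use an image whose `bytes_per_line` may already have wrapped, rather than preventing that computation. A short comment would make this explicit, for example `/* width * bits_per_pixel must fit the signed int bytes_per_line (CVE-2023-43787) */`. The declaration of `width` is outside the hunk; if it is a signed type, `width != 0` admits negative values and the sign of `INT_MAX / width` changes the meaning of the comparison, so testing `width > 0` instead is worth confirming against the declaration. CreateXImage's body starts and ends outside the hunk.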