Version in base suite: 3.5.12-1 Base version: libxpm_3.5.12-1 Target version: libxpm_3.5.12-1.1~deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libx/libxpm/libxpm_3.5.12-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libx/libxpm/libxpm_3.5.12-1.1~deb11u1.dsc debian/patches/Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch | 150 ++++++++++ debian/patches/Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch | 36 ++ debian/patches/Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch | 114 +++++++ debian/patches/Prevent-a-double-free-in-the-error-code-path.patch | 39 ++ debian/patches/Use-gzip-d-instead-of-gunzip.patch | 58 +++ debian/patches/configure-add-disable-open-zfile-instead-of-requirin.patch | 71 ++++ libxpm-3.5.12/debian/changelog | 21 + libxpm-3.5.12/debian/patches/series | 7 libxpm-3.5.12/debian/rules | 3 9 files changed, 498 insertions(+), 1 deletion(-) diff -u libxpm-3.5.12/debian/changelog libxpm-3.5.12/debian/changelog --- libxpm-3.5.12/debian/changelog +++ libxpm-3.5.12/debian/changelog @@ -1,3 +1,24 @@ +libxpm (1:3.5.12-1.1~deb11u1) bullseye; urgency=medium + + * Non-maintainer upload. + * Rebuild for bullseye + + -- Salvatore Bonaccorso Wed, 25 Jan 2023 21:19:41 +0100 + +libxpm (1:3.5.12-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix CVE-2022-46285: Infinite loop on unclosed comments + * Fix CVE-2022-44617: Runaway loop with width of 0 and enormous height + * configure: add --disable-open-zfile instead of requiring -DNO_ZPIPE + * Fix CVE-2022-4883: compression commands depend on $PATH + * Prevent a double free in the error code path + * Use gzip -d instead of gunzip + * debian/rules: configure: Set explicitly runtime paths for {,un}compress + and gzip. + + -- Salvatore Bonaccorso Mon, 16 Jan 2023 21:01:44 +0100 + libxpm (1:3.5.12-1) unstable; urgency=medium [ Andreas Boll ] diff -u libxpm-3.5.12/debian/patches/series libxpm-3.5.12/debian/patches/series --- libxpm-3.5.12/debian/patches/series +++ libxpm-3.5.12/debian/patches/series @@ -1 +1,6 @@ -# placeholder +Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch +Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch +configure-add-disable-open-zfile-instead-of-requirin.patch +Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch +Prevent-a-double-free-in-the-error-code-path.patch +Use-gzip-d-instead-of-gunzip.patch diff -u libxpm-3.5.12/debian/rules libxpm-3.5.12/debian/rules --- libxpm-3.5.12/debian/rules +++ libxpm-3.5.12/debian/rules @@ -4,4 +4,7 @@ dh $@ --with quilt --builddirectory=build/ +override_dh_auto_configure: + dh_auto_configure -- XPM_PATH_COMPRESS=/usr/bin/compress XPM_PATH_UNCOMPRESS=/bin/uncompress XPM_PATH_GZIP=/bin/gzip + override_dh_install: dh_install --fail-missing -XlibXpm.la only in patch2: unchanged: --- libxpm-3.5.12.orig/debian/patches/Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch +++ libxpm-3.5.12/debian/patches/Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch @@ -0,0 +1,150 @@ +From 198839ca64dc117b35339f38c83d483ab6b561b6 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 7 Jan 2023 12:44:28 -0800 +Subject: Fix CVE-2022-44617: Runaway loop with width of 0 and enormous height + +When reading XPM images from a file with libXpm 3.5.14 or older, if a +image has a width of 0 and a very large height, the ParsePixels() function +will loop over the entire height calling getc() and ungetc() repeatedly, +or in some circumstances, may loop seemingly forever, which may cause a +denial of service to the calling program when given a small crafted XPM +file to parse. + +Closes: #2 + +Reported-by: Martin Ettl +Signed-off-by: Alan Coopersmith +--- + src/data.c | 20 ++++++++++++++------ + src/parse.c | 31 +++++++++++++++++++++++++++---- + 2 files changed, 41 insertions(+), 10 deletions(-) + +diff --git a/src/data.c b/src/data.c +index bfad4ff..7524e65 100644 +--- a/src/data.c ++++ b/src/data.c +@@ -195,19 +195,23 @@ xpmNextString(xpmData *data) + register char c; + + /* get to the end of the current string */ +- if (data->Eos) +- while ((c = *data->cptr++) && c != data->Eos); ++ if (data->Eos) { ++ while ((c = *data->cptr++) && c != data->Eos && c != '\0'); ++ ++ if (c == '\0') ++ return XpmFileInvalid; ++ } + + /* + * then get to the beginning of the next string looking for possible + * comment + */ + if (data->Bos) { +- while ((c = *data->cptr++) && c != data->Bos) ++ while ((c = *data->cptr++) && c != data->Bos && c != '\0') + if (data->Bcmt && c == data->Bcmt[0]) + ParseComment(data); + } else if (data->Bcmt) { /* XPM2 natural */ +- while ((c = *data->cptr++) == data->Bcmt[0]) ++ while (((c = *data->cptr++) == data->Bcmt[0]) && c != '\0') + ParseComment(data); + data->cptr--; + } +@@ -216,9 +220,13 @@ xpmNextString(xpmData *data) + FILE *file = data->stream.file; + + /* get to the end of the current string */ +- if (data->Eos) ++ if (data->Eos) { + while ((c = Getc(data, file)) != data->Eos && c != EOF); + ++ if (c == EOF) ++ return XpmFileInvalid; ++ } ++ + /* + * then get to the beginning of the next string looking for possible + * comment +@@ -234,7 +242,7 @@ xpmNextString(xpmData *data) + Ungetc(data, c, file); + } + } +- return 0; ++ return XpmSuccess; + } + + +diff --git a/src/parse.c b/src/parse.c +index 037fc66..64f51ba 100644 +--- a/src/parse.c ++++ b/src/parse.c +@@ -427,6 +427,13 @@ ParsePixels( + { + unsigned int *iptr, *iptr2 = NULL; /* found by Egbert Eich */ + unsigned int a, x, y; ++ int ErrorStatus; ++ ++ if ((width == 0) && (height != 0)) ++ return (XpmFileInvalid); ++ ++ if ((height == 0) && (width != 0)) ++ return (XpmFileInvalid); + + if ((height > 0 && width >= UINT_MAX / height) || + width * height >= UINT_MAX / sizeof(unsigned int)) +@@ -464,7 +471,11 @@ ParsePixels( + colidx[(unsigned char)colorTable[a].string[0]] = a + 1; + + for (y = 0; y < height; y++) { +- xpmNextString(data); ++ ErrorStatus = xpmNextString(data); ++ if (ErrorStatus != XpmSuccess) { ++ XpmFree(iptr2); ++ return (ErrorStatus); ++ } + for (x = 0; x < width; x++, iptr++) { + int c = xpmGetC(data); + +@@ -511,7 +522,11 @@ do \ + } + + for (y = 0; y < height; y++) { +- xpmNextString(data); ++ ErrorStatus = xpmNextString(data); ++ if (ErrorStatus != XpmSuccess) { ++ XpmFree(iptr2); ++ return (ErrorStatus); ++ } + for (x = 0; x < width; x++, iptr++) { + int cc1 = xpmGetC(data); + if (cc1 > 0 && cc1 < 256) { +@@ -551,7 +566,11 @@ do \ + xpmHashAtom *slot; + + for (y = 0; y < height; y++) { +- xpmNextString(data); ++ ErrorStatus = xpmNextString(data); ++ if (ErrorStatus != XpmSuccess) { ++ XpmFree(iptr2); ++ return (ErrorStatus); ++ } + for (x = 0; x < width; x++, iptr++) { + for (a = 0, s = buf; a < cpp; a++, s++) { + int c = xpmGetC(data); +@@ -571,7 +590,11 @@ do \ + } + } else { + for (y = 0; y < height; y++) { +- xpmNextString(data); ++ ErrorStatus = xpmNextString(data); ++ if (ErrorStatus != XpmSuccess) { ++ XpmFree(iptr2); ++ return (ErrorStatus); ++ } + for (x = 0; x < width; x++, iptr++) { + for (a = 0, s = buf; a < cpp; a++, s++) { + int c = xpmGetC(data); +-- +2.15.2 + only in patch2: unchanged: --- libxpm-3.5.12.orig/debian/patches/Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch +++ libxpm-3.5.12/debian/patches/Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch @@ -0,0 +1,36 @@ +From 4636007dd4cebca8ee10738a7833f629d8687529 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 17 Dec 2022 12:23:45 -0800 +Subject: Fix CVE-2022-46285: Infinite loop on unclosed comments + +When reading XPM images from a file with libXpm 3.5.14 or older, if a +comment in the file is not closed (i.e. a C-style comment starts with +"/*" and is missing the closing "*/"), the ParseComment() function will +loop forever calling getc() to try to read the rest of the comment, +failing to notice that it has returned EOF, which may cause a denial of +service to the calling program. + +Reported-by: Marco Ivaldi +Signed-off-by: Alan Coopersmith +--- + src/data.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/data.c b/src/data.c +index 898889c..bfad4ff 100644 +--- a/src/data.c ++++ b/src/data.c +@@ -174,6 +174,10 @@ ParseComment(xpmData *data) + notend = 0; + Ungetc(data, *s, file); + } ++ else if (c == EOF) { ++ /* hit end of file before the end of the comment */ ++ return XpmFileInvalid; ++ } + } + return 0; + } +-- +2.15.2 + only in patch2: unchanged: --- libxpm-3.5.12.orig/debian/patches/Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch +++ libxpm-3.5.12/debian/patches/Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch @@ -0,0 +1,114 @@ +From 082a080672c3b8a964aa8100bee41930e12b03fa Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Fri, 6 Jan 2023 12:50:48 -0800 +Subject: Fix CVE-2022-4883: compression commands depend on $PATH + +By default, on all platforms except MinGW, libXpm will detect if a +filename ends in .Z or .gz, and will when reading such a file fork off +an uncompress or gunzip command to read from via a pipe, and when +writing such a file will fork off a compress or gzip command to write +to via a pipe. + +In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH +to find the commands. If libXpm is called from a program running with +raised privileges, such as via setuid, then a malicious user could set +$PATH to include programs of their choosing to be run with those +privileges. + +Signed-off-by: Alan Coopersmith +--- + README.md | 12 ++++++++++++ + configure.ac | 14 ++++++++++++++ + src/RdFToI.c | 17 ++++++++++++++--- + src/WrFFrI.c | 4 ++-- + 4 files changed, 42 insertions(+), 5 deletions(-) + +--- a/configure.ac ++++ b/configure.ac +@@ -48,6 +48,14 @@ if test "x$USE_GETTEXT" = "xyes" ; then + fi + AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes") + ++dnl Helper macro to find absolute path to program and add a #define for it ++AC_DEFUN([XPM_PATH_PROG],[ ++AC_PATH_PROG([$1], [$2], []) ++AS_IF([test "x$$1" = "x"], ++ [AC_MSG_ERROR([$2 not found, set $1 or use --disable-stat-zfile])]) ++AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path to $2]) ++]) dnl End of AC_DEFUN([XPM_PATH_PROG]... ++ + # Optional feature: When a filename ending in .Z or .gz is requested, + # open a pipe to a newly forked compress/uncompress/gzip/gunzip command to + # handle it. +@@ -63,6 +71,12 @@ AC_ARG_ENABLE(open-zfile, + AC_MSG_RESULT([$OPEN_ZFILE]) + if test x$OPEN_ZFILE = xno ; then + AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes]) ++else ++ XPM_PATH_PROG([XPM_PATH_COMPRESS], [compress]) ++ XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress]) ++ XPM_PATH_PROG([XPM_PATH_GZIP], [gzip]) ++ XPM_PATH_PROG([XPM_PATH_GUNZIP], [gunzip]) ++ AC_CHECK_FUNCS([closefrom close_range], [break]) + fi + + # Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz +--- a/src/RdFToI.c ++++ b/src/RdFToI.c +@@ -43,6 +43,7 @@ + #include + #include + #include ++#include + #else + #ifdef FOR_MSW + #include +@@ -161,7 +162,17 @@ xpmPipeThrough( + goto err; + if ( 0 == pid ) + { +- execlp(cmd, cmd, arg1, (char *)NULL); ++#ifdef HAVE_CLOSEFROM ++ closefrom(3); ++#elif defined(HAVE_CLOSE_RANGE) ++# ifdef CLOSE_RANGE_UNSHARE ++# define close_range_flags CLOSE_RANGE_UNSHARE ++# else ++# define close_range_flags 0 ++#endif ++ close_range(3, ~0U, close_range_flags); ++#endif ++ execl(cmd, cmd, arg1, (char *)NULL); + perror(cmd); + goto err; + } +@@ -235,12 +246,12 @@ OpenReadFile( + if ( ext && !strcmp(ext, ".Z") ) + { + mdata->type = XPMPIPE; +- mdata->stream.file = xpmPipeThrough(fd, "uncompress", "-c", "r"); ++ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_UNCOMPRESS, "-c", "r"); + } + else if ( ext && !strcmp(ext, ".gz") ) + { + mdata->type = XPMPIPE; +- mdata->stream.file = xpmPipeThrough(fd, "gunzip", "-qc", "r"); ++ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GUNZIP, "-qc", "r"); + } + else + #endif /* z-files */ +--- a/src/WrFFrI.c ++++ b/src/WrFFrI.c +@@ -336,10 +336,10 @@ OpenWriteFile( + #ifndef NO_ZPIPE + len = strlen(filename); + if (len > 2 && !strcmp(".Z", filename + (len - 2))) { +- mdata->stream.file = xpmPipeThrough(fd, "compress", NULL, "w"); ++ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_COMPRESS, NULL, "w"); + mdata->type = XPMPIPE; + } else if (len > 3 && !strcmp(".gz", filename + (len - 3))) { +- mdata->stream.file = xpmPipeThrough(fd, "gzip", "-q", "w"); ++ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-q", "w"); + mdata->type = XPMPIPE; + } else + #endif only in patch2: unchanged: --- libxpm-3.5.12.orig/debian/patches/Prevent-a-double-free-in-the-error-code-path.patch +++ libxpm-3.5.12/debian/patches/Prevent-a-double-free-in-the-error-code-path.patch @@ -0,0 +1,39 @@ +From 1b01c4424bec256116f8e8283430eb241e3f5d99 Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 12 Jan 2023 15:05:39 +1000 +Subject: Prevent a double free in the error code path + +xpmParseDataAndCreate() calls XDestroyImage() in the error path. +Reproducible with sxpm "zero-width.xpm", that file is in the test/ +directory. + +The same approach is needed in the bytes_per_line == 0 condition though +here it just plugs a memory leak. +--- + src/create.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/create.c b/src/create.c +index 4a85c78..f92ffef 100644 +--- a/src/create.c ++++ b/src/create.c +@@ -994,11 +994,15 @@ CreateXImage( + #if !defined(FOR_MSW) && !defined(AMIGA) + if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) { + XDestroyImage(*image_return); ++ *image_return = NULL; + return XpmNoMemory; + } + /* now that bytes_per_line must have been set properly alloc data */ +- if((*image_return)->bytes_per_line == 0 || height == 0) ++ if((*image_return)->bytes_per_line == 0 || height == 0) { ++ XDestroyImage(*image_return); ++ *image_return = NULL; + return XpmNoMemory; ++ } + (*image_return)->data = + (char *) XpmMalloc((*image_return)->bytes_per_line * height); + +-- +2.39.0 + only in patch2: unchanged: --- libxpm-3.5.12.orig/debian/patches/Use-gzip-d-instead-of-gunzip.patch +++ libxpm-3.5.12/debian/patches/Use-gzip-d-instead-of-gunzip.patch @@ -0,0 +1,58 @@ +From 8178eb0834d82242e1edbc7d4fb0d1b397569c68 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Mon, 16 Jan 2023 19:44:52 +1000 +Subject: Use gzip -d instead of gunzip + +GNU gunzip [1] is a shell script that exec's `gzip -d`. Even if we call +/usr/bin/gunzip with the correct built-in path, the actual gzip call +will use whichever gzip it finds first, making our patch pointless. + +Fix this by explicitly calling gzip -d instead. + +https://git.savannah.gnu.org/cgit/gzip.git/tree/gunzip.in + +[Part of the fix for CVE-2022-4883] +Signed-off-by: Peter Hutterer +--- + README.md | 2 +- + configure.ac | 3 +-- + src/RdFToI.c | 2 +- + 3 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/configure.ac b/configure.ac +index e6b6509..6cd165f 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -58,7 +58,7 @@ AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path to $2]) + ]) dnl End of AC_DEFUN([XPM_PATH_PROG]... + + # Optional feature: When a filename ending in .Z or .gz is requested, +-# open a pipe to a newly forked compress/uncompress/gzip/gunzip command to ++# open a pipe to a newly forked compress/uncompress/gzip command to + # handle it. + AC_MSG_CHECKING([whether to handle compressed pixmaps]) + case $host_os in +@@ -77,7 +77,6 @@ else + XPM_PATH_PROG([XPM_PATH_COMPRESS], [compress]) + XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress]) + XPM_PATH_PROG([XPM_PATH_GZIP], [gzip]) +- XPM_PATH_PROG([XPM_PATH_GUNZIP], [gunzip]) + AC_CHECK_FUNCS([closefrom close_range], [break]) + fi + +diff --git a/src/RdFToI.c b/src/RdFToI.c +index a91d337..141c485 100644 +--- a/src/RdFToI.c ++++ b/src/RdFToI.c +@@ -251,7 +251,7 @@ OpenReadFile( + else if ( ext && !strcmp(ext, ".gz") ) + { + mdata->type = XPMPIPE; +- mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GUNZIP, "-qc", "r"); ++ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-dqc", "r"); + } + else + #endif /* z-files */ +-- +2.15.2 + only in patch2: unchanged: --- libxpm-3.5.12.orig/debian/patches/configure-add-disable-open-zfile-instead-of-requirin.patch +++ libxpm-3.5.12/debian/patches/configure-add-disable-open-zfile-instead-of-requirin.patch @@ -0,0 +1,71 @@ +From 4841039e5385f264d12757903894f47c64f59361 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Thu, 5 Jan 2023 15:42:36 -0800 +Subject: configure: add --disable-open-zfile instead of requiring -DNO_ZPIPE + +Documents the two compression options in the README, makes their +configure options reflect the interdependency of their implementation, +and makes the configure script report their configuration. + +Signed-off-by: Alan Coopersmith +--- + README.md | 15 +++++++++++++++ + configure.ac | 36 +++++++++++++++++++++++------------- + 2 files changed, 38 insertions(+), 13 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 789a96e70831..1b648309705c 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -49,25 +49,35 @@ if test "x$USE_GETTEXT" = "xyes" ; then + fi + AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes") + ++# Optional feature: When a filename ending in .Z or .gz is requested, ++# open a pipe to a newly forked compress/uncompress/gzip/gunzip command to ++# handle it. ++AC_MSG_CHECKING([whether to handle compressed pixmaps]) ++case $host_os in ++ *mingw*) zpipe_default="no" ;; ++ *) zpipe_default="yes" ;; ++esac ++AC_ARG_ENABLE(open-zfile, ++ AS_HELP_STRING([--enable-open-zfile], ++ [Search for files with .Z & .gz extensions automatically @<:@default=auto@:>@]), ++ [OPEN_ZFILE=$enableval], [OPEN_ZFILE=yes]) ++AC_MSG_RESULT([$OPEN_ZFILE]) ++if test x$OPEN_ZFILE = xno ; then ++ AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes]) ++fi ++ + # Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz + # Replaces ZFILEDEF = -DSTAT_ZFILE in old Imakefile ++AC_MSG_CHECKING([whether to search for compressed pixmaps]) + AC_ARG_ENABLE(stat-zfile, +- AS_HELP_STRING([--enable-stat-zfile], +- [Search for files with .Z & .gz extensions automatically @<:@default=yes@:>@]), +- [STAT_ZFILE=$enableval], [STAT_ZFILE=yes]) ++ AS_HELP_STRING([--enable-stat-zfile], ++ [Search for files with .Z & .gz extensions automatically @<:@default=auto@:>@]), ++ [STAT_ZFILE=$enableval], [STAT_ZFILE=$OPEN_ZFILE]) ++AC_MSG_RESULT([$STAT_ZFILE]) + if test x$STAT_ZFILE = xyes ; then +- AC_DEFINE(STAT_ZFILE, 1, [Define to 1 to automatically look for files with .Z & .gz extensions]) ++ AC_DEFINE(STAT_ZFILE, 1, [Define to 1 to automatically look for files with .Z & .gz extensions]) + fi + +- +-case $host_os in +- *mingw*) +- AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes]) +- ;; +- *) +- ;; +-esac +- + AC_CONFIG_FILES([Makefile + doc/Makefile + include/Makefile +-- +2.39.0 +