diff -u libxpm-3.5.12/debian/changelog libxpm-3.5.12/debian/changelog
--- libxpm-3.5.12/debian/changelog
+++ libxpm-3.5.12/debian/changelog
@@ -1,3 +1,24 @@
+libxpm (1:3.5.12-1ubuntu0.22.04.2) jammy-security; urgency=medium
+
+ * SECURITY UPDATE: stack exhaustion from infinite recursion in
+ PutSubImage() in libx11
+ - d/p/0004-test-Add-test-case-for-CVE-2023-43786-stack-exhausti.patch
+ - d/p/0005-Avoid-CVE-2023-43786-stack-exhaustion-in-XPutImage.patch
+ - CVE-2023-43786
+ * SECURITY UPDATE: integer overflow in XCreateImage() leading to a heap
+ overflow in libx11
+ - d/p/0006-test-Add-test-case-for-CVE-2023-43787-integer-overfl.patch
+ - d/p/0007-Avoid-CVE-2023-43787-integer-overflow-in-XCreateImag.patch
+ - CVE-2023-43787
+ * SECURITY UPDATE: out of bounds read in XpmCreateXpmImageFromBuffer()
+ - d/p/0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
+ - CVE-2023-43788
+ * SECURITY UPDATE: out of bounds read on XPM with corrupted colormap
+ - d/p/0003-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch
+ - CVE-2023-43789
+
+ -- Marc Deslauriers Mon, 02 Oct 2023 16:10:52 -0400
+
 libxpm (1:3.5.12-1ubuntu0.22.04.1) jammy-security; urgency=medium
 * SECURITY UPDATE: CPU-consuming loop on width of 0
diff -u libxpm-3.5.12/debian/patches/series libxpm-3.5.12/debian/patches/series
--- libxpm-3.5.12/debian/patches/series
+++ libxpm-3.5.12/debian/patches/series
@@ -5,0 +6,6 @@
+0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
+0003-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch
+0004-test-Add-test-case-for-CVE-2023-43786-stack-exhausti.patch
+0005-Avoid-CVE-2023-43786-stack-exhaustion-in-XPutImage.patch
+0006-test-Add-test-case-for-CVE-2023-43787-integer-overfl.patch
+0007-Avoid-CVE-2023-43787-integer-overflow-in-XCreateImag.patch
only in patch2:
unchanged:
--- libxpm-3.5.12.orig/debian/patches/0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
+++ libxpm-3.5.12/debian/patches/0001-Fix-CVE-2023-43788-Out-of-bounds-read-in-XpmCreateXp.patch
@@ -0,0 +1,32 @@
+From 2fa554b01ef6079a9b35df9332bdc4f139ed67e0 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Sat, 29 Apr 2023 17:50:39 -0700
+Subject: [PATCH libXpm 1/7] Fix CVE-2023-43788: Out of bounds read in
+ XpmCreateXpmImageFromBuffer
+
+When the test case for CVE-2022-46285 was run with the Address Sanitizer
+enabled, it found an out-of-bounds read in ParseComment() when reading
+from a memory buffer instead of a file, as it continued to look for the
+closing comment marker past the end of the buffer.
+
+Signed-off-by: Alan Coopersmith
+---
+ src/data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/data.c b/src/data.c
+index 7524e65..0b0f1f3 100644
+--- a/src/data.c
++++ b/src/data.c
+@@ -108,7 +108,7 @@ ParseComment(xpmData *data)
+ n++;
+ s2++;
+ } while (c == *s2 && *s2 != '\0' && c);
+- if (*s2 == '\0') {
++ if (*s2 == '\0' || c == '\0') {
+ /* this is the end of the comment */
+ notend = 0;
+ data->cptr--;
+--
+2.39.3
+
only in patch2:
unchanged:
--- libxpm-3.5.12.orig/debian/patches/0003-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch
+++ libxpm-3.5.12/debian/patches/0003-Fix-CVE-2023-43789-Out-of-bounds-read-on-XPM-with-co.patch
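Review bot: The comment inside the changed branch of ParseComment() still reads `/* this is the end of the comment */`, but with `|| c == '\0'` the branch is now also taken when the input ends before the closing marker is found. I would reword it to `/* end of the comment, or end of the input on an unterminated comment */` so the bounds-stopping role of the new test is visible to the next reader. Whether an unterminated comment should then be reported as an invalid file rather than accepted silently depends on code outside this hunk, since ParseComment()'s body starts and ends beyond the lines shown.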
@@ -0,0 +1,36 @@
+From 7e21cb63b9a1ca760a06cc4cd9b19bbc3fcd8f51 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Sat, 29 Apr 2023 18:30:34 -0700
+Subject: [PATCH libXpm 3/7] Fix CVE-2023-43789: Out of bounds read on XPM with
+ corrupted colormap
+
+Found with clang's libfuzzer
+
+Signed-off-by: Alan Coopersmith
+---
+ src/data.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/data.c b/src/data.c
+index 0b0f1f3..6e87455 100644
+--- a/src/data.c
++++ b/src/data.c
+@@ -259,13 +259,13 @@ xpmNextWord(
+ int c;
+
+ if (!data->type || data->type == XPMBUFFER) {
+- while (isspace(c = *data->cptr) && c != data->Eos)
++ while ((c = *data->cptr) && isspace(c) && (c != data->Eos))
+ data->cptr++;
+ do {
+ c = *data->cptr++;
+ *buf++ = c;
+ n++;
+- } while (!isspace(c) && c != data->Eos && n < buflen);
++ } while (c && !isspace(c) && (c != data->Eos) && (n < buflen));
+ n--;
+ data->cptr--;
+ } else {
+--
+2.39.3
+
only in patch2:
unchanged:
--- libxpm-3.5.12.orig/debian/patches/0004-test-Add-test-case-for-CVE-2023-43786-stack-exhausti.patch
+++ libxpm-3.5.12/debian/patches/0004-test-Add-test-case-for-CVE-2023-43786-stack-exhausti.patch
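Review bot: Both rewritten loop conditions in xpmNextWord() still pass `c` straight to isspace(), and `c` is loaded from `*data->cptr`; if cptr is a plain `char *` on a platform where char is signed, a byte of 0x80 or above from an untrusted XPM becomes a negative int, which is outside the range isspace() is defined for. Casting at the call, `isspace((unsigned char)c)`, in both the `while` and the `do … while` condition closes that without touching the new NUL checks. The declaration of cptr and the rest of the function are outside the hunk, so the type should be confirmed there.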
@@ -0,0 +1,322 @@ +From edb97396620f019f8d2e707ad3fbaf6bbbd5ed36 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Tue, 5 Sep 2023 17:01:58 -0700 +Subject: [PATCH libXpm 4/7] test: Add test case for CVE-2023-43786 (stack + exhaustion in PutImage) + +Provided by Yair Mizrahi of the JFrog Vulnerability Research team + +Signed-off-by: Alan Coopersmith +--- + test/pixmaps/README.md | 13 + + .../other/overflow-stackexhaustion.xpm | 277 ++++++++++++++++++ + 2 files changed, 290 insertions(+) + create mode 100644 test/pixmaps/other/overflow-stackexhaustion.xpm + +#diff --git a/test/pixmaps/README.md b/test/pixmaps/README.md +#index 4f2cbae..8f20a8b 100644 +#--- a/test/pixmaps/README.md +#+++ b/test/pixmaps/README.md +#@@ -69,3 +69,16 @@ return XpmNoMemory when parsed. +# +# - oversize.xpm - This file specifies more pixels than can be mapped in +# a 64-bit address space that already has programs & libraries mapped in. +#+ +#+other +#+----- +#+ +#+Those under the `other` subdirectory don't fit cleanly in any of the above +#+categories, and may be valid for some uses but not others, and thus can't be +#+easily used in the current test framework, but are still interesting cases. +#+ +#+- overflow-stackexhaustion.xpm - This file was provided by Yair Mizrahi of +#+ the JFrog Vulnerability Research team as a test for CVE-2023-43786. +#+ It is a valid XPM file, but is larger than fits into an X Pixmap, so +#+ should pass with many functions, but fail when used with sxpm or +#+ anything that calls through to xpmCreatePixmapFromImage(). +diff --git a/test/pixmaps/other/overflow-stackexhaustion.xpm b/test/pixmaps/other/overflow-stackexhaustion.xpm +new file mode 100644 +index 0000000..2f7eae3 +--- /dev/null ++++ b/test/pixmaps/other/overflow-stackexhaustion.xpm +@@ -0,0 +1,277 @@ ++/* XPM */ ++/* ++ * Copyright (c) 1993, 1995, Oracle and/or its affiliates. 
++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a ++ * copy of this software and associated documentation files (the "Software"), ++ * to deal in the Software without restriction, including without limitation ++ * the rights to use, copy, modify, merge, publish, distribute, sublicense, ++ * and/or sell copies of the Software, and to permit persons to whom the ++ * Software is furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice (including the next ++ * paragraph) shall be included in all copies or substantial portions of the ++ * Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL ++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING ++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER ++ * DEALINGS IN THE SOFTWARE. ++ */ ++static char * Dimple_pm[] = { ++/* width height ncolors cpp [x_hot y_hot] */ ++"000000090000 1 247 1 1 1", ++/* colors */ ++" s background m black c #ffffffffffff", ++". 
s topShadowColor m white c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s 
bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s 
bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s 
bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s 
bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s 
bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s 
bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++" ++ s bottomShadowColor m black c #ffffffffffff", ++"X s bottomShadowColor m black c #ffffffffffff", ++"} s bottomShadowColor m black c #ffffffffffff", ++"; s bottomShadowColor m black c #ffffffffffff", ++". s bottomShadowColor m black c #ffffffffffff", ++/* pixels */ ++" }; +-- +2.39.3 + only in patch2: unchanged: --- libxpm-3.5.12.orig/debian/patches/0005-Avoid-CVE-2023-43786-stack-exhaustion-in-XPutImage.patch +++ libxpm-3.5.12/debian/patches/0005-Avoid-CVE-2023-43786-stack-exhaustion-in-XPutImage.patch 
@@ -0,0 +1,278 @@
+Backport of:
+
+From 3446b4dbf970223f16f8ea294b723fc2e86bc4c4 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Wed, 6 Sep 2023 17:34:33 -0700
+Subject: [PATCH libXpm 5/7] Avoid CVE-2023-43786: stack exhaustion in
+ XPutImage()
+
+This doesn't fix the CVE - that has to happen in libX11, this
+just tries to avoid triggering it from libXpm, and saves time
+in not pretending we can successfully create an X11 pixmap with
+dimensions larger than the unsigned 16-bit integers used in the
+X11 protocol for the dimensions.
+
+Reported by Yair Mizrahi of the JFrog Vulnerability Research team
+
+Signed-off-by: Alan Coopersmith
+---
+ src/CrPFrBuf.c | 28 +++++++++++++++++++++++-----
+ src/CrPFrDat.c | 31 +++++++++++++++++++++++--------
+ src/CrPFrI.c | 9 ++++++++-
+ src/RdFToP.c | 28 +++++++++++++++++++++++-----
+ src/XpmI.h | 2 +-
+ src/create.c | 28 +++++++++++++++++++++++-----
+ 6 files changed, 101 insertions(+), 25 deletions(-)
+
+--- a/src/CrPFrBuf.c
++++ b/src/CrPFrBuf.c
+@@ -46,7 +46,7 @@ XpmCreatePixmapFromBuffer(
+ Pixmap *shapemask_return,
+ XpmAttributes *attributes)
+ {
+- XImage *ximage, *shapeimage;
++ XImage *ximage = NULL, *shapeimage = NULL;
+ int ErrorStatus;
+
+ /* initialize return values */
+@@ -63,16 +63,34 @@ XpmCreatePixmapFromBuffer(
+ attributes);
+
+ if (ErrorStatus < 0) /* fatal error */
+- return (ErrorStatus);
++ goto cleanup;
+
+ /* create the pixmaps and destroy images */
+ if (pixmap_return && ximage) {
+- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
+- XDestroyImage(ximage);
++ ErrorStatus =
++ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
++ if (ErrorStatus < 0) /* fatal error */
++ goto cleanup;
+ }
+ if (shapemask_return && shapeimage) {
+- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
++ ErrorStatus =
++ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
++ }
++
++ cleanup:
++ if (ximage != NULL)
++ XDestroyImage(ximage);
++ if (shapeimage !=
NULL)
+ XDestroyImage(shapeimage);
++ if (ErrorStatus < 0) {
++ if (pixmap_return && *pixmap_return) {
++ XFreePixmap(display, *pixmap_return);
++ *pixmap_return = 0;
++ }
++ if (shapemask_return && *shapemask_return) {
++ XFreePixmap(display, *shapemask_return);
++ *shapemask_return = 0;
++ }
+ }
+ return (ErrorStatus);
+ }
+--- a/src/CrPFrDat.c
++++ b/src/CrPFrDat.c
+@@ -46,7 +46,7 @@ XpmCreatePixmapFromData(
+ Pixmap *shapemask_return,
+ XpmAttributes *attributes)
+ {
+- XImage *ximage, *shapeimage;
++ XImage *ximage = NULL, *shapeimage = NULL;
+ int ErrorStatus;
+
+ /* initialize return values */
+@@ -63,19 +63,34 @@ XpmCreatePixmapFromData(
+ attributes);
+
+ if (ErrorStatus != XpmSuccess)
+- return (ErrorStatus);
+-
+- if (ErrorStatus < 0) /* fatal error */
+- return (ErrorStatus);
++ goto cleanup;
+
+ /* create the pixmaps and destroy images */
+ if (pixmap_return && ximage) {
+- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
+- XDestroyImage(ximage);
++ ErrorStatus =
++ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
++ if (ErrorStatus < 0) /* fatal error */
++ goto cleanup;
+ }
+ if (shapemask_return && shapeimage) {
+- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
++ ErrorStatus =
++ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
++ }
++
++ cleanup:
++ if (ximage != NULL)
++ XDestroyImage(ximage);
++ if (shapeimage != NULL)
+ XDestroyImage(shapeimage);
++ if (ErrorStatus < 0) {
++ if (pixmap_return && *pixmap_return) {
++ XFreePixmap(display, *pixmap_return);
++ *pixmap_return = 0;
++ }
++ if (shapemask_return && *shapemask_return) {
++ XFreePixmap(display, *shapemask_return);
++ *shapemask_return = 0;
++ }
+ }
+ return (ErrorStatus);
+ }
+--- a/src/CrPFrI.c
++++ b/src/CrPFrI.c
+@@ -37,7 +37,7 @@
+ #endif
+ #include "XpmI.h"
+
+-void
++int
+ xpmCreatePixmapFromImage(
+ Display *display,
+ Drawable d,
+@@ -47,6 +47,11 @@ xpmCreatePixmapFromImage(
+ GC gc;
+ XGCValues values;
+
++ /* X
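Review bot: In XpmCreatePixmapFromBuffer() the assignment `ErrorStatus = xpmCreatePixmapFromImage(...)` overwrites whatever non-fatal status the image-creation call returned; the surrounding `ErrorStatus < 0 /* fatal error */` tests imply that positive warning codes exist, and before this change such a code was what the function returned. After it, a successful pixmap creation resets the result to XpmSuccess and the caller no longer sees the warning. Keeping the pixmap status in its own local, e.g. `int status = xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);` followed by `if (status < 0) { ErrorStatus = status; goto cleanup; }`, preserves the old return value. The same pattern is in the XpmReadFileToPixmap() and XpmCreatePixmapFromXpmImage() hunks; XpmCreatePixmapFromData() is not affected because it leaves on any status other than XpmSuccess.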
Pixmaps are limited to unsigned 16-bit height/width */
++ if ((ximage->width > UINT16_MAX) || (ximage->height > UINT16_MAX)) {
++ return XpmNoMemory;
++ }
++
+ *pixmap_return = XCreatePixmap(display, d, ximage->width,
+ ximage->height, ximage->depth);
+ /* set fg and bg in case we have an XYBitmap */
+@@ -59,4 +64,6 @@ xpmCreatePixmapFromImage(
+ ximage->width, ximage->height);
+
+ XFreeGC(display, gc);
++
++ return XpmSuccess;
+ }
+--- a/src/RdFToP.c
++++ b/src/RdFToP.c
+@@ -46,7 +46,7 @@ XpmReadFileToPixmap(
+ Pixmap *shapemask_return,
+ XpmAttributes *attributes)
+ {
+- XImage *ximage, *shapeimage;
++ XImage *ximage = NULL, *shapeimage = NULL;
+ int ErrorStatus;
+
+ /* initialize return values */
+@@ -62,16 +62,34 @@ XpmReadFileToPixmap(
+ attributes);
+
+ if (ErrorStatus < 0) /* fatal error */
+- return (ErrorStatus);
++ goto cleanup;
+
+ /* create the pixmaps and destroy images */
+ if (pixmap_return && ximage) {
+- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
+- XDestroyImage(ximage);
++ ErrorStatus =
++ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
++ if (ErrorStatus < 0) /* fatal error */
++ goto cleanup;
+ }
+ if (shapemask_return && shapeimage) {
+- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
++ ErrorStatus =
++ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
++ }
++
++ cleanup:
++ if (ximage != NULL)
++ XDestroyImage(ximage);
++ if (shapeimage != NULL)
+ XDestroyImage(shapeimage);
++ if (ErrorStatus < 0) {
++ if (pixmap_return && *pixmap_return) {
++ XFreePixmap(display, *pixmap_return);
++ *pixmap_return = 0;
++ }
++ if (shapemask_return && *shapemask_return) {
++ XFreePixmap(display, *shapemask_return);
++ *shapemask_return = 0;
++ }
+ }
+ return (ErrorStatus);
+ }
+--- a/src/XpmI.h
++++ b/src/XpmI.h
+@@ -52,6 +52,7 @@
+ #include
+ #include
+ #include
++#include
+ /* stdio.h doesn't declare popen on a Sequent DYNIX OS */
+ #ifdef sequent
+ extern FILE *popen();
+@@ -188,7 +189,7
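Review bot: The new range check in xpmCreatePixmapFromImage() only rejects values above UINT16_MAX, so a zero or negative `ximage->width` or `ximage->height` still reaches XCreatePixmap(); XImage stores both as signed int, and a negative value would convert to a large unsigned argument. If nothing earlier in the call path guarantees positive dimensions, the lower bound belongs in the same test: `if (ximage->width <= 0 || ximage->height <= 0 || ximage->width > UINT16_MAX || ximage->height > UINT16_MAX)`. The function body continues past this hunk and its callers validate input elsewhere, so whether non-positive values can arrive here needs checking against the parser.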
@@ FUNC(xpmSetAttributes, void, (XpmAttribu
+ XpmInfo *info));
+
+ #if !defined(FOR_MSW) && !defined(AMIGA)
+-FUNC(xpmCreatePixmapFromImage, void, (Display *display, Drawable d,
++FUNC(xpmCreatePixmapFromImage, int, (Display *display, Drawable d,
+ XImage *ximage, Pixmap *pixmap_return));
+
+ FUNC(xpmCreateImageFromPixmap, void, (Display *display, Pixmap pixmap,
+--- a/src/create.c
++++ b/src/create.c
+@@ -1652,7 +1652,7 @@ XpmCreatePixmapFromXpmImage(
+ Pixmap *shapemask_return,
+ XpmAttributes *attributes)
+ {
+- XImage *ximage, *shapeimage;
++ XImage *ximage = NULL, *shapeimage = NULL;
+ int ErrorStatus;
+
+ /* initialize return values */
+@@ -1668,16 +1668,34 @@ XpmCreatePixmapFromXpmImage(
+ &shapeimage : NULL),
+ attributes);
+ if (ErrorStatus < 0)
+- return (ErrorStatus);
++ goto cleanup;
+
+ /* create the pixmaps and destroy images */
+ if (pixmap_return && ximage) {
+- xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
+- XDestroyImage(ximage);
++ ErrorStatus =
++ xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
++ if (ErrorStatus < 0) /* fatal error */
++ goto cleanup;
+ }
+ if (shapemask_return && shapeimage) {
+- xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
++ ErrorStatus =
++ xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
++ }
++
++ cleanup:
++ if (ximage != NULL)
++ XDestroyImage(ximage);
++ if (shapeimage != NULL)
+ XDestroyImage(shapeimage);
++ if (ErrorStatus < 0) {
++ if (pixmap_return && *pixmap_return) {
++ XFreePixmap(display, *pixmap_return);
++ *pixmap_return = 0;
++ }
++ if (shapemask_return && *shapemask_return) {
++ XFreePixmap(display, *shapemask_return);
++ *shapemask_return = 0;
++ }
+ }
+ return (ErrorStatus);
+ }
only in patch2:
unchanged:
--- libxpm-3.5.12.orig/debian/patches/0006-test-Add-test-case-for-CVE-2023-43787-integer-overfl.patch
+++ libxpm-3.5.12/debian/patches/0006-test-Add-test-case-for-CVE-2023-43787-integer-overfl.patch
@@ -0,0 +1,71 @@
+From ec92147890b7985756d8917c25363777de4599fe Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Thu, 7 Sep 2023 16:55:25 -0700
+Subject: [PATCH libXpm 6/7] test: Add test case for CVE-2023-43787 (integer
+ overflow in XCreateImage)
+
+Provided by Yair Mizrahi of the JFrog Vulnerability Research team
+
+Signed-off-by: Alan Coopersmith
+---
+ test/pixmaps/README.md | 5 ++++
+ test/pixmaps/invalid/width-overflow.xpm | 31 +++++++++++++++++++++++++
+ 2 files changed, 36 insertions(+)
+ create mode 100644 test/pixmaps/invalid/width-overflow.xpm
+
+#diff --git a/test/pixmaps/README.md b/test/pixmaps/README.md
+#index 8f20a8b..97dd144 100644
+#--- a/test/pixmaps/README.md
+#+++ b/test/pixmaps/README.md
+#@@ -61,6 +61,11 @@ return XpmFileInvalid when parsed.
+# - corrupt-colormap.xpm - This file was generated by the clang libfuzzer,
+# and serves as a test for CVE-2023-43789
+#
+#+- width-overflow.xpm - This file was provided by Yair Mizrahi of
+#+ the JFrog Vulnerability Research team as a test for CVE-2023-43787.
+#+ Its width causes an integer overflow when multiplied by a depth of 4 bytes
+#+ (32-bits) when using 32-bit ints.
+#+
+# no-mem
+# ------
+#
+diff --git a/test/pixmaps/invalid/width-overflow.xpm b/test/pixmaps/invalid/width-overflow.xpm
+new file mode 100644
+index 0000000..114cb7b
+--- /dev/null
++++ b/test/pixmaps/invalid/width-overflow.xpm
+@@ -0,0 +1,31 @@
++/* XPM */
++/*
++ * Copyright (c) 1993, 1995, Oracle and/or its affiliates.
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a
++ * copy of this software and associated documentation files (the "Software"),
++ * to deal in the Software without restriction, including without limitation
++ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
++ * and/or sell copies of the Software, and to permit persons to whom the
++ * Software is furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice (including the next
++ * paragraph) shall be included in all copies or substantial portions of the
++ * Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
++ * DEALINGS IN THE SOFTWARE.
++ */
++static char * Dimple_pm[] = {
++/* width height ncolors cpp [x_hot y_hot] */
++"536871019 1 2 1 1 1",
++/* colors */
++" c #40a100",
++".
c #434241", ++/* pixels */ ++" .................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
................................................................................................................................................................... +-- +2.39.3 + only in patch2: unchanged: --- libxpm-3.5.12.orig/debian/patches/0007-Avoid-CVE-2023-43787-integer-overflow-in-XCreateImag.patch +++ libxpm-3.5.12/debian/patches/0007-Avoid-CVE-2023-43787-integer-overflow-in-XCreateImag.patch @@ -0,0 +1,36 @@ +From 3bc3d486bcdb1d95bcb0ebc7d6fe5a18dc4eee95 Mon Sep 17 00:00:00 2001 +From: Yair Mizrahi +Date: Thu, 7 Sep 2023 16:59:07 -0700 +Subject: [PATCH libXpm 7/7] Avoid CVE-2023-43787 (integer overflow in + XCreateImage) + +This doesn't fix the CVE - that has to happen in libX11, this +just tries to avoid triggering it from libXpm, and saves time +in not pretending we can successfully create an X Image for +which the width * depth would overflow the signed int used to +store the bytes_per_line value. + +Signed-off-by: Alan Coopersmith +--- + src/create.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/create.c b/src/create.c +index ec562b2..b8c80d2 100644 +--- a/src/create.c ++++ b/src/create.c +@@ -997,6 +997,11 @@ CreateXImage( + *image_return = NULL; + return XpmNoMemory; + } ++ if (width != 0 && (*image_return)->bits_per_pixel >= INT_MAX / width) { ++ XDestroyImage(*image_return); ++ *image_return = NULL; ++ return XpmNoMemory; ++ } + /* now that bytes_per_line must have been set properly alloc data */ + if((*image_return)->bytes_per_line == 0 || height == 0) { + XDestroyImage(*image_return); +-- +2.39.3 +
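Review bot: The added width guard in CreateXImage() has no comment, and both its position and its units are easy to misread. It dereferences `(*image_return)->bits_per_pixel`, so it can only run after the image has been created, and it compares bits per pixel against `INT_MAX / width` although the commit message talks about width * depth and bytes_per_line. I would put `/* bytes_per_line is a signed int: refuse widths where bits_per_pixel * width cannot fit, before allocating the data below */` above the `if`. As the description says, this only keeps libXpm from using such an image; presumably the image-creation call above the hunk has already done its own arithmetic by then, so the libX11 fix is still required. The function starts and ends outside the hunk.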