--- libxpm-3.5.12.orig/.gitignore +++ libxpm-3.5.12/.gitignore @@ -0,0 +1,78 @@ +# +# X.Org module default exclusion patterns +# The next section if for module specific patterns +# +# Do not edit the following section +# GNU Build System (Autotools) +aclocal.m4 +autom4te.cache/ +autoscan.log +ChangeLog +compile +config.guess +config.h +config.h.in +config.log +config-ml.in +config.py +config.status +config.status.lineno +config.sub +configure +configure.scan +depcomp +.deps/ +INSTALL +install-sh +.libs/ +libtool +libtool.m4 +ltmain.sh +lt~obsolete.m4 +ltoptions.m4 +ltsugar.m4 +ltversion.m4 +Makefile +Makefile.in +mdate-sh +missing +mkinstalldirs +*.pc +py-compile +stamp-h? +symlink-tree +texinfo.tex +ylwrap + +# Do not edit the following section +# Edit Compile Debug Document Distribute +*~ +*.[0-9] +*.[0-9]x +*.bak +*.bin +core +*.dll +*.exe +*-ISO*.bdf +*-JIS*.bdf +*-KOI8*.bdf +*.kld +*.ko +*.ko.cmd +*.lai +*.l[oa] +*.[oa] +*.obj +*.patch +*.so +*.pcf.gz +*.pdb +*.tar.bz2 +*.tar.gz +# +# Add & Override patterns for libXpm +# +# Edit the following section as needed +# For example, !report.pc overrides *.pc. See 'man gitignore' +# --- libxpm-3.5.12.orig/autogen.sh +++ libxpm-3.5.12/autogen.sh @@ -0,0 +1,14 @@ +#! /bin/sh + +srcdir=`dirname $0` +test -z "$srcdir" && srcdir=. + +ORIGDIR=`pwd` +cd $srcdir + +autoreconf -v --install || exit 1 +cd $ORIGDIR || exit $? + +if test -z "$NOCONFIGURE"; then + $srcdir/configure "$@" +fi --- libxpm-3.5.12.orig/cxpm/.gitignore +++ libxpm-3.5.12/cxpm/.gitignore @@ -0,0 +1,3 @@ +# Add & Override for this directory and it's subdirectories +cxpm +cxpm.po --- libxpm-3.5.12.orig/debian/README.source +++ libxpm-3.5.12/debian/README.source 
@@ -0,0 +1,49 @@ +------------------------------------------------------ +Quick Guide To Patching This Package For The Impatient +------------------------------------------------------ + +1. Make sure you have quilt installed +2. Unpack the package as usual with "dpkg-source -x" +3. Run the "patch" target in debian/rules +4. Create a new patch with "quilt new" (see quilt(1)) +5. Edit all the files you want to include in the patch with "quilt edit" + (see quilt(1)). +6. Write the patch with "quilt refresh" (see quilt(1)) +7. Run the "clean" target in debian/rules + +Alternatively, instead of using quilt directly, you can drop the patch in to +debian/patches and add the name of the patch to debian/patches/series. + +------------------------------------ +Guide To The X Strike Force Packages +------------------------------------ + +The X Strike Force team maintains X packages in git repositories on +git.debian.org in the pkg-xorg subdirectory. Most upstream packages +are actually maintained in git repositories as well, so they often +just need to be pulled into git.debian.org in a "upstream-*" branch. +Otherwise, the upstream sources are manually installed in the Debian +git repository. + +The .orig.tar.gz upstream source file could be generated using this +"upstream-*" branch in the Debian git repository but it is actually +copied from upstream tarballs directly. + +Due to X.org being highly modular, packaging all X.org applications +as their own independent packages would have created too many Debian +packages. For this reason, some X.org applications have been grouped +into larger packages: xutils, xutils-dev, x11-apps, x11-session-utils, +x11-utils, x11-xfs-utils, x11-xkb-utils, x11-xserver-utils. +Most packages, including the X.org server itself and all libraries +and drivers are, however maintained independently. 
+ +The Debian packaging is added by creating the "debian-*" git branch +which contains the aforementioned "upstream-*" branch plus the debian/ +repository files. +When a patch has to be applied to the Debian package, two solutions +are involved: +* If the patch is available in one of the upstream branches, it + may be git'cherry-picked into the Debian repository. In this + case, it appears directly in the .diff.gz. +* Otherwise, the patch is added to debian/patches/ which is managed + with quilt as documented in /usr/share/doc/quilt/README.source. --- libxpm-3.5.12.orig/debian/changelog +++ libxpm-3.5.12/debian/changelog 
@@ -0,0 +1,271 @@ +libxpm (1:3.5.12-1ubuntu0.22.04.1) jammy-security; urgency=medium + + * SECURITY UPDATE: CPU-consuming loop on width of 0 + - debian/patches/CVE-2022-44617-1.patch: add extra checks to + src/data.c, src/parse.c. + - debian/patches/CVE-2022-44617-2.patch: prevent a double free in the + error code path in src/create.c. + - CVE-2022-44617 + * SECURITY UPDATE: Infinite loop on unclosed comments + - debian/patches/CVE-2022-46285.patch: handle unclosed comments in + src/data.c. + - CVE-2022-46285 + * SECURITY UPDATE: compression commands depend on $PATH + - debian/patches/CVE-2022-4883.patch: don't rely on $PATH to find the + commands in src/RdFToI.c, src/WrFFrI.c. + - CVE-2022-4883 + + -- Marc Deslauriers Mon, 16 Jan 2023 12:38:49 -0500 + +libxpm (1:3.5.12-1build2) jammy; urgency=high + + * No change rebuild for ppc64el baseline bump. + + -- Julian Andres Klode Thu, 24 Mar 2022 17:22:04 +0100 + +libxpm (1:3.5.12-1build1) impish; urgency=medium + + * No-change rebuild to build packages with zstd compression. + + -- Matthias Klose Thu, 07 Oct 2021 12:19:51 +0200 + +libxpm (1:3.5.12-1) unstable; urgency=medium + + [ Andreas Boll ] + * New upstream release. + * Let uscan verify tarball signatures. + * Improve package description (Closes: #646992). Thanks, Justin B + Rye! + * Switch URLs to https. + * Remove obsolete xsfbs. + * Add placeholder comment into series file. + * Bump debhelper compat to 10. + - Drop build-deps on dh-autoreconf, automake and libtool. + * Stop passing --disable-silent-rules to configure, debhelper does + that for a while. + * Drop no longer needed dpkg-dev versioned build-dependency. + + [ Emilio Pozuelo Monfort ] + * Switch to -dbgsym packages. + + -- Emilio Pozuelo Monfort Thu, 22 Dec 2016 17:17:47 +0100 + +libxpm (1:3.5.11-1) unstable; urgency=medium + + * New upstream release. + * Rewrite debian/rules using dh, bump compat to 9, drop xsfbs. + * Remove Cyril from Uploaders. + * Bump x11proto-core-dev build-dep per configure.ac. 
+ * Disable silent build rules. + * Override gzip-file-is-not-multi-arch-same-safe for xpm.PS.gz. + + -- Julien Cristau Sun, 13 Jul 2014 12:24:10 +0200 + +libxpm (1:3.5.10-1) unstable; urgency=low + + * Clean up libtool m4 files. + * Revert to shipping the doc as PS instead of PDF, so libxpm-dev can be + Multi-Arch: same. Thanks to Jakub Wilk. + * New upstream release. + * Bump debhelper build-dep to 8.1.3 for ${misc:Pre-Depends}. + + -- Julien Cristau Sat, 21 Apr 2012 11:21:07 +0200 + +libxpm (1:3.5.9-4) unstable; urgency=low + + * Exclude xpmutils from the debug package so it really is multi-arch safe + (closes: #646960). Thanks, Jakub Wilk! + * Don't require fakeroot for debian/rules clean. + * Replace the change from 1:3.5.9-3 with the equivalent fix committed + upstream. + + -- Julien Cristau Mon, 31 Oct 2011 16:41:44 +0100 + +libxpm (1:3.5.9-3) unstable; urgency=low + + * Apply patch from Ubuntu to fix build failure when using ld --no-add- + needed. Closes: #604494. + + -- Steve Langasek Fri, 21 Oct 2011 20:21:48 -0700 + +libxpm (1:3.5.9-2) unstable; urgency=low + + [ Cyril Brulebois ] + * Build xpm.pdf from xpm.PS.gz, and use debian/libxpm-dev.docs to + install it. That's the only available documentation we've got, so + let's ship it (Closes: #466081). + * Add ghostscript build-dep, for ps2pdf. + * Fix typo in long descriptions: specificied → specified. + + [ Julien Cristau ] + * Remove David from Uploaders. + * Drop Pre-Depends on x11-common, only needed for upgrades from the + monolith. + * Drop Replaces on xbase-clients 6.8.x. + + [ Steve Langasek ] + * Build for multiarch. + + -- Steve Langasek Fri, 21 Oct 2011 15:24:28 -0700 + +libxpm (1:3.5.9-1) unstable; urgency=low + + [ Julien Cristau ] + * Remove myself from Uploaders. + * Rename the build directory to not include DEB_BUILD_GNU_TYPE for no + good reason. Thanks, Colin Watson! + + [ Cyril Brulebois ] + * New upstrem release. + * Bump xutils-dev build-dep for new macros. 
+ * Update debian/copyright from upstream COPYING. + * Drop debian/libxpm-dev.docs, xpm.PS is gone. + * Switch from --list-missing to --fail-missing for additional safety. + * Exclude libXpm.la from dh_install accordingly. + * Add myself to Uploaders. + + -- Cyril Brulebois Fri, 19 Nov 2010 10:59:03 +0100 + +libxpm (1:3.5.8-1) unstable; urgency=low + + [ Timo Aaltonen ] + * New upstream release. + * Bump the build-dep on xutils-dev (>= 1:7.5~1). + + [ Julien Cristau ] + * Bump Standards-Version to 3.8.3. + + -- Julien Cristau Wed, 25 Nov 2009 19:31:08 +0100 + +libxpm (1:3.5.7-2) unstable; urgency=low + + [ Julien Cristau ] + * Drop -1 debian revisions from build-deps. + * Bump Standards-Version to 3.7.3. + * Drop the XS- prefix from Vcs-* control fields. + * libxpm4{,-dbg} don't need to depend on x11-common. + * Add xpm.PS.gz to the -dev package (closes: #525551). + * Don't handle nostrip in DEB_BUILD_OPTIONS explicitly, dh_strip does the + right thing. + * Use filter instead of findstring to parse DEB_BUILD_OPTIONS in + debian/rules. + * Add README.source, bump Standards-Version to 3.8.1. + * Run autoreconf at build time. + * Allow parallel builds. + * Move -dbg package to new debug section. + * Don't pass -l and -L options to dh_shlibdeps, it seems to be useless + nowadays. + + [ Brice Goglin ] + * Add a link to www.X.org and a reference to the upstream module + in the long description. + + -- Julien Cristau Wed, 10 Jun 2009 14:59:30 +0200 + +libxpm (1:3.5.7-1) unstable; urgency=low + + * New upstream release. + * Add the upstream URL to debian/copyright. + * Use binary:Version instead of the deprecated Source-Version. + * Add myself to uploaders, and remove Branden with his permission. + + -- Julien Cristau Sat, 25 Aug 2007 10:50:50 +0200 + +libxpm (1:3.5.6-3) unstable; urgency=low + + * Put binary packages in the correct sections. + * Run dh_shlibdeps with -L libxpm4 -l debian/libxpm4/usr/lib so xpmutils + gets a dependency on libxpm4. 
Fixes bug noticed by checklib. + + -- Julien Cristau Mon, 21 May 2007 17:35:32 +0200 + +libxpm (1:3.5.6-2) unstable; urgency=low + + * Upload to unstable. + * Add XS-Vcs-Browser. + * Remove Fabio from Uploaders, with his permission. + + -- Julien Cristau Wed, 11 Apr 2007 16:31:32 +0200 + +libxpm (1:3.5.6-1) experimental; urgency=low + + * New upstream release. + * Add XS-Vcs-Git header to debian/control. + * Drop obsolete CVS information from the long descriptions. + * Install the upstream changelog. + + -- Julien Cristau Fri, 16 Feb 2007 16:24:44 +0100 + +libxpm (1:3.5.5-2) unstable; urgency=low + + [ Andres Salomon ] + * Test for obj-$(DEB_BUILD_GNU_TYPE) before creating it during build; + idempotency fix. + + [ Drew Parsons ] + * dbg package has priority extra. + + -- David Nusinow Wed, 30 Aug 2006 17:12:38 -0400 + +libxpm (1:3.5.5-1) experimental; urgency=low + + * New upstream release + * Run dh_install with --list-missing + * Bump debhelper compat to 5 + * Remove extra x11-common dep in the -dev package + * Version x11-common pre-dep in the -dev package to use 1:7.0.0 to match the + rest of Debian and shut lintian up + * Add the sxpm and cxpm manpages to xpm-utils + + -- David Nusinow Mon, 3 Jul 2006 19:23:49 -0400 + +libxpm (1:3.5.4.2-3) unstable; urgency=low + + * Reorder makeshlib command in rules file so that ldconfig is run + properly. Thanks Drew Parsons and Steve Langasek. + + -- David Nusinow Tue, 18 Apr 2006 21:50:00 -0400 + +libxpm (1:3.5.4.2-2) unstable; urgency=low + + * Upload to unstable + + -- David Nusinow Thu, 23 Mar 2006 22:45:13 -0500 + +libxpm (1:3.5.4.2-1) experimental; urgency=low + + * First upload to Debian + + -- David Nusinow Thu, 29 Dec 2005 20:54:06 -0500 + +libxpm (1:3.5.2-5) breezy; urgency=low + + * Add a Build-Depends on libxext-dev. For my next stunning move, I'll + actually pay attention to what I'm doing. 
+ + -- Daniel Stone Sat, 23 Jul 2005 01:33:31 +1000 + +libxpm (1:3.5.2-4) breezy; urgency=low + + * Bump Build-Depends on libx11-dev, libxt-dev, libxext-dev and + x11proto-core-dev to avoid _XOPEN_SOURCE. + + -- Daniel Stone Sat, 23 Jul 2005 00:24:13 +1000 + +libxpm (1:3.5.2-3) breezy; urgency=low + + * Fix cat-walks-across-keyboard attack in debian/control. + + -- Daniel Stone Wed, 20 Jul 2005 21:18:57 +1000 + +libxpm (1:3.5.2-2) breezy; urgency=low + + * blah blah xpmutils Replaces: xbase-clients (<< 6.8.2-38) blah blah + + -- Daniel Stone Wed, 20 Jul 2005 18:45:27 +1000 + +libxpm (1:3.5.2-1) breezy; urgency=low + + * First libxpm release. + + -- Daniel Stone Mon, 16 May 2005 22:10:17 +1000 --- libxpm-3.5.12.orig/debian/compat +++ libxpm-3.5.12/debian/compat @@ -0,0 +1 @@ +10 --- libxpm-3.5.12.orig/debian/control +++ libxpm-3.5.12/debian/control 
@@ -0,0 +1,65 @@ +Source: libxpm +Section: x11 +Priority: optional +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian X Strike Force +Build-Depends: + debhelper (>= 10), + quilt, + xutils-dev (>= 1:7.5+4), + libx11-dev (>= 1:0.99.2), + libxt-dev (>= 1:0.99.1-5), + x11proto-core-dev (>= 7.0.17), + libxext-dev (>= 1:0.99.1), + pkg-config, +Standards-Version: 3.9.8 +Homepage: https://www.x.org +Vcs-Git: https://anonscm.debian.org/git/pkg-xorg/lib/libxpm.git +Vcs-Browser: https://anonscm.debian.org/git/pkg-xorg/lib/libxpm.git + +Package: libxpm4 +Section: libs +Architecture: any +Multi-Arch: same +Pre-Depends: ${misc:Pre-Depends} +Depends: + ${shlibs:Depends}, + ${misc:Depends}, +Description: X11 pixmap library + The X PixMap image format is an extension of the monochrome X BitMap + format specified in the X protocol, and is commonly used in traditional + X applications. + . + This package provides runtime support for XPM format. + +Package: libxpm-dev +Section: libdevel +Architecture: any +Multi-Arch: same +Depends: + ${shlibs:Depends}, + ${misc:Depends}, + libxpm4 (= ${binary:Version}), + libx11-dev, + x11proto-core-dev, +Description: X11 pixmap library (development headers) + The X PixMap image format is an extension of the monochrome X BitMap + format specified in the X protocol, and is commonly used in traditional + X applications. + . + This package contains the development headers for the libxpm4 library. + Non-developers likely have little use for this package. + +Package: xpmutils +Architecture: any +Pre-Depends: ${misc:Pre-Depends} +Depends: + ${shlibs:Depends}, + ${misc:Depends}, +Description: X11 pixmap utilities + The X PixMap image format is an extension of the monochrome X BitMap + format specified in the X protocol, and is commonly used in traditional + X applications. + . + This package provides two tools: cxpm (to check the integrity of an + XPM file) and sxpm (to view XPM files). 
--- libxpm-3.5.12.orig/debian/copyright +++ libxpm-3.5.12/debian/copyright 
@@ -0,0 +1,71 @@ +This package was downloaded from +https://xorg.freedesktop.org/releases/individual/lib/ + +Copyright (C) 1989-95 GROUPE BULL + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to +deal in the Software without restriction, including without limitation the +rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +sell copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +GROUPE BULL BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN +AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +Except as contained in this notice, the name of GROUPE BULL shall not be +used in advertising or otherwise to promote the sale, use or other dealings +in this Software without prior written authorization from GROUPE BULL. + +Copyright (C) 1998 Arnaud LE HORS + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to +deal in the Software without restriction, including without limitation the +rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +sell copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. 
+ +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +Arnaud LE HORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +Except as contained in this notice, the name of Arnaud LE HORS shall not be +used in advertising or otherwise to promote the sale, use or other dealings +in this Software without prior written authorization from Arnaud LE HORS. + +Copyright (C) 19896 Lorens Younes + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to +deal in the Software without restriction, including without limitation the +rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +sell copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +Lorens Younes BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +Except as contained in this notice, the name of Lorens Younes shall not be +used in advertising or otherwise to promote the sale, use or other dealings +in this Software without prior written authorization from Lorens Younes. 
--- libxpm-3.5.12.orig/debian/libxpm-dev.docs +++ libxpm-3.5.12/debian/libxpm-dev.docs @@ -0,0 +1 @@ +doc/xpm.PS.gz --- libxpm-3.5.12.orig/debian/libxpm-dev.install +++ libxpm-3.5.12/debian/libxpm-dev.install @@ -0,0 +1,4 @@ +usr/include/X11/* +usr/lib/*/libXpm.a +usr/lib/*/libXpm.so +usr/lib/*/pkgconfig/xpm.pc --- libxpm-3.5.12.orig/debian/libxpm-dev.lintian-overrides +++ libxpm-3.5.12/debian/libxpm-dev.lintian-overrides @@ -0,0 +1,2 @@ +# we don't touch it, so it's the same on all archs +gzip-file-is-not-multi-arch-same-safe usr/share/doc/libxpm-dev/xpm.PS.gz --- libxpm-3.5.12.orig/debian/libxpm4.install +++ libxpm-3.5.12/debian/libxpm4.install @@ -0,0 +1 @@ +usr/lib/*/libXpm.so.4* --- libxpm-3.5.12.orig/debian/patches/CVE-2022-44617-1.patch +++ libxpm-3.5.12/debian/patches/CVE-2022-44617-1.patch 
@@ -0,0 +1,144 @@ +From 198839ca64dc117b35339f38c83d483ab6b561b6 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 7 Jan 2023 12:44:28 -0800 +Subject: [PATCH libXpm 4/5] Fix CVE-2022-44617: Runaway loop with width of 0 + and enormous height + +When reading XPM images from a file with libXpm 3.5.14 or older, if a +image has a width of 0 and a very large height, the ParsePixels() function +will loop over the entire height calling getc() and ungetc() repeatedly, +or in some circumstances, may loop seemingly forever, which may cause a +denial of service to the calling program when given a small crafted XPM +file to parse. + +Closes: #2 + +Reported-by: Martin Ettl +Signed-off-by: Alan Coopersmith +--- + src/data.c | 20 ++++++++++++++------ + src/parse.c | 31 +++++++++++++++++++++++++++---- + 2 files changed, 41 insertions(+), 10 deletions(-) + +--- a/src/data.c ++++ b/src/data.c +@@ -191,19 +191,23 @@ xpmNextString(xpmData *data) + register char c; + + /* get to the end of the current string */ +- if (data->Eos) +- while ((c = *data->cptr++) && c != data->Eos); ++ if (data->Eos) { ++ while ((c = *data->cptr++) && c != data->Eos && c != '\0'); ++ ++ if (c == '\0') ++ return XpmFileInvalid; ++ } + + /* + * then get to the beginning of the next string looking for possible + * comment + */ + if (data->Bos) { +- while ((c = *data->cptr++) && c != data->Bos) ++ while ((c = *data->cptr++) && c != data->Bos && c != '\0') + if (data->Bcmt && c == data->Bcmt[0]) + ParseComment(data); + } else if (data->Bcmt) { /* XPM2 natural */ +- while ((c = *data->cptr++) == data->Bcmt[0]) ++ while (((c = *data->cptr++) == data->Bcmt[0]) && c != '\0') + ParseComment(data); + data->cptr--; + } +@@ -212,9 +216,13 @@ xpmNextString(xpmData *data) + FILE *file = data->stream.file; + + /* get to the end of the current string */ +- if (data->Eos) ++ if (data->Eos) { + while ((c = Getc(data, file)) != data->Eos && c != EOF); + ++ if (c == EOF) ++ return XpmFileInvalid; ++ } ++ + /* + * then 
get to the beginning of the next string looking for possible + * comment +@@ -230,7 +238,7 @@ xpmNextString(xpmData *data) + Ungetc(data, c, file); + } + } +- return 0; ++ return XpmSuccess; + } + + +--- a/src/parse.c ++++ b/src/parse.c +@@ -391,6 +391,13 @@ ParsePixels( + { + unsigned int *iptr, *iptr2 = NULL; /* found by Egbert Eich */ + unsigned int a, x, y; ++ int ErrorStatus; ++ ++ if ((width == 0) && (height != 0)) ++ return (XpmFileInvalid); ++ ++ if ((height == 0) && (width != 0)) ++ return (XpmFileInvalid); + + if ((height > 0 && width >= UINT_MAX / height) || + width * height >= UINT_MAX / sizeof(unsigned int)) +@@ -428,7 +435,11 @@ ParsePixels( + colidx[(unsigned char)colorTable[a].string[0]] = a + 1; + + for (y = 0; y < height; y++) { +- xpmNextString(data); ++ ErrorStatus = xpmNextString(data); ++ if (ErrorStatus != XpmSuccess) { ++ XpmFree(iptr2); ++ return (ErrorStatus); ++ } + for (x = 0; x < width; x++, iptr++) { + int c = xpmGetC(data); + +@@ -475,7 +486,11 @@ do \ + } + + for (y = 0; y < height; y++) { +- xpmNextString(data); ++ ErrorStatus = xpmNextString(data); ++ if (ErrorStatus != XpmSuccess) { ++ XpmFree(iptr2); ++ return (ErrorStatus); ++ } + for (x = 0; x < width; x++, iptr++) { + int cc1 = xpmGetC(data); + if (cc1 > 0 && cc1 < 256) { +@@ -515,7 +530,11 @@ do \ + xpmHashAtom *slot; + + for (y = 0; y < height; y++) { +- xpmNextString(data); ++ ErrorStatus = xpmNextString(data); ++ if (ErrorStatus != XpmSuccess) { ++ XpmFree(iptr2); ++ return (ErrorStatus); ++ } + for (x = 0; x < width; x++, iptr++) { + for (a = 0, s = buf; a < cpp; a++, s++) { + int c = xpmGetC(data); +@@ -535,7 +554,11 @@ do \ + } + } else { + for (y = 0; y < height; y++) { +- xpmNextString(data); ++ ErrorStatus = xpmNextString(data); ++ if (ErrorStatus != XpmSuccess) { ++ XpmFree(iptr2); ++ return (ErrorStatus); ++ } + for (x = 0; x < width; x++, iptr++) { + for (a = 0, s = buf; a < cpp; a++, s++) { + int c = xpmGetC(data); --- 
libxpm-3.5.12.orig/debian/patches/CVE-2022-44617-2.patch +++ libxpm-3.5.12/debian/patches/CVE-2022-44617-2.patch @@ -0,0 +1,39 @@ +From 1b01c4424bec256116f8e8283430eb241e3f5d99 Mon Sep 17 00:00:00 2001 +From: Matthieu Herrb +Date: Thu, 12 Jan 2023 15:05:39 +1000 +Subject: [PATCH libXpm] Prevent a double free in the error code path + +xpmParseDataAndCreate() calls XDestroyImage() in the error path. +Reproducible with sxpm "zero-width.xpm", that file is in the test/ +directory. + +The same approach is needed in the bytes_per_line == 0 condition though +here it just plugs a memory leak. +--- + src/create.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/create.c b/src/create.c +index 4a85c78..f92ffef 100644 +--- a/src/create.c ++++ b/src/create.c +@@ -994,11 +994,15 @@ CreateXImage( + #if !defined(FOR_MSW) && !defined(AMIGA) + if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) { + XDestroyImage(*image_return); ++ *image_return = NULL; + return XpmNoMemory; + } + /* now that bytes_per_line must have been set properly alloc data */ +- if((*image_return)->bytes_per_line == 0 || height == 0) ++ if((*image_return)->bytes_per_line == 0 || height == 0) { ++ XDestroyImage(*image_return); ++ *image_return = NULL; + return XpmNoMemory; ++ } + (*image_return)->data = + (char *) XpmMalloc((*image_return)->bytes_per_line * height); + +-- +2.39.0 + --- libxpm-3.5.12.orig/debian/patches/CVE-2022-46285.patch +++ libxpm-3.5.12/debian/patches/CVE-2022-46285.patch 
@@ -0,0 +1,37 @@ +From 4636007dd4cebca8ee10738a7833f629d8687529 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 17 Dec 2022 12:23:45 -0800 +Subject: [PATCH libXpm 2/5] Fix CVE-2022-46285: Infinite loop on unclosed + comments + +When reading XPM images from a file with libXpm 3.5.14 or older, if a +comment in the file is not closed (i.e. a C-style comment starts with +"/*" and is missing the closing "*/"), the ParseComment() function will +loop forever calling getc() to try to read the rest of the comment, +failing to notice that it has returned EOF, which may cause a denial of +service to the calling program. + +Reported-by: Marco Ivaldi +Signed-off-by: Alan Coopersmith +--- + src/data.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/data.c b/src/data.c +index 898889c..bfad4ff 100644 +--- a/src/data.c ++++ b/src/data.c +@@ -174,6 +174,10 @@ ParseComment(xpmData *data) + notend = 0; + Ungetc(data, *s, file); + } ++ else if (c == EOF) { ++ /* hit end of file before the end of the comment */ ++ return XpmFileInvalid; ++ } + } + return 0; + } +-- +2.15.2 + --- libxpm-3.5.12.orig/debian/patches/CVE-2022-4883.patch +++ libxpm-3.5.12/debian/patches/CVE-2022-4883.patch 
@@ -0,0 +1,87 @@ +Simplified backport of: + +From 082a080672c3b8a964aa8100bee41930e12b03fa Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Fri, 6 Jan 2023 12:50:48 -0800 +Subject: [PATCH libXpm 5/5] Fix CVE-2022-4883: compression commands depend on + $PATH + +By default, on all platforms except MinGW, libXpm will detect if a +filename ends in .Z or .gz, and will when reading such a file fork off +an uncompress or gunzip command to read from via a pipe, and when +writing such a file will fork off a compress or gzip command to write +to via a pipe. + +In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH +to find the commands. If libXpm is called from a program running with +raised privileges, such as via setuid, then a malicious user could set +$PATH to include programs of their choosing to be run with those +privileges. + +Signed-off-by: Alan Coopersmith +--- + README.md | 12 ++++++++++++ + configure.ac | 14 ++++++++++++++ + src/RdFToI.c | 17 ++++++++++++++--- + src/WrFFrI.c | 4 ++-- + 4 files changed, 42 insertions(+), 5 deletions(-) + +--- a/src/RdFToI.c ++++ b/src/RdFToI.c +@@ -43,6 +43,7 @@ + #include + #include + #include ++#include + #else + #ifdef FOR_MSW + #include +@@ -161,7 +162,17 @@ xpmPipeThrough( + goto err; + if ( 0 == pid ) + { +- execlp(cmd, cmd, arg1, (char *)NULL); ++#ifdef HAVE_CLOSEFROM ++ closefrom(3); ++#elif defined(HAVE_CLOSE_RANGE) ++# ifdef CLOSE_RANGE_UNSHARE ++# define close_range_flags CLOSE_RANGE_UNSHARE ++# else ++# define close_range_flags 0 ++#endif ++ close_range(3, ~0U, close_range_flags); ++#endif ++ execl(cmd, cmd, arg1, (char *)NULL); + perror(cmd); + goto err; + } +@@ -235,12 +246,12 @@ OpenReadFile( + if ( ext && !strcmp(ext, ".Z") ) + { + mdata->type = XPMPIPE; +- mdata->stream.file = xpmPipeThrough(fd, "uncompress", "-c", "r"); ++ mdata->stream.file = xpmPipeThrough(fd, "/usr/bin/uncompress", "-c", "r"); + } + else if ( ext && !strcmp(ext, ".gz") ) + { + mdata->type = XPMPIPE; +- mdata->stream.file 
= xpmPipeThrough(fd, "gunzip", "-qc", "r"); ++ mdata->stream.file = xpmPipeThrough(fd, "/usr/bin/gzip", "-dqc", "r"); + } + else + #endif /* z-files */ +--- a/src/WrFFrI.c ++++ b/src/WrFFrI.c +@@ -336,10 +336,10 @@ OpenWriteFile( + #ifndef NO_ZPIPE + len = strlen(filename); + if (len > 2 && !strcmp(".Z", filename + (len - 2))) { +- mdata->stream.file = xpmPipeThrough(fd, "compress", NULL, "w"); ++ mdata->stream.file = xpmPipeThrough(fd, "/usr/bin/compress", NULL, "w"); + mdata->type = XPMPIPE; + } else if (len > 3 && !strcmp(".gz", filename + (len - 3))) { +- mdata->stream.file = xpmPipeThrough(fd, "gzip", "-q", "w"); ++ mdata->stream.file = xpmPipeThrough(fd, "/usr/bin/gzip", "-q", "w"); + mdata->type = XPMPIPE; + } else + #endif --- libxpm-3.5.12.orig/debian/patches/series +++ libxpm-3.5.12/debian/patches/series @@ -0,0 +1,5 @@ +# placeholder +CVE-2022-44617-1.patch +CVE-2022-44617-2.patch +CVE-2022-46285.patch +CVE-2022-4883.patch --- libxpm-3.5.12.orig/debian/rules +++ libxpm-3.5.12/debian/rules @@ -0,0 +1,7 @@ +#!/usr/bin/make -f + +%: + dh $@ --with quilt --builddirectory=build/ + +override_dh_install: + dh_install --fail-missing -XlibXpm.la --- libxpm-3.5.12.orig/debian/upstream/signing-key.asc +++ libxpm-3.5.12/debian/upstream/signing-key.asc 
@@ -0,0 +1,64 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFeKY50BEADAX0lod3IVceb/IWJn3kTAcO2P7PWlcBiyUDaq5b2kFkliKleZ +ec4LoCHakQBlkRBMPNwOOxvADNk3tLQjBDpbYr6lQIrN+AxMGkXBhJ82T3bsDvlj +3Z1wRJ1zVA7eMIktsk0FAoJxV1y7e3sBKcP0eTlXqXvR2djhi+FW+ueJDAJIFSkb +uFirgwtX5t8nt8jCmIl75KNUKOakoENY3hLWtr16W8fO1JGkEhghI2mXcz664KTd +MPZp6JH0/8UHTHzmATOCTqNxoDtMTi2l5059Lh/nhmso9moTYqyKmaJP2rnZUr62 +97sRMG4WcxaYfWpPyO3MCmDyGeh4sW0OC06PpED3i9xMzf/kMkMdY4ZIFcLRcPtf +LIJhw+lc/GE1Rqe961IB5xCgnZezB7ZIL+ZlOAMwKGkq7lLbcZr2QZn84lpABKF0 +AvxECoJ4etmIcdbDVmsw18AhA3u9sr98hS5IXDyeos3Xwz6Abml8aPrhqhkKvo+J +Kcq9FNYHg0RRlos0TqocjDzGnUjEYrmIopLcwIu2SnsNSJTygZGtqrpT+2sGEqvm +k6Oyk95QCa580zqldvxe3CG0vrAfPvoG7irllM68TS4JcqqDHTq6eupUv9ZdIzXf +eyTHa5cytGahgVtUcui1lzqcCBkqwN8TKl+0wCcEnxRasHJy3A2Gp+AG3wARAQAB +tCJNYXR0aGlldSBIZXJyYiA8bWF0dGhpZXVAaGVycmIuZXU+iQI+BBMBAgAoBQJX +imOdAhsDBQkDwmcABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBoc5PuN9Eo ++PF1EACldzZPNYaC9H5E9sMn9pMsJTucBYVUy74Aw6MWAiAzRpxb9DmySmC2oEYW +JJkwDTwv6M0Na0ed6zD79GKtAalORz2GppZpS7uoINClElWoM5TCYph6linyv9Wj +OTlcbpX0Jqw0tdHNI2UOEjvBP3vW9kVYpEhfnHET8Ncp55j1hzoqxOhGIBE/67zc +cLAenONAvA3YN3tHTGaOaFv+vuCFRJx9FpKbGHmdUPd3MtLqtaA4EQvDvDEholEI +eWrjmdXJibSet6Amc5AIdFaQevZiADjjMh8MINw/6OEy9OB4s+z1RzgOrHgLiIZm +dlP6WrNjXQwl2gmNPhctGaSHM+j2+3gckNGlI4LQYxNtKvI4iv/CoHDYmwgrcrZO +TwFHfqt0LwqjpsU203Hw609oWYcxLeGZdITBjDz20UcfsmKQDqrBq3P1FuC5GBW3 +5bEa3wAhyE+/WKhJ94bXiHmpKsp50va3bEe17uQcYd8+E8L53aR7XP87qaHx//Mu ++OQa5Wc2d1OFHf1Mi62nbzr7pws/Mf7OSf/tnhRthuwtlfYnsUVo8usUKL/xStqo +Ul4kc/Q81AlyaZfr7dbxsQWm2q3ksLaMaAxnk0p+kMXVzXZ9GKNOgUOJdbahORs5 +RU2f44xzfNavb63u3McADtaXskl+KHB4uDbGbGESVhm5PULk37QnTWF0dGhpZXUg +SGVycmIgPG1hdHRoaWV1LmhlcnJiQGxhYXMuZnI+iQI+BBMBAgAoBQJXlJ63AhsD +BQkDwmcABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBoc5PuN9Eo+PKID/wM +II+2d11clp1X7eZgkxkAHUhI2W3NSesuFnjkkQRKQoVMokDdeSOkBhMJuWoFfbZk +jYs2VHU9029rDqcoDSqGwo2IffvrXXJ4SjOTjlvXS1lr/H2VdWRbq8ImnDwSsoiD +dWB3dZyqzf7ABKZ7ccA+NMSs6NxeEN/0+0sTJ386Zp480ByNX0uPqYSq5lX/VEke 
+nI8r02u2ZfuykhGkT0sM013VprfYLa+6HvF+QT9KfP220mqRbonaDkYvCxwjCMzd +rUmvyqw3VsooUpg/W/PmDNeShSuOxebaGnFyGTNvTarElCBdynFD01dqOecOqfY8 +gy+PJ1aF1qjmf+RQD/SZq+gvgyXqyBhJy7zgJnzzNWzDlUIw0ZOLyZxzFR7lRV79 +2mrGgczlQr5rLAgBy2pgwsCmP7nFx50r4ft2juugnQixoOBU/YfhBplM76EROaCc +MTs5nPEqzJ9p4SNkPcK8AroR2Ka3+f7t+XOoHpx/XhJOBYlPaUmoFkWKr0Y8BWWh +1nJxyFKrSNbwUgam8ypZzwzbI1vDiX8Ol6NpEeOLwzFNT0pyTdC9UN93M1VIyKWC +1vaeMogUREKT6SmDjRn3fISktZ0IGVf2AnFMhtgZ46TJO4BZgDdZAjTkZc/lP0yF +Nl6MpGwnaymmL50ckT77OdlfIcXFwvNPFwWlFPlcyrkCDQRXimOdARAA4otssvZm +sKg+g0bVyJHhn/YOHLYMih+Xf07xJHyalH0UCGnGdHZwl0B97G950SwQ7yVXtGa9 +CAPe97clE6dPD6jaumQ13BHavXM+ThgjCe8V56ayYcdzqFkxlCx0Uocoa63G0/cE +TiOqeqhNZs8JY+D7l83jCa4lU/1pLusbkCpCQ7d5/FFLz7QSihzJWp+UTsjbNik5 +spaseEMGFRKUcB3SZ/l1dTgc0wBQ1hlvLX+h4/sG0iUs1pVpo5ORC+bUfWRokl96 +uj5QZz5rY21FaNSP1rB1HKHNkwhxifBCHQMhYGTXvD7GH+JNyF2TdRmo7eBCfAPJ +aP3mX9t2SkCipdSsUs+Uuyib9MLA71ApW90AGiRm6HtOCxR0c3+qQRNIdFVm8mnM +hCxXRexf6Z2wZdXXy6uY0LVRgI0o31NPJPk8l2Hnb/kHGxjyUFzEWh65J/eA368d +4m8uF+Rr7WWlpQjwgWHU12kGThEVFFBFh2gmeIjYZdDDVhCi2mQ6lGSV2Pt7pZYL +/PPChWLBqrVBkIUQ0GV22nRYvGdaIv2LVPu8PggbPs/wwh35nJ3rUQyJF55CFV5y +WIWAWXfRYTKG9jkt+ncjZLEBxDO26zzO/MjIVPZxGyYryXEOgr6xp38xbyX9FpjL +KBaIueLWEyphVjBb1uUpDGx+UDYe9vbJjPUAEQEAAYkCJQQYAQIADwUCV4pjnQIb +DAUJA8JnAAAKCRBoc5PuN9Eo+D8dEACa60Q3ta6BWyHG0SOgfYGHE15LodACVHNI +N6Ou+JtmLarMW/AvPclNC25mxZV0ywLbun4CnJ9qYbt/Kx7djn48mrNa0rKN8Q+V +K5RvQA1kD890yzwu5jH6r5BQ8VBcfsPvsvatgbquzFn+NNiH9U4xRf/9BSY2Zk3G +yA15xG0T9zoklOMg8MWbeRaJPkDELyaHPWerbO7rebynePENSFPz3o3g+K9WcCM2 +xkEL571SmT4z3Mp/p0pwemWBCP2WoKCnSjAGiiHpCFru3SlZhRIvNJyK5jeS/IU6 +d5qeTBse6TXzp6Q4xkzACIN66P5SG/YY3/ONbfs6wB3lIkvVC9n7jEXjMK1T0fK8 +9DBDjzvAkJcKLLuIljjkMhRWSCED74sn+MlaWm0xMeo276EnaVILNcrHecSr8+eX +pVXSWEJ1+ErzZladJC+CrqUm0QljPV8Smtmk9MvOLHZ4qL4bI4Hu7MywuGNrLSol +qO0pAT1AjaYTRuH2MhZ6mJe/EtSl0EHXEkcDteE4jbYj3lwVhA1c/So0CdayImmD +/0tdqUfekw4va8PpbQ0wroL0XUvf3wl6HOhFhahWSqqb1fVr2slVttkaMb8M4MPt +Ka2m4qiiuGYivPIAVapSEA4DYc+krVqVXV/yDd3T7XcNtnClVo+rmOn5WiGq24am +79+hF4bWyw== 
+=WW1Z +-----END PGP PUBLIC KEY BLOCK----- --- libxpm-3.5.12.orig/debian/watch +++ libxpm-3.5.12/debian/watch @@ -0,0 +1,4 @@ +#git=git://anongit.freedesktop.org/xorg/lib/libXpm +version=3 +opts=pgpsigurlmangle=s/$/.sig/ \ +https://xorg.freedesktop.org/releases/individual/lib/ libXpm-(.*)\.tar\.gz --- libxpm-3.5.12.orig/debian/xpmutils.install +++ libxpm-3.5.12/debian/xpmutils.install @@ -0,0 +1,4 @@ +usr/bin/cxpm +usr/bin/sxpm +usr/share/man/man1/sxpm.1 +usr/share/man/man1/cxpm.1 --- libxpm-3.5.12.orig/sxpm/.gitignore +++ libxpm-3.5.12/sxpm/.gitignore @@ -0,0 +1,3 @@ +# Add & Override for this directory and it's subdirectories +sxpm +sxpm.po
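Review bot: In the autogen.sh hunk, `cd $srcdir`, `cd $ORIGDIR` and `$srcdir/configure "$@"` leave the directory variables unquoted, so a source path containing whitespace breaks the script even though `"$@"` was carefully quoted on the same line; quote them as `"$srcdir"` and `"$ORIGDIR"`. The same applies to the `dirname $0` backtick expansion at the top.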
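Review bot: The cxpm/.gitignore and sxpm/.gitignore hunks both carry the comment "for this directory and it's subdirectories"; it should read "its". Cosmetic, but it is copied into every module this template is used for.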
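Review bot: In the debian/copyright hunk the third notice reads "Copyright (C) 19896 Lorens Younes", which is not a valid year. The 1:3.5.9-1 changelog entry says this file was updated from upstream COPYING, so the garbled year is most likely inherited from there; it is still worth correcting here (or flagging upstream) rather than shipping a nonsense date in the package metadata.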
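Review bot: In the src/data.c hunk at @@ -191,19 +191,23 @@ of CVE-2022-44617-1.patch, the `&& c != '\0'` terms added to the three buffer-branch loops are redundant: `(c = *data->cptr++)` is already false when the byte is NUL, so each loop stopped at a NUL before this change. The behavioural fix is the new `if (c == '\0') return XpmFileInvalid;` after the Eos loop, which turns a buffer that ends in the middle of a string into an error instead of a silent success. Suggest dropping the redundant terms so the real change stands out, and note that the return value of the `ParseComment(data);` calls in this branch is still discarded.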
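Review bot: The `if (c == EOF) return XpmFileInvalid;` added in the src/data.c file branch at @@ -212,9 +216,13 @@ only works if `c` in that branch is an `int`; the buffer branch above declares `register char c;`, and the declaration for the stream branch lies outside the hunk's context. If it were a `char`, then on targets where char is unsigned (arm64 and the ppc64el build mentioned in the changelog) EOF would be stored as 255 and neither the loop's `c != EOF` nor the new test would ever be true, leaving exactly the kind of spin on EOF this patch is meant to remove. Please confirm the stream branch declares `int c`, or widen it. Changing the final `return 0;` to `return XpmSuccess;` is fine but is a visible API-value change only if XpmSuccess is not 0, which it is here.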
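Review bot: The two new checks in ParsePixels() at @@ -391,6 +391,13 @@ of CVE-2022-44617-1.patch are one condition written twice; `if ((width == 0) != (height == 0)) return XpmFileInvalid;` expresses the same rule and makes it obvious that a width and height that are both zero are still allowed through to the pre-existing `width * height >= UINT_MAX / sizeof(unsigned int)` guard and the allocation behind it. A one-line comment on why the zero-by-zero image is accepted (rather than rejected with the other degenerate shapes) would help the next reader.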
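Review bot: The five-line error block first inserted at @@ -428,7 +435,11 @@ of the src/parse.c changes is repeated verbatim in the three later hunks (@@ -475,7 +486,11 @@, @@ -515,7 +530,11 @@ and @@ -535,7 +554,11 @@). The hunk headers show a `do \` macro already exists in this region for the per-pixel error path, so a matching macro, or a single `goto` to a cleanup label that frees `iptr2`, would keep the four copies from drifting apart. The block itself is right as far as the visible lines show: `iptr2` is the pixel buffer, so `XpmFree(iptr2)` followed by `return (ErrorStatus)` neither leaks nor double-frees.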
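Review bot: In CVE-2022-44617-2.patch the commit message says the double free is reproducible with test/zero-width.xpm, but the backport carries only the src/create.c hunk (diffstat: 1 file changed), so the reproducer does not ship with this package; consider wiring it into an autopkgtest or at least noting in the changelog that it was dropped. The fix relies on the caller (xpmParseDataAndCreate(), per the message) checking `*image_return` for NULL before calling XDestroyImage() in its error path; that check is outside the hunk and worth confirming. Minor: the `bytes_per_line == 0 || height == 0` branch still reports XpmNoMemory for what is a malformed-input condition, where XpmFileInvalid would be the more honest code, though changing it here alters what callers see.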
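Review bot: In CVE-2022-46285.patch, ParseComment() now returns XpmFileInvalid on EOF at @@ -174,6 +174,10 @@, but the normal exit is still a bare `return 0;` and the call sites visible in CVE-2022-44617-1.patch (`ParseComment(data);` inside xpmNextString()) discard the return value. Termination still holds, because the caller's own loop sees the same EOF on its next read, so the DoS fix stands; but the error is lost and a file truncated inside a comment is parsed as if the comment had been closed. Suggest propagating a non-zero ParseComment() result from xpmNextString(), and using XpmSuccess instead of 0 for consistency with the other patch.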
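Review bot: The descriptor-closing code added at @@ -161,7 +162,17 @@ of src/RdFToI.c in CVE-2022-4883.patch is guarded by HAVE_CLOSEFROM / HAVE_CLOSE_RANGE, but this "simplified backport" drops the configure.ac hunk listed in the upstream diffstat (configure.ac | 14 +), so neither macro is ever defined and the child still execs with every inherited descriptor open; only the execlp() to execl() change is live. Either carry the configure check or state in the patch header that the fd hygiene was intentionally left out, so nobody assumes it is in place. Minor: `close_range_flags` is #define'd inside the function body with no matching #undef, and the `# ifdef` / `#endif` indentation is uneven.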
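Review bot: The hunks at @@ -235,12 +246,12 @@ of src/RdFToI.c and @@ -336,10 +336,10 @@ of src/WrFFrI.c replace the PATH lookup with hard-coded /usr/bin/uncompress, /usr/bin/gzip and /usr/bin/compress instead of the configure-time detection upstream added. That is correct on a merged-/usr system (the default for jammy), but on any layout where gzip lives only in /bin the execl() fails and the child does `perror(cmd); goto err;`, so every .gz read or write breaks outright rather than degrading. Worth a build-time or autopkgtest check that the hard-coded paths exist, plus a changelog sentence that the helpers are now resolved absolutely. The switch from `gunzip -qc` to `gzip -dqc` is equivalent and fine.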