Accepting request 1059036 from X11:XOrg

- U_0001-configure-add-disable-open-zfile-instead-of-requirin.patch
  * needed by U_0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
- U_0002-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch
  * libXpm: Infinite loop on unclosed comments (CVE-2022-46285, 
    bsc#1207029)
- U_0004-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch
  * libXpm: Runaway loop on width of 0 and enormous height 
    (CVE-2022-44617, bsc#1207030)
- U_0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
  * libXpm: compression commands depend on $PATH (CVE-2022-4883,
    bsc#1207031)
- U_regression-bug1207029_1207030_1207031.patch
  * regression fix for above patches
- U_regression2-bug1207029_1207030_1207031.patch
  * second regression fix: Use gzip -d instead of gunzip

OBS-URL: https://build.opensuse.org/request/show/1059036
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libXpm?expand=0&rev=12

U_0001-configure-add-disable-open-zfile-instead-of-requirin.patch

@@ -0,0 +1,95 @@
+From 4841039e5385f264d12757903894f47c64f59361 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Thu, 5 Jan 2023 15:42:36 -0800
+Subject: [PATCH] configure: add --disable-open-zfile instead of requiring
+ -DNO_ZPIPE
+
+Documents the two compression options in the README, makes their
+configure options reflect the interdependency of their implementation,
+and makes the configure script report their configuration.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ README.md    | 15 +++++++++++++++
+ configure.ac | 36 +++++++++++++++++++++++-------------
+ 2 files changed, 38 insertions(+), 13 deletions(-)
+
+diff --git a/README.md b/README.md
+index adc83c8..7895350 100644
+--- a/README.md
++++ b/README.md
+@@ -16,3 +16,18 @@ For patch submission instructions, see:
+ 
+   https://www.x.org/wiki/Development/Documentation/SubmittingPatches
+ 
++------------------------------------------------------------------------------
++
++libXpm supports two optional features to handle compressed pixmap files.
++
++--enable-open-zfile makes libXpm recognize file names ending in .Z and .gz
++and open a pipe to the appropriate command to compress the file when writing
++and uncompress the file when reading. This is enabled by default on platforms
++other than MinGW and can be disabled by passing the --disable-open-zfile flag
++to the configure script.
++
++--enable-stat-zfile make libXpm search for a file name with .Z or .gz added
++if it can't find the file it was asked to open.  It relies on the
++--enable-open-zfile feature to open the file, and is enabled by default
++when --enable-open-zfile is enabled, and can be disabled by passing the
++--disable-stat-zfile flag to the configure script.
+diff --git a/configure.ac b/configure.ac
+index 789a96e..1b64830 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -49,25 +49,35 @@ if test "x$USE_GETTEXT" = "xyes" ; then
+ fi
+ AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes")
+ 
++# Optional feature: When a filename ending in .Z or .gz is requested,
++# open a pipe to a newly forked compress/uncompress/gzip/gunzip command to
++# handle it.
++AC_MSG_CHECKING([whether to handle compressed pixmaps])
++case $host_os in
++        *mingw*)        zpipe_default="no" ;;
++        *)              zpipe_default="yes" ;;
++esac
++AC_ARG_ENABLE(open-zfile,
++        AS_HELP_STRING([--enable-open-zfile],
++                        [Search for files with .Z & .gz extensions automatically @<:@default=auto@:>@]),
++              [OPEN_ZFILE=$enableval], [OPEN_ZFILE=yes])
++AC_MSG_RESULT([$OPEN_ZFILE])
++if test x$OPEN_ZFILE = xno ; then
++        AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes])
++fi
++
+ # Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz
+ # Replaces ZFILEDEF = -DSTAT_ZFILE in old Imakefile
++AC_MSG_CHECKING([whether to search for compressed pixmaps])
+ AC_ARG_ENABLE(stat-zfile,
+-	AS_HELP_STRING([--enable-stat-zfile],
+-			[Search for files with .Z & .gz extensions automatically @<:@default=yes@:>@]),
+-              [STAT_ZFILE=$enableval], [STAT_ZFILE=yes])
++        AS_HELP_STRING([--enable-stat-zfile],
++                        [Search for files with .Z & .gz extensions automatically @<:@default=auto@:>@]),
++              [STAT_ZFILE=$enableval], [STAT_ZFILE=$OPEN_ZFILE])
++AC_MSG_RESULT([$STAT_ZFILE])
+ if test x$STAT_ZFILE = xyes ; then
+-	AC_DEFINE(STAT_ZFILE, 1, [Define to 1 to automatically look for files with .Z & .gz extensions])
++        AC_DEFINE(STAT_ZFILE, 1, [Define to 1 to automatically look for files with .Z & .gz extensions])
+ fi
+ 
+-
+-case $host_os in
+-	*mingw*)
+-                AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes])
+-	;;
+-	*)
+-	;;
+-esac
+-
+ AC_CONFIG_FILES([Makefile
+                  doc/Makefile
+                  include/Makefile
+-- 
+2.35.3
+

U_0002-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch

@@ -0,0 +1,37 @@
+From 4636007dd4cebca8ee10738a7833f629d8687529 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 17 Dec 2022 12:23:45 -0800
+Subject: [PATCH libXpm 2/5] Fix CVE-2022-46285: Infinite loop on unclosed
+ comments
+
+When reading XPM images from a file with libXpm 3.5.14 or older, if a
+comment in the file is not closed (i.e. a C-style comment starts with
+"/*" and is missing the closing "*/"), the ParseComment() function will
+loop forever calling getc() to try to read the rest of the comment,
+failing to notice that it has returned EOF, which may cause a denial of
+service to the calling program.
+
+Reported-by: Marco Ivaldi <raptor@0xdeadbeef.info>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/data.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/data.c b/src/data.c
+index 898889c..bfad4ff 100644
+--- a/src/data.c
++++ b/src/data.c
+@@ -174,6 +174,10 @@ ParseComment(xpmData *data)
+ 		notend = 0;
+ 		Ungetc(data, *s, file);
+ 	    }
++	    else if (c == EOF) {
++		/* hit end of file before the end of the comment */
++		return XpmFileInvalid;
++	    }
+ 	}
+ 	return 0;
+     }
+-- 
+2.15.2
+

U_0004-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch

@@ -0,0 +1,151 @@
+From 198839ca64dc117b35339f38c83d483ab6b561b6 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 7 Jan 2023 12:44:28 -0800
+Subject: [PATCH libXpm 4/5] Fix CVE-2022-44617: Runaway loop with width of 0
+ and enormous height
+
+When reading XPM images from a file with libXpm 3.5.14 or older, if a
+image has a width of 0 and a very large height, the ParsePixels() function
+will loop over the entire height calling getc() and ungetc() repeatedly,
+or in some circumstances, may loop seemingly forever, which may cause a
+denial of service to the calling program when given a small crafted XPM
+file to parse.
+
+Closes: #2
+
+Reported-by: Martin Ettl <ettl.martin78@googlemail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/data.c  | 20 ++++++++++++++------
+ src/parse.c | 31 +++++++++++++++++++++++++++----
+ 2 files changed, 41 insertions(+), 10 deletions(-)
+
+diff --git a/src/data.c b/src/data.c
+index bfad4ff..7524e65 100644
+--- a/src/data.c
++++ b/src/data.c
+@@ -195,19 +195,23 @@ xpmNextString(xpmData *data)
+ 	register char c;
+ 
+ 	/* get to the end of the current string */
+-	if (data->Eos)
+-	    while ((c = *data->cptr++) && c != data->Eos);
++	if (data->Eos) {
++	    while ((c = *data->cptr++) && c != data->Eos && c != '\0');
++
++	    if (c == '\0')
++		return XpmFileInvalid;
++	}
+ 
+ 	/*
+ 	 * then get to the beginning of the next string looking for possible
+ 	 * comment
+ 	 */
+ 	if (data->Bos) {
+-	    while ((c = *data->cptr++) && c != data->Bos)
++	    while ((c = *data->cptr++) && c != data->Bos && c != '\0')
+ 		if (data->Bcmt && c == data->Bcmt[0])
+ 		    ParseComment(data);
+ 	} else if (data->Bcmt) {	/* XPM2 natural */
+-	    while ((c = *data->cptr++) == data->Bcmt[0])
++	    while (((c = *data->cptr++) == data->Bcmt[0]) && c != '\0')
+ 		ParseComment(data);
+ 	    data->cptr--;
+ 	}
+@@ -216,9 +220,13 @@ xpmNextString(xpmData *data)
+ 	FILE *file = data->stream.file;
+ 
+ 	/* get to the end of the current string */
+-	if (data->Eos)
++	if (data->Eos) {
+ 	    while ((c = Getc(data, file)) != data->Eos && c != EOF);
+ 
++	    if (c == EOF)
++		return XpmFileInvalid;
++	}
++
+ 	/*
+ 	 * then get to the beginning of the next string looking for possible
+ 	 * comment
+@@ -234,7 +242,7 @@ xpmNextString(xpmData *data)
+ 	    Ungetc(data, c, file);
+ 	}
+     }
+-    return 0;
++    return XpmSuccess;
+ }
+ 
+ 
+diff --git a/src/parse.c b/src/parse.c
+index 037fc66..64f51ba 100644
+--- a/src/parse.c
++++ b/src/parse.c
+@@ -427,6 +427,13 @@ ParsePixels(
+ {
+     unsigned int *iptr, *iptr2 = NULL; /* found by Egbert Eich */
+     unsigned int a, x, y;
++    int ErrorStatus;
++
++    if ((width == 0) && (height != 0))
++	return (XpmFileInvalid);
++
++    if ((height == 0) && (width != 0))
++	return (XpmFileInvalid);
+ 
+     if ((height > 0 && width >= UINT_MAX / height) ||
+ 	width * height >= UINT_MAX / sizeof(unsigned int))
+@@ -464,7 +471,11 @@ ParsePixels(
+ 		colidx[(unsigned char)colorTable[a].string[0]] = a + 1;
+ 
+ 	    for (y = 0; y < height; y++) {
+-		xpmNextString(data);
++		ErrorStatus = xpmNextString(data);
++		if (ErrorStatus != XpmSuccess) {
++		    XpmFree(iptr2);
++		    return (ErrorStatus);
++		}
+ 		for (x = 0; x < width; x++, iptr++) {
+ 		    int c = xpmGetC(data);
+ 
+@@ -511,7 +522,11 @@ do \
+ 	    }
+ 
+ 	    for (y = 0; y < height; y++) {
+-		xpmNextString(data);
++		ErrorStatus = xpmNextString(data);
++		if (ErrorStatus != XpmSuccess) {
++		    XpmFree(iptr2);
++		    return (ErrorStatus);
++		}
+ 		for (x = 0; x < width; x++, iptr++) {
+ 		    int cc1 = xpmGetC(data);
+ 		    if (cc1 > 0 && cc1 < 256) {
+@@ -551,7 +566,11 @@ do \
+ 		xpmHashAtom *slot;
+ 
+ 		for (y = 0; y < height; y++) {
+-		    xpmNextString(data);
++		    ErrorStatus = xpmNextString(data);
++		    if (ErrorStatus != XpmSuccess) {
++			XpmFree(iptr2);
++			return (ErrorStatus);
++		    }
+ 		    for (x = 0; x < width; x++, iptr++) {
+ 			for (a = 0, s = buf; a < cpp; a++, s++) {
+ 			    int c = xpmGetC(data);
+@@ -571,7 +590,11 @@ do \
+ 		}
+ 	    } else {
+ 		for (y = 0; y < height; y++) {
+-		    xpmNextString(data);
++		    ErrorStatus = xpmNextString(data);
++		    if (ErrorStatus != XpmSuccess) {
++			XpmFree(iptr2);
++			return (ErrorStatus);
++		    }
+ 		    for (x = 0; x < width; x++, iptr++) {
+ 			for (a = 0, s = buf; a < cpp; a++, s++) {
+ 			    int c = xpmGetC(data);
+-- 
+2.15.2
+

U_0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch

@@ -0,0 +1,141 @@
+From 082a080672c3b8a964aa8100bee41930e12b03fa Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 6 Jan 2023 12:50:48 -0800
+Subject: [PATCH libXpm 5/5] Fix CVE-2022-4883: compression commands depend on
+ $PATH
+
+By default, on all platforms except MinGW, libXpm will detect if a
+filename ends in .Z or .gz, and will when reading such a file fork off
+an uncompress or gunzip command to read from via a pipe, and when
+writing such a file will fork off a compress or gzip command to write
+to via a pipe.
+
+In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH
+to find the commands.  If libXpm is called from a program running with
+raised privileges, such as via setuid, then a malicious user could set
+$PATH to include programs of their choosing to be run with those
+privileges.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ README.md    | 12 ++++++++++++
+ configure.ac | 14 ++++++++++++++
+ src/RdFToI.c | 17 ++++++++++++++---
+ src/WrFFrI.c |  4 ++--
+ 4 files changed, 42 insertions(+), 5 deletions(-)
+
+Index: libXpm-3.5.14/README.md
+===================================================================
+--- libXpm-3.5.14.orig/README.md
++++ libXpm-3.5.14/README.md
+@@ -31,3 +31,15 @@ if it can't find the file it was asked t
+ --enable-open-zfile feature to open the file, and is enabled by default
+ when --enable-open-zfile is enabled, and can be disabled by passing the
+ --disable-stat-zfile flag to the configure script.
++
++All of these commands will be executed with whatever userid & privileges the
++function is called with, relying on the caller to ensure the correct euid,
++egid, etc. are set before calling.
++
++To reduce risk, the paths to these commands are now set at configure time to
++the first version found in the PATH used to run configure, and do not depend
++on the PATH environment variable set at runtime.
++
++To specify paths to be used for these commands instead of searching $PATH, pass
++the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, XPM_PATH_GZIP, and XPM_PATH_GUNZIP
++variables to the configure command.
+Index: libXpm-3.5.14/configure.ac
+===================================================================
+--- libXpm-3.5.14.orig/configure.ac
++++ libXpm-3.5.14/configure.ac
+@@ -49,6 +49,14 @@ if test "x$USE_GETTEXT" = "xyes" ; then
+ fi
+ AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes")
+ 
++dnl Helper macro to find absolute path to program and add a #define for it
++AC_DEFUN([XPM_PATH_PROG],[
++AC_PATH_PROG([$1], [$2], [])
++AS_IF([test "x$$1" = "x"],
++      [AC_MSG_ERROR([$2 not found, set $1 or use --disable-open-zfile])])
++AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path to $2])
++]) dnl End of AC_DEFUN([XPM_PATH_PROG]...
++
+ # Optional feature: When a filename ending in .Z or .gz is requested,
+ # open a pipe to a newly forked compress/uncompress/gzip/gunzip command to
+ # handle it.
+@@ -64,6 +72,11 @@ AC_ARG_ENABLE(open-zfile,
+ AC_MSG_RESULT([$OPEN_ZFILE])
+ if test x$OPEN_ZFILE = xno ; then
+         AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes])
++else
++        XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress])
++        XPM_PATH_PROG([XPM_PATH_GZIP], [gzip])
++        XPM_PATH_PROG([XPM_PATH_GUNZIP], [gunzip])
++        AC_CHECK_FUNCS([closefrom close_range], [break])
+ fi
+ 
+ # Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz
+Index: libXpm-3.5.14/src/RdFToI.c
+===================================================================
+--- libXpm-3.5.14.orig/src/RdFToI.c
++++ libXpm-3.5.14/src/RdFToI.c
+@@ -43,6 +43,7 @@
+ #include <errno.h>
+ #include <sys/types.h>
+ #include <sys/wait.h>
++#include <unistd.h>
+ #else
+ #ifdef FOR_MSW
+ #include <fcntl.h>
+@@ -161,7 +162,17 @@ xpmPipeThrough(
+ 	    goto err;
+ 	if ( 0 == pid )
+ 	{
+-	    execlp(cmd, cmd, arg1, (char *)NULL);
++#ifdef HAVE_CLOSEFROM
++	    closefrom(3);
++#elif defined(HAVE_CLOSE_RANGE)
++# ifdef CLOSE_RANGE_UNSHARE
++#  define close_range_flags CLOSE_RANGE_UNSHARE
++# else
++#  define close_range_flags 0
++#endif
++	    close_range(3, ~0U, close_range_flags);
++#endif
++	    execl(cmd, cmd, arg1, (char *)NULL);
+ 	    perror(cmd);
+ 	    goto err;
+ 	}
+@@ -235,12 +246,12 @@ OpenReadFile(
+ 	if ( ext && !strcmp(ext, ".Z") )
+ 	{
+ 	    mdata->type = XPMPIPE;
+-	    mdata->stream.file = xpmPipeThrough(fd, "uncompress", "-c", "r");
++	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_UNCOMPRESS, "-c", "r");
+ 	}
+ 	else if ( ext && !strcmp(ext, ".gz") )
+ 	{
+ 	    mdata->type = XPMPIPE;
+-	    mdata->stream.file = xpmPipeThrough(fd, "gunzip", "-qc", "r");
++	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GUNZIP, "-qc", "r");
+ 	}
+ 	else
+ #endif /* z-files */
+Index: libXpm-3.5.14/src/WrFFrI.c
+===================================================================
+--- libXpm-3.5.14.orig/src/WrFFrI.c
++++ libXpm-3.5.14/src/WrFFrI.c
+@@ -342,10 +342,10 @@ OpenWriteFile(
+ #ifndef NO_ZPIPE
+ 	len = strlen(filename);
+ 	if (len > 2 && !strcmp(".Z", filename + (len - 2))) {
+-	    mdata->stream.file = xpmPipeThrough(fd, "compress", NULL, "w");
+-	    mdata->type = XPMPIPE;
++	    /* No compress program available (any longer?) on Linux */
++	    mdata->stream.file = NULL;
+ 	} else if (len > 3 && !strcmp(".gz", filename + (len - 3))) {
+-	    mdata->stream.file = xpmPipeThrough(fd, "gzip", "-q", "w");
++	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-q", "w");
+ 	    mdata->type = XPMPIPE;
+ 	} else
+ #endif

U_regression-bug1207029_1207030_1207031.patch

@@ -0,0 +1,24 @@
+@@ -, +, @@ 
+---
+ src/create.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+--- a/src/create.c	
++++ a/src/create.c	
+@@ -994,11 +994,15 @@ CreateXImage(
+ #if !defined(FOR_MSW) && !defined(AMIGA)
+     if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) {
+ 	XDestroyImage(*image_return);
++	*image_return = NULL;
+ 	return XpmNoMemory;
+     }
+     /* now that bytes_per_line must have been set properly alloc data */
+-    if((*image_return)->bytes_per_line == 0 ||  height == 0)
++    if((*image_return)->bytes_per_line == 0 ||  height == 0) {
++	XDestroyImage(*image_return);
++	*image_return = NULL;
+     	return XpmNoMemory;
++    }
+     (*image_return)->data =
+ 	(char *) XpmMalloc((*image_return)->bytes_per_line * height);
+ 
+-- 

U_regression2-bug1207029_1207030_1207031.patch

@@ -0,0 +1,66 @@
+From 8178eb0834d82242e1edbc7d4fb0d1b397569c68 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 16 Jan 2023 19:44:52 +1000
+Subject: [PATCH libXpm 7/7] Use gzip -d instead of gunzip
+
+GNU gunzip [1] is a shell script that exec's `gzip -d`. Even if we call
+/usr/bin/gunzip with the correct built-in path, the actual gzip call
+will use whichever gzip it finds first, making our patch pointless.
+
+Fix this by explicitly calling gzip -d instead.
+
+https://git.savannah.gnu.org/cgit/gzip.git/tree/gunzip.in
+
+[Part of the fix for CVE-2022-4883]
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ README.md    | 2 +-
+ configure.ac | 3 +--
+ src/RdFToI.c | 2 +-
+ 3 files changed, 3 insertions(+), 4 deletions(-)
+
+Index: libXpm-3.5.14/README.md
+===================================================================
+--- libXpm-3.5.14.orig/README.md
++++ libXpm-3.5.14/README.md
+@@ -41,5 +41,5 @@ the first version found in the PATH used
+ on the PATH environment variable set at runtime.
+ 
+ To specify paths to be used for these commands instead of searching $PATH, pass
+-the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, XPM_PATH_GZIP, and XPM_PATH_GUNZIP
++the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, and XPM_PATH_GZIP
+ variables to the configure command.
+Index: libXpm-3.5.14/configure.ac
+===================================================================
+--- libXpm-3.5.14.orig/configure.ac
++++ libXpm-3.5.14/configure.ac
+@@ -58,7 +58,7 @@ AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path
+ ]) dnl End of AC_DEFUN([XPM_PATH_PROG]...
+ 
+ # Optional feature: When a filename ending in .Z or .gz is requested,
+-# open a pipe to a newly forked compress/uncompress/gzip/gunzip command to
++# open a pipe to a newly forked compress/uncompress/gzip command to
+ # handle it.
+ AC_MSG_CHECKING([whether to handle compressed pixmaps])
+ case $host_os in
+@@ -75,7 +75,6 @@ if test x$OPEN_ZFILE = xno ; then
+ else
+         XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress])
+         XPM_PATH_PROG([XPM_PATH_GZIP], [gzip])
+-        XPM_PATH_PROG([XPM_PATH_GUNZIP], [gunzip])
+         AC_CHECK_FUNCS([closefrom close_range], [break])
+ fi
+ 
+Index: libXpm-3.5.14/src/RdFToI.c
+===================================================================
+--- libXpm-3.5.14.orig/src/RdFToI.c
++++ libXpm-3.5.14/src/RdFToI.c
+@@ -251,7 +251,7 @@ OpenReadFile(
+ 	else if ( ext && !strcmp(ext, ".gz") )
+ 	{
+ 	    mdata->type = XPMPIPE;
+-	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GUNZIP, "-qc", "r");
++	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-dqc", "r");
+ 	}
+ 	else
+ #endif /* z-files */

libXpm.changes

@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Wed Jan 11 13:49:26 UTC 2023 - Stefan Dirsch <sndirsch@suse.com>
+
+- U_0001-configure-add-disable-open-zfile-instead-of-requirin.patch
+  * needed by U_0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
+- U_0002-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch
+  * libXpm: Infinite loop on unclosed comments (CVE-2022-46285, 
+    bsc#1207029)
+- U_0004-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch
+  * libXpm: Runaway loop on width of 0 and enormous height 
+    (CVE-2022-44617, bsc#1207030)
+- U_0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
+  * libXpm: compression commands depend on $PATH (CVE-2022-4883,
+    bsc#1207031)
+- U_regression-bug1207029_1207030_1207031.patch
+  * regression fix for above patches
+- U_regression2-bug1207029_1207030_1207031.patch
+  * second regression fix: Use gzip -d instead of gunzip
+
 -------------------------------------------------------------------
 Sun Nov 20 22:52:35 UTC 2022 - Stefan Dirsch <sndirsch@suse.com>
 

libXpm.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libXpm
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,9 +29,19 @@ URL:            http://xorg.freedesktop.org/
 #Git-Web:	http://cgit.freedesktop.org/xorg/lib/libXpm/
 Source:         http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.xz
 Source1:        baselibs.conf
+Patch1207001:   U_0001-configure-add-disable-open-zfile-instead-of-requirin.patch
+Patch1207029:   U_0002-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch
+Patch1207030:   U_0004-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch
+Patch1207031:   U_0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
+Patch1207129:   U_regression-bug1207029_1207030_1207031.patch
+Patch1207130:   U_regression2-bug1207029_1207030_1207031.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 #git#BuildRequires:	autoconf >= 2.60, automake, libtool
 BuildRequires:  pkgconfig
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  gzip
+BuildRequires:  libtool
 BuildRequires:  pkgconfig(x11)
 BuildRequires:  pkgconfig(xext)
 BuildRequires:  pkgconfig(xextproto)
@@ -80,8 +90,15 @@ regard to its format.
 
 %prep
 %setup -q
+%patch1207001 -p1
+%patch1207029 -p1
+%patch1207030 -p1
+%patch1207031 -p1
+%patch1207129 -p1
+%patch1207130 -p1
 
 %build
+autoreconf -fi
 %configure --disable-static
 make %{?_smp_mflags}