
Accepting request 1077087 from X11:XOrg

- n_no-compress-on-sle.patch
  * we can't handle .Z files, since we don't have ncompress package
    on SLE; so disable this feature as before (bsc#1207031)
- BuildRequires
  * removed again ncompress
  * added again autoconf, automake, libtool
- run again autoreconf due to patch above

- update to 3.5.15:  
  * Use gzip -d instead of gunzip
  * Prevent a double free in the error code path
  * Fix CVE-2022-4883: compression commands depend on $PATH
  * Fix CVE-2022-44617: Runaway loop with width of 0 and enormous height
  * test: add test cases for CVE-2022-44617 (zero-width w/enormous height)
  * Fix CVE-2022-46285: Infinite loop on unclosed comments
  * test: add test case for CVE-2022-46285 (unclosed comments)
  * cxpm: getc/ungetc wrappers should not adjust position when c == EOF
  * test: Add unit tests using glib framework
  * configure: add --disable-open-zfile instead of requiring -DNO_ZPIPE
  * man pages: Apply standard man page style/formatting
  * man pages: Replace "See Also" entries with more useful ones
  * man pages: Fix typos and other minor editing
- drop U_0001-configure-add-disable-open-zfile-instead-of-requirin.patch,
      U_0002-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch,
      U_0004-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch,
      U_0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch,
      U_regression-bug1207029_1207030_1207031.patch,
      U_regression2-bug1207029_1207030_1207031.patch: upstream
- switch urls to https
- spec file cleanups

OBS-URL: https://build.opensuse.org/request/show/1077087
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libXpm?expand=0&rev=13
Dominique Leuenberger 2023-04-06 13:55:34 +00:00 committed by Git OBS Bridge
commit aa7da3731e
13 changed files with 208 additions and 566 deletions


@ -1,95 +0,0 @@
From 4841039e5385f264d12757903894f47c64f59361 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Thu, 5 Jan 2023 15:42:36 -0800
Subject: [PATCH] configure: add --disable-open-zfile instead of requiring
-DNO_ZPIPE
Documents the two compression options in the README, makes their
configure options reflect the interdependency of their implementation,
and makes the configure script report their configuration.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
README.md | 15 +++++++++++++++
configure.ac | 36 +++++++++++++++++++++++-------------
2 files changed, 38 insertions(+), 13 deletions(-)
diff --git a/README.md b/README.md
index adc83c8..7895350 100644
--- a/README.md
+++ b/README.md
@@ -16,3 +16,18 @@ For patch submission instructions, see:
https://www.x.org/wiki/Development/Documentation/SubmittingPatches
+------------------------------------------------------------------------------
+
+libXpm supports two optional features to handle compressed pixmap files.
+
+--enable-open-zfile makes libXpm recognize file names ending in .Z and .gz
+and open a pipe to the appropriate command to compress the file when writing
+and uncompress the file when reading. This is enabled by default on platforms
+other than MinGW and can be disabled by passing the --disable-open-zfile flag
+to the configure script.
+
+--enable-stat-zfile make libXpm search for a file name with .Z or .gz added
+if it can't find the file it was asked to open. It relies on the
+--enable-open-zfile feature to open the file, and is enabled by default
+when --enable-open-zfile is enabled, and can be disabled by passing the
+--disable-stat-zfile flag to the configure script.
diff --git a/configure.ac b/configure.ac
index 789a96e..1b64830 100644
--- a/configure.ac
+++ b/configure.ac
@@ -49,25 +49,35 @@ if test "x$USE_GETTEXT" = "xyes" ; then
fi
AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes")
+# Optional feature: When a filename ending in .Z or .gz is requested,
+# open a pipe to a newly forked compress/uncompress/gzip/gunzip command to
+# handle it.
+AC_MSG_CHECKING([whether to handle compressed pixmaps])
+case $host_os in
+ *mingw*) zpipe_default="no" ;;
+ *) zpipe_default="yes" ;;
+esac
+AC_ARG_ENABLE(open-zfile,
+ AS_HELP_STRING([--enable-open-zfile],
+ [Search for files with .Z & .gz extensions automatically @<:@default=auto@:>@]),
+ [OPEN_ZFILE=$enableval], [OPEN_ZFILE=yes])
+AC_MSG_RESULT([$OPEN_ZFILE])
+if test x$OPEN_ZFILE = xno ; then
+ AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes])
+fi
+
# Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz
# Replaces ZFILEDEF = -DSTAT_ZFILE in old Imakefile
+AC_MSG_CHECKING([whether to search for compressed pixmaps])
AC_ARG_ENABLE(stat-zfile,
- AS_HELP_STRING([--enable-stat-zfile],
- [Search for files with .Z & .gz extensions automatically @<:@default=yes@:>@]),
- [STAT_ZFILE=$enableval], [STAT_ZFILE=yes])
+ AS_HELP_STRING([--enable-stat-zfile],
+ [Search for files with .Z & .gz extensions automatically @<:@default=auto@:>@]),
+ [STAT_ZFILE=$enableval], [STAT_ZFILE=$OPEN_ZFILE])
+AC_MSG_RESULT([$STAT_ZFILE])
if test x$STAT_ZFILE = xyes ; then
- AC_DEFINE(STAT_ZFILE, 1, [Define to 1 to automatically look for files with .Z & .gz extensions])
+ AC_DEFINE(STAT_ZFILE, 1, [Define to 1 to automatically look for files with .Z & .gz extensions])
fi
-
-case $host_os in
- *mingw*)
- AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes])
- ;;
- *)
- ;;
-esac
-
AC_CONFIG_FILES([Makefile
doc/Makefile
include/Makefile
--
2.35.3


@ -1,37 +0,0 @@
From 4636007dd4cebca8ee10738a7833f629d8687529 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 17 Dec 2022 12:23:45 -0800
Subject: [PATCH libXpm 2/5] Fix CVE-2022-46285: Infinite loop on unclosed
comments
When reading XPM images from a file with libXpm 3.5.14 or older, if a
comment in the file is not closed (i.e. a C-style comment starts with
"/*" and is missing the closing "*/"), the ParseComment() function will
loop forever calling getc() to try to read the rest of the comment,
failing to notice that it has returned EOF, which may cause a denial of
service to the calling program.
Reported-by: Marco Ivaldi <raptor@0xdeadbeef.info>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/data.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/data.c b/src/data.c
index 898889c..bfad4ff 100644
--- a/src/data.c
+++ b/src/data.c
@@ -174,6 +174,10 @@ ParseComment(xpmData *data)
notend = 0;
Ungetc(data, *s, file);
}
+ else if (c == EOF) {
+ /* hit end of file before the end of the comment */
+ return XpmFileInvalid;
+ }
}
return 0;
}
--
2.15.2


@ -1,151 +0,0 @@
From 198839ca64dc117b35339f38c83d483ab6b561b6 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 7 Jan 2023 12:44:28 -0800
Subject: [PATCH libXpm 4/5] Fix CVE-2022-44617: Runaway loop with width of 0
and enormous height
When reading XPM images from a file with libXpm 3.5.14 or older, if a
image has a width of 0 and a very large height, the ParsePixels() function
will loop over the entire height calling getc() and ungetc() repeatedly,
or in some circumstances, may loop seemingly forever, which may cause a
denial of service to the calling program when given a small crafted XPM
file to parse.
Closes: #2
Reported-by: Martin Ettl <ettl.martin78@googlemail.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/data.c | 20 ++++++++++++++------
src/parse.c | 31 +++++++++++++++++++++++++++----
2 files changed, 41 insertions(+), 10 deletions(-)
diff --git a/src/data.c b/src/data.c
index bfad4ff..7524e65 100644
--- a/src/data.c
+++ b/src/data.c
@@ -195,19 +195,23 @@ xpmNextString(xpmData *data)
register char c;
/* get to the end of the current string */
- if (data->Eos)
- while ((c = *data->cptr++) && c != data->Eos);
+ if (data->Eos) {
+ while ((c = *data->cptr++) && c != data->Eos && c != '\0');
+
+ if (c == '\0')
+ return XpmFileInvalid;
+ }
/*
* then get to the beginning of the next string looking for possible
* comment
*/
if (data->Bos) {
- while ((c = *data->cptr++) && c != data->Bos)
+ while ((c = *data->cptr++) && c != data->Bos && c != '\0')
if (data->Bcmt && c == data->Bcmt[0])
ParseComment(data);
} else if (data->Bcmt) { /* XPM2 natural */
- while ((c = *data->cptr++) == data->Bcmt[0])
+ while (((c = *data->cptr++) == data->Bcmt[0]) && c != '\0')
ParseComment(data);
data->cptr--;
}
@@ -216,9 +220,13 @@ xpmNextString(xpmData *data)
FILE *file = data->stream.file;
/* get to the end of the current string */
- if (data->Eos)
+ if (data->Eos) {
while ((c = Getc(data, file)) != data->Eos && c != EOF);
+ if (c == EOF)
+ return XpmFileInvalid;
+ }
+
/*
* then get to the beginning of the next string looking for possible
* comment
@@ -234,7 +242,7 @@ xpmNextString(xpmData *data)
Ungetc(data, c, file);
}
}
- return 0;
+ return XpmSuccess;
}
diff --git a/src/parse.c b/src/parse.c
index 037fc66..64f51ba 100644
--- a/src/parse.c
+++ b/src/parse.c
@@ -427,6 +427,13 @@ ParsePixels(
{
unsigned int *iptr, *iptr2 = NULL; /* found by Egbert Eich */
unsigned int a, x, y;
+ int ErrorStatus;
+
+ if ((width == 0) && (height != 0))
+ return (XpmFileInvalid);
+
+ if ((height == 0) && (width != 0))
+ return (XpmFileInvalid);
if ((height > 0 && width >= UINT_MAX / height) ||
width * height >= UINT_MAX / sizeof(unsigned int))
@@ -464,7 +471,11 @@ ParsePixels(
colidx[(unsigned char)colorTable[a].string[0]] = a + 1;
for (y = 0; y < height; y++) {
- xpmNextString(data);
+ ErrorStatus = xpmNextString(data);
+ if (ErrorStatus != XpmSuccess) {
+ XpmFree(iptr2);
+ return (ErrorStatus);
+ }
for (x = 0; x < width; x++, iptr++) {
int c = xpmGetC(data);
@@ -511,7 +522,11 @@ do \
}
for (y = 0; y < height; y++) {
- xpmNextString(data);
+ ErrorStatus = xpmNextString(data);
+ if (ErrorStatus != XpmSuccess) {
+ XpmFree(iptr2);
+ return (ErrorStatus);
+ }
for (x = 0; x < width; x++, iptr++) {
int cc1 = xpmGetC(data);
if (cc1 > 0 && cc1 < 256) {
@@ -551,7 +566,11 @@ do \
xpmHashAtom *slot;
for (y = 0; y < height; y++) {
- xpmNextString(data);
+ ErrorStatus = xpmNextString(data);
+ if (ErrorStatus != XpmSuccess) {
+ XpmFree(iptr2);
+ return (ErrorStatus);
+ }
for (x = 0; x < width; x++, iptr++) {
for (a = 0, s = buf; a < cpp; a++, s++) {
int c = xpmGetC(data);
@@ -571,7 +590,11 @@ do \
}
} else {
for (y = 0; y < height; y++) {
- xpmNextString(data);
+ ErrorStatus = xpmNextString(data);
+ if (ErrorStatus != XpmSuccess) {
+ XpmFree(iptr2);
+ return (ErrorStatus);
+ }
for (x = 0; x < width; x++, iptr++) {
for (a = 0, s = buf; a < cpp; a++, s++) {
int c = xpmGetC(data);
--
2.15.2


@ -1,141 +0,0 @@
From 082a080672c3b8a964aa8100bee41930e12b03fa Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 6 Jan 2023 12:50:48 -0800
Subject: [PATCH libXpm 5/5] Fix CVE-2022-4883: compression commands depend on
$PATH
By default, on all platforms except MinGW, libXpm will detect if a
filename ends in .Z or .gz, and will when reading such a file fork off
an uncompress or gunzip command to read from via a pipe, and when
writing such a file will fork off a compress or gzip command to write
to via a pipe.
In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH
to find the commands. If libXpm is called from a program running with
raised privileges, such as via setuid, then a malicious user could set
$PATH to include programs of their choosing to be run with those
privileges.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
README.md | 12 ++++++++++++
configure.ac | 14 ++++++++++++++
src/RdFToI.c | 17 ++++++++++++++---
src/WrFFrI.c | 4 ++--
4 files changed, 42 insertions(+), 5 deletions(-)
Index: libXpm-3.5.14/README.md
===================================================================
--- libXpm-3.5.14.orig/README.md
+++ libXpm-3.5.14/README.md
@@ -31,3 +31,15 @@ if it can't find the file it was asked t
--enable-open-zfile feature to open the file, and is enabled by default
when --enable-open-zfile is enabled, and can be disabled by passing the
--disable-stat-zfile flag to the configure script.
+
+All of these commands will be executed with whatever userid & privileges the
+function is called with, relying on the caller to ensure the correct euid,
+egid, etc. are set before calling.
+
+To reduce risk, the paths to these commands are now set at configure time to
+the first version found in the PATH used to run configure, and do not depend
+on the PATH environment variable set at runtime.
+
+To specify paths to be used for these commands instead of searching $PATH, pass
+the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, XPM_PATH_GZIP, and XPM_PATH_GUNZIP
+variables to the configure command.
Index: libXpm-3.5.14/configure.ac
===================================================================
--- libXpm-3.5.14.orig/configure.ac
+++ libXpm-3.5.14/configure.ac
@@ -49,6 +49,14 @@ if test "x$USE_GETTEXT" = "xyes" ; then
fi
AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes")
+dnl Helper macro to find absolute path to program and add a #define for it
+AC_DEFUN([XPM_PATH_PROG],[
+AC_PATH_PROG([$1], [$2], [])
+AS_IF([test "x$$1" = "x"],
+ [AC_MSG_ERROR([$2 not found, set $1 or use --disable-open-zfile])])
+AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path to $2])
+]) dnl End of AC_DEFUN([XPM_PATH_PROG]...
+
# Optional feature: When a filename ending in .Z or .gz is requested,
# open a pipe to a newly forked compress/uncompress/gzip/gunzip command to
# handle it.
@@ -64,6 +72,11 @@ AC_ARG_ENABLE(open-zfile,
AC_MSG_RESULT([$OPEN_ZFILE])
if test x$OPEN_ZFILE = xno ; then
AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes])
+else
+ XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress])
+ XPM_PATH_PROG([XPM_PATH_GZIP], [gzip])
+ XPM_PATH_PROG([XPM_PATH_GUNZIP], [gunzip])
+ AC_CHECK_FUNCS([closefrom close_range], [break])
fi
# Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz
Index: libXpm-3.5.14/src/RdFToI.c
===================================================================
--- libXpm-3.5.14.orig/src/RdFToI.c
+++ libXpm-3.5.14/src/RdFToI.c
@@ -43,6 +43,7 @@
#include <errno.h>
#include <sys/types.h>
#include <sys/wait.h>
+#include <unistd.h>
#else
#ifdef FOR_MSW
#include <fcntl.h>
@@ -161,7 +162,17 @@ xpmPipeThrough(
goto err;
if ( 0 == pid )
{
- execlp(cmd, cmd, arg1, (char *)NULL);
+#ifdef HAVE_CLOSEFROM
+ closefrom(3);
+#elif defined(HAVE_CLOSE_RANGE)
+# ifdef CLOSE_RANGE_UNSHARE
+# define close_range_flags CLOSE_RANGE_UNSHARE
+# else
+# define close_range_flags 0
+#endif
+ close_range(3, ~0U, close_range_flags);
+#endif
+ execl(cmd, cmd, arg1, (char *)NULL);
perror(cmd);
goto err;
}
@@ -235,12 +246,12 @@ OpenReadFile(
if ( ext && !strcmp(ext, ".Z") )
{
mdata->type = XPMPIPE;
- mdata->stream.file = xpmPipeThrough(fd, "uncompress", "-c", "r");
+ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_UNCOMPRESS, "-c", "r");
}
else if ( ext && !strcmp(ext, ".gz") )
{
mdata->type = XPMPIPE;
- mdata->stream.file = xpmPipeThrough(fd, "gunzip", "-qc", "r");
+ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GUNZIP, "-qc", "r");
}
else
#endif /* z-files */
Index: libXpm-3.5.14/src/WrFFrI.c
===================================================================
--- libXpm-3.5.14.orig/src/WrFFrI.c
+++ libXpm-3.5.14/src/WrFFrI.c
@@ -342,10 +342,10 @@ OpenWriteFile(
#ifndef NO_ZPIPE
len = strlen(filename);
if (len > 2 && !strcmp(".Z", filename + (len - 2))) {
- mdata->stream.file = xpmPipeThrough(fd, "compress", NULL, "w");
- mdata->type = XPMPIPE;
+ /* No compress program available (any longer?) on Linux */
+ mdata->stream.file = NULL;
} else if (len > 3 && !strcmp(".gz", filename + (len - 3))) {
- mdata->stream.file = xpmPipeThrough(fd, "gzip", "-q", "w");
+ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-q", "w");
mdata->type = XPMPIPE;
} else
#endif


@ -1,24 +0,0 @@
@@ -, +, @@
---
src/create.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/src/create.c
+++ a/src/create.c
@@ -994,11 +994,15 @@ CreateXImage(
#if !defined(FOR_MSW) && !defined(AMIGA)
if (height != 0 && (*image_return)->bytes_per_line >= INT_MAX / height) {
XDestroyImage(*image_return);
+ *image_return = NULL;
return XpmNoMemory;
}
/* now that bytes_per_line must have been set properly alloc data */
- if((*image_return)->bytes_per_line == 0 || height == 0)
+ if((*image_return)->bytes_per_line == 0 || height == 0) {
+ XDestroyImage(*image_return);
+ *image_return = NULL;
return XpmNoMemory;
+ }
(*image_return)->data =
(char *) XpmMalloc((*image_return)->bytes_per_line * height);
--


@ -1,66 +0,0 @@
From 8178eb0834d82242e1edbc7d4fb0d1b397569c68 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 16 Jan 2023 19:44:52 +1000
Subject: [PATCH libXpm 7/7] Use gzip -d instead of gunzip
GNU gunzip [1] is a shell script that exec's `gzip -d`. Even if we call
/usr/bin/gunzip with the correct built-in path, the actual gzip call
will use whichever gzip it finds first, making our patch pointless.
Fix this by explicitly calling gzip -d instead.
https://git.savannah.gnu.org/cgit/gzip.git/tree/gunzip.in
[Part of the fix for CVE-2022-4883]
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
---
README.md | 2 +-
configure.ac | 3 +--
src/RdFToI.c | 2 +-
3 files changed, 3 insertions(+), 4 deletions(-)
Index: libXpm-3.5.14/README.md
===================================================================
--- libXpm-3.5.14.orig/README.md
+++ libXpm-3.5.14/README.md
@@ -41,5 +41,5 @@ the first version found in the PATH used
on the PATH environment variable set at runtime.
To specify paths to be used for these commands instead of searching $PATH, pass
-the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, XPM_PATH_GZIP, and XPM_PATH_GUNZIP
+the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, and XPM_PATH_GZIP
variables to the configure command.
Index: libXpm-3.5.14/configure.ac
===================================================================
--- libXpm-3.5.14.orig/configure.ac
+++ libXpm-3.5.14/configure.ac
@@ -58,7 +58,7 @@ AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path
]) dnl End of AC_DEFUN([XPM_PATH_PROG]...
# Optional feature: When a filename ending in .Z or .gz is requested,
-# open a pipe to a newly forked compress/uncompress/gzip/gunzip command to
+# open a pipe to a newly forked compress/uncompress/gzip command to
# handle it.
AC_MSG_CHECKING([whether to handle compressed pixmaps])
case $host_os in
@@ -75,7 +75,6 @@ if test x$OPEN_ZFILE = xno ; then
else
XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress])
XPM_PATH_PROG([XPM_PATH_GZIP], [gzip])
- XPM_PATH_PROG([XPM_PATH_GUNZIP], [gunzip])
AC_CHECK_FUNCS([closefrom close_range], [break])
fi
Index: libXpm-3.5.14/src/RdFToI.c
===================================================================
--- libXpm-3.5.14.orig/src/RdFToI.c
+++ libXpm-3.5.14/src/RdFToI.c
@@ -251,7 +251,7 @@ OpenReadFile(
else if ( ext && !strcmp(ext, ".gz") )
{
mdata->type = XPMPIPE;
- mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GUNZIP, "-qc", "r");
+ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-dqc", "r");
}
else
#endif /* z-files */


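--- a/libXpm-3.5.14.tar.xz
+++ b/libXpm-3.5.14.tar.xz
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f7eb8f69c039281def8258ae6859adb5f050fbe161ab3d6a2d6ef109a603eac2
-size 392624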

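--- a/libXpm-3.5.15.tar.xz
+++ b/libXpm-3.5.15.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:60bb906c5c317a6db863e39b69c4a83fdbd2ae2154fcf47640f8fefc9fdfd1c1
+size 459140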

libXpm-3.5.15.tar.xz.sig Normal file



@ -1,3 +1,41 @@
-------------------------------------------------------------------
Mon Apr 3 20:27:28 UTC 2023 - Stefan Dirsch <sndirsch@suse.com>
- n_no-compress-on-sle.patch
* we can't handle .Z files, since we don't have ncompress package
on SLE; so disable this feature as before (bsc#1207031)
- BuildRequires
* removed again ncompress
* added again autoconf, automake, libtool
- run again autoreconf due to patch above
-------------------------------------------------------------------
Mon Apr 3 19:01:52 UTC 2023 - Dirk Müller <dmueller@suse.com>
- update to 3.5.15:
* Use gzip -d instead of gunzip
* Prevent a double free in the error code path
* Fix CVE-2022-4883: compression commands depend on $PATH
* Fix CVE-2022-44617: Runaway loop with width of 0 and enormous height
* test: add test cases for CVE-2022-44617 (zero-width w/enormous height)
* Fix CVE-2022-46285: Infinite loop on unclosed comments
* test: add test case for CVE-2022-46285 (unclosed comments)
* cxpm: getc/ungetc wrappers should not adjust position when c == EOF
* test: Add unit tests using glib framework
* configure: add --disable-open-zfile instead of requiring -DNO_ZPIPE
* man pages: Apply standard man page style/formatting
* man pages: Replace "See Also" entries with more useful ones
* man pages: Fix typos and other minor editing
- drop U_0001-configure-add-disable-open-zfile-instead-of-requirin.patch,
U_0002-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch,
U_0004-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch,
U_0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch,
U_regression-bug1207029_1207030_1207031.patch
U_regression2-bug1207029_1207030_1207031.patch: upstream
- switch urls to https
- spec file cleanups
- add gpg keyring validation
-------------------------------------------------------------------
Wed Jan 11 13:49:26 UTC 2023 - Stefan Dirsch <sndirsch@suse.com>

libXpm.keyring Normal file

@ -0,0 +1,107 @@
pub 1024D/1F2D130E 2007-07-16 [expires: 2018-04-25]
uid [ unknown] Alan Coopersmith <alan.coopersmith@oracle.com>
uid [ unknown] Alan Coopersmith <alanc@freedesktop.org>
uid [ unknown] Alan Coopersmith <alan.coopersmith@sun.com>
sub 2048g/6E6132BD 2007-07-16
sub 4096R/28C642A7 2013-04-26 [expires: 2018-04-25]
pub 3072R/CAAA50B2 2017-10-04
uid [ unknown] Adam Jackson <ajax@nwnk.net>
sub 3072R/AEF6BB88 2017-10-04
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2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==
=aTYk
-----END PGP PUBLIC KEY BLOCK-----
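Review bot: The keyring header lists the primary key `1024D/1F2D130E` and its `4096R/28C642A7` signing subkey as `[expires: 2018-04-25]`, i.e. expired years before the 3.5.15 release this commit verifies. If the exported key material really carries that expiry, gpg reports the tarball signature as made by an expired key (EXPKEYSIG), and verifiers that only check for "good signature" will still pass it, so the new `Source2: libXpm.keyring` adds little assurance against a replaced tarball. The listing may simply be stale relative to the armored block below, but that should be confirmed by re-exporting the key with its current expiry, and the 1024-bit DSA primary is below current key-size recommendations, so make sure the validation step actually relies on the 4096-bit subkey. A one-line note in the changelog stating which key ID is expected to sign upstream releases would make future bumps easier to audit.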


@ -16,32 +16,27 @@
#
Name: libXpm
%define lname libXpm4
Version: 3.5.14
Name: libXpm
Version: 3.5.15
Release: 0
Summary: X Pixmap image file format library
License: MIT
Group: Development/Libraries/C and C++
URL: http://xorg.freedesktop.org/
URL: https://xorg.freedesktop.org/
#Git-Clone: git://anongit.freedesktop.org/xorg/lib/libXpm
#Git-Web: http://cgit.freedesktop.org/xorg/lib/libXpm/
Source: http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.xz
Source1: baselibs.conf
Patch1207001: U_0001-configure-add-disable-open-zfile-instead-of-requirin.patch
Patch1207029: U_0002-Fix-CVE-2022-46285-Infinite-loop-on-unclosed-comment.patch
Patch1207030: U_0004-Fix-CVE-2022-44617-Runaway-loop-with-width-of-0-and-.patch
Patch1207031: U_0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
Patch1207129: U_regression-bug1207029_1207030_1207031.patch
Patch1207130: U_regression2-bug1207029_1207030_1207031.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
#git#BuildRequires: autoconf >= 2.60, automake, libtool
BuildRequires: pkgconfig
Source: https://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.xz
Source1: https://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.xz.sig
Source2: libXpm.keyring
Source9: baselibs.conf
Patch0: n_no-compress-on-sle.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: gzip
BuildRequires: libtool
BuildRequires: pkgconfig
BuildRequires: pkgconfig(x11)
BuildRequires: pkgconfig(xext)
BuildRequires: pkgconfig(xextproto)
@ -53,35 +48,37 @@ BuildRequires: pkgconfig(xt)
libXpm facilitates working with XPM (X PixMap), a format for
storing/retrieving X pixmaps to/from files.
%package -n %lname
%package -n %{lname}
Summary: X Pixmap image file format library
Group: System/Libraries
# Invokes 'uncompress' and 'gzip' at runtim
Requires: gzip
%description -n %lname
%description -n %{lname}
libXpm facilitates working with XPM (X PixMap), a format for
storing/retrieving X pixmaps to/from files.
%package devel
Summary: Development files for the X Pixmap image file format library
Group: Development/Libraries/C and C++
Requires: %lname = %version
Requires: %{lname} = %{version}
# O/P added for 12.2
Provides: xorg-x11-libXpm-devel = 7.6_%version-%release
Obsoletes: xorg-x11-libXpm-devel < 7.6_%version-%release
Provides: xorg-x11-libXpm-devel = 7.6_%{version}-%{release}
Obsoletes: xorg-x11-libXpm-devel < 7.6_%{version}-%{release}
%description devel
libXpm facilitates working with XPM (X PixMap), a format for
storing/retrieving X pixmaps to/from files.
This package contains the development headers for the library found
in %lname.
in %{lname}.
%package tools
Summary: Conversion utilities for X Pixmap (XPM) files
# O/P added for 12.2
Group: Productivity/Graphics/Convertors
Provides: xorg-x11-libXpm = 7.6_%version-%release
Obsoletes: xorg-x11-libXpm < 7.6_%version-%release
Provides: xorg-x11-libXpm = 7.6_%{version}-%{release}
Obsoletes: xorg-x11-libXpm < 7.6_%{version}-%{release}
%description tools
The spxm tool converts XPM1/XPM2 files to XPM version 3.
@ -89,43 +86,33 @@ The cxpm tool will check whether an XPM file is correct or not with
regard to its format.
%prep
%setup -q
%patch1207001 -p1
%patch1207029 -p1
%patch1207030 -p1
%patch1207031 -p1
%patch1207129 -p1
%patch1207130 -p1
%autosetup -p1
%build
autoreconf -fi
%configure --disable-static
make %{?_smp_mflags}
%make_build
%install
make install DESTDIR="%buildroot"
rm -f "%buildroot/%_libdir"/*.la
%make_install
find %{buildroot} -type f -name "*.la" -delete -print
%post -n %lname -p /sbin/ldconfig
%post -n %{lname} -p /sbin/ldconfig
%postun -n %{lname} -p /sbin/ldconfig
%postun -n %lname -p /sbin/ldconfig
%files -n %lname
%defattr(-,root,root)
%_libdir/libXpm.so.4*
%files -n %{lname}
%{_libdir}/libXpm.so.4*
%files devel
%defattr(-,root,root)
%_includedir/X11/*
%_libdir/libXpm.so
%_libdir/pkgconfig/xpm.pc
%_mandir/man3/*.3*
%{_includedir}/X11/*
%{_libdir}/libXpm.so
%{_libdir}/pkgconfig/xpm.pc
%{_mandir}/man3/*.3%{?ext_man}
%files tools
%defattr(-,root,root)
%_bindir/cxpm
%_bindir/sxpm
%_mandir/man1/cxpm.1*
%_mandir/man1/sxpm.1*
%{_bindir}/cxpm
%{_bindir}/sxpm
%{_mandir}/man1/cxpm.1%{?ext_man}
%{_mandir}/man1/sxpm.1%{?ext_man}
%changelog
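Review bot: The new runtime-dependency comment `# Invokes 'uncompress' and 'gzip' at runtim` is truncated and understates what matters: since CVE-2022-4883 the library calls these programs by the absolute paths that AC_PATH_PROG found at configure time, so the `%{lname}` package must guarantee those exact paths exist at runtime, and `Requires: gzip` only covers gzip. Whether `uncompress` is satisfied depends on the gzip package shipping it on openSUSE/SLE; with `BuildRequires: ncompress` dropped and the patched configure.ac still running `XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress])`, the build already presupposes that, but nothing in the spec says so. Suggested replacement: `# Invokes 'uncompress' and 'gzip' at runtime via absolute paths fixed at configure time (both expected from the gzip package)`. Consider also adding a build-time `test -x "$(command -v uncompress)"` guard in %build, or an explicit comment in the changelog, so a future gzip packaging change that drops the `uncompress` link is noticed rather than silently turning `.Z` reads into an exec failure.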


@ -0,0 +1,24 @@
diff -u -r libXpm-3.5.15.orig/configure.ac libXpm-3.5.15/configure.ac
--- libXpm-3.5.15.orig/configure.ac 2023-04-03 22:10:42.223223000 +0200
+++ libXpm-3.5.15/configure.ac 2023-04-03 22:11:35.264112000 +0200
@@ -74,7 +74,6 @@
if test x$OPEN_ZFILE = xno ; then
AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes])
else
- XPM_PATH_PROG([XPM_PATH_COMPRESS], [compress])
XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress])
XPM_PATH_PROG([XPM_PATH_GZIP], [gzip])
AC_CHECK_FUNCS([closefrom close_range], [break])
diff -u -r libXpm-3.5.15.orig/src/WrFFrI.c libXpm-3.5.15/src/WrFFrI.c
--- libXpm-3.5.15.orig/src/WrFFrI.c 2023-04-03 22:10:41.615310000 +0200
+++ libXpm-3.5.15/src/WrFFrI.c 2023-04-03 22:17:45.861160000 +0200
@@ -342,8 +342,7 @@
#ifndef NO_ZPIPE
len = strlen(filename);
if (len > 2 && !strcmp(".Z", filename + (len - 2))) {
- mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_COMPRESS, NULL, "w");
- mdata->type = XPMPIPE;
+ mdata->stream.file = NULL;
} else if (len > 3 && !strcmp(".gz", filename + (len - 3))) {
mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-q", "w");
mdata->type = XPMPIPE;
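Review bot: In the WrFFrI.c hunk the `.Z` branch now sets `mdata->stream.file = NULL` while `fd` — the descriptor the sibling `.gz` branch hands to xpmPipeThrough — is already open, so by the time the caller sees the failure the destination file has presumably been created or truncated (the open happens outside the hunk, so this is inferred from the use of `fd`); a caller treating the open failure as "nothing was written" can be left with an empty `foo.xpm.Z` on disk. Either reject the `.Z` suffix before the descriptor is opened, or at minimum explain the bare NULL with `/* .Z output unsupported: no compress(1) on SLE; caller gets an open failure */` so the next reader does not mistake it for a lost assignment. Note also that the configure.ac hunk removes only `XPM_PATH_COMPRESS` and keeps `XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress])`, so reading `.Z` input stays enabled and configure still hard-fails when no `uncompress` is found — the changelog's "disable this feature" applies to writing only, and the README text about `XPM_PATH_COMPRESS` is left stale. The enclosing OpenWriteFile body starts and ends outside the hunk.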