Bug 151640

Summary: CAN-2005-0605 libxpm issue
Product: [Retired] Fedora Legacy
Reporter: Mark J. Cox <mjc>
Component: lesstif
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED CANTFIX
Severity: medium
Priority: medium
Version: fc3
CC: deisenst, donjr, mattdm, michal
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=moderate, LEGACY, 3, needsbuild
Doc Type: Bug Fix
Last Closed: 2007-04-10 19:15:40 UTC
Bug Blocks: 430520    
Attachments: Proposed updates-testing announcement (flags: none)

Description Mark J. Cox 2005-03-21 11:43:10 UTC
CAN-2005-0605 Probably Affects: FC2
CAN-2005-0605 Probably Affects: FC3

+++ This bug was initially created as a clone of Bug #151639 +++

A potential buffer overflow from the use of unsigned integers has been found in
the XPM processing library of xorg.

https://bugs.freedesktop.org/show_bug.cgi?id=1920

Probably affects RHEL2.1 (not verified)

Comment 1 Fedora Update System 2005-08-26 17:49:25 UTC
From User-Agent: XML-RPC

ntp-4.2.0.a.20040617-5.FC3 has been pushed for FC3, which should resolve this issue.

If these issues are still present in this version, then please re-open this bug.


Comment 2 Fedora Update System 2005-08-26 17:50:04 UTC
From User-Agent: XML-RPC

subversion-1.2.3-2.1 has been pushed for FC4, which should resolve this issue.

If these issues are still present in this version, then please re-open this bug.


Comment 3 Fedora Update System 2005-08-26 17:51:56 UTC
From User-Agent: XML-RPC

lesstif-0.93-36-6.FC3.2 has been pushed for FC3, which should resolve this issue.

If these issues are still present in this version, then please re-open this bug.


Comment 4 Michal Jaegermann 2006-01-11 19:54:07 UTC
lesstif-0.93-36-6.FC3.2 source rpm indeed includes patch4 and patch5 which
should close issues, and %changelog indeed claims so, but in %setup section
of lesstif.spec these two patches are _not_ applied.

Comment 5 David Eisenstein 2006-02-04 09:34:03 UTC
Michal, you work with Fedora Legacy, don't you?  Since you've been in the 
source rpm, have you fixed that issue for your own system(s)?  Would you like
to submit a fixed .src.rpm for review so fixed packages can be released?

Comment 6 Michal Jaegermann 2006-02-04 18:26:05 UTC
As it happens I do not have any FC3 installation with lesstif installed and I do
not have any packages which would directly fit elsewhere as well.  I looked
at source rpm for other reasons.

With FC3 that fix is trivial.  One needs to add in specs two missing '%patch
...'  lines to apply existing patches and recompile.  Other distributions are likely
affected as well.  These can be fixed by recompiling there the same sources
although this will likely cause inconsequential version changes.
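
Added example (not part of the original comments, and not Fedora Legacy's tooling): the defect described in comments 4 and 6, patches declared in the spec but never applied during build preparation, can be caught mechanically before a package is pushed. The sketch below recognises the `%patchN`, `%patch -P N`, `%autosetup` and `%autopatch` forms; the sample spec and its patch file names are constructed placeholders, not the real lesstif.spec.

```python
import re

# "PatchN: file" tag in a package preamble (a bare "Patch:" is patch 0).
DECL = re.compile(r"^patch(\d*)\s*:\s*(\S+)", re.IGNORECASE)
# "%patchN ..." or "%patch -P N ..." inside %prep.
APPLY = re.compile(r"^%patch(\d*)\b(.*)$")
# %autosetup / %autopatch apply every declared patch in one go.
APPLY_ALL = re.compile(r"^%(autosetup|autopatch)\b")
SECTION = re.compile(r"^%(prep|build|install|check|clean|files|changelog|description|package)\b")

def unapplied_patches(spec_text):
    """Return {number: filename} for patches declared but never applied in %prep."""
    declared, applied, section = {}, set(), "preamble"
    for raw in spec_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sec = SECTION.match(line)
        if sec:
            section = sec.group(1)
            continue
        if section in ("preamble", "package"):
            decl = DECL.match(line)
            if decl:
                declared[int(decl.group(1) or 0)] = decl.group(2)
        elif section == "prep":
            if APPLY_ALL.match(line):
                return {}
            app = APPLY.match(line)
            if app:
                nums = re.findall(r"-P\s*(\d+)", app.group(2))
                if app.group(1):
                    nums.append(app.group(1))
                applied.update(int(n) for n in (nums or ["0"]))
    return {n: f for n, f in sorted(declared.items()) if n not in applied}

# Constructed sample spec fragment: patches 4 and 5 are shipped and mentioned
# in the changelog, but %prep never applies them.
BROKEN_SPEC = """\
Name: example
Patch1: example-build.patch
Patch4: example-xpm-fix-a.patch
Patch5: example-xpm-fix-b.patch
%prep
%setup -q
%patch1 -p1
%changelog
- add Patch4 and Patch5 for the XPM overflow
"""
FIXED_SPEC = BROKEN_SPEC.replace("%patch1 -p1\n", "%patch1 -p1\n%patch4 -p1\n%patch -P 5 -p1\n")
```

Running `unapplied_patches()` over the spec text during source QA flags a package whose changelog claims a security fix that the build never compiles in.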

Comment 7 Donald Maner 2006-05-12 19:13:57 UTC
I have created the following SRPM for lesstif:

fc3:
162f165889b931a6e8f0d66a02fab82d4b0ec308
http://lance.maner.org/lesstif-0.93.36-6.FC3.3.legacy.src.rpm

* Fri May 12 2006 Donald Maner <donjr> 0.93.36-6.FC3.3-legacy

- add patches 4 and 5 to actually compile fixes for libXpm (#151640)

Comment 8 David Eisenstein 2006-05-13 23:52:32 UTC
Thanks for submitting the .src.rpm, Donald!

Source QA for lesstif-0.93.36-6.FC3.3.legacy:

162f165889b931a6e8f0d66a02fab82d4b0ec308__lesstif-0.93.36-6.FC3.3.legacy.src.rpm

- sha1sums match
QA w/ rpm-build-compare.sh:
- source integrity is good
- spec file changes minimal
- patches come from previous package where they were not applied.

+PUBLISH FC3


Comment 9 David Eisenstein 2006-06-07 00:45:40 UTC
Created attachment 130648
Proposed updates-testing announcement

Packages are built on the build-server.  They need to be signed and pushed
to updates-testing.  Enclosed is the proposed announcement, which needs to
have sha1sums added.  Hope this helps.

Comment 10 David Lawrence 2006-07-18 03:21:01 UTC
QA_READY has been deprecated in favor of ON_QA. Please use ON_QA in the future.
Moving to ON_QA.

Comment 11 Matthew Miller 2007-04-10 19:15:40 UTC
Fedora Core 3 is now completely unmaintained. These bugs can't be fixed in that
version. If the issue still persists in current Fedora Core, please reopen.
Thank you, and sorry about this.