Bug 152785

Summary: CAN-2004-0687,0688 libXpm stack and integer overflows
Product: [Retired] Fedora Legacy
Reporter: Marc Deslauriers <marc.deslauriers>
Component: Package request
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: deisenst, jpdalbec, rob.myers
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=131121
Whiteboard: 1, LEGACY, QA, rh73, rh90
Doc Type: Bug Fix

Description David Lawrence 2005-03-30 23:27:23 UTC
Chris Evans has discovered a number of stack overflows and an integer
overflow in the X.org libXpm library.  It is not known what all uses
this library for xpm processing; so far we have verified that the gimp
does use it.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=131121
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=131119



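The bug class named in this report (integer overflow when an image header's dimensions feed an allocation size, followed by a buffer overflow on the undersized buffer) is easiest to see with the check that prevents it. The following C program is an added illustration written for this page; it is not code from libXpm, X.org, or any of the packages discussed here, and the header format it parses (the XPM "values" line `<width> <height> <ncolors> <cpp>`), the 32-bit pixel size, the 256 MiB policy limit and the sample lines are all assumptions chosen for the demonstration. It parses the four header fields, refuses signed or zero values, and computes the buffer sizes with explicit overflow checks so that a header such as `4294967295 4294967295 1 1` is rejected before any allocation happens.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Fields of an XPM "values" line (assumed layout for this example). */
typedef struct {
    unsigned long width, height, ncolors, cpp;   /* cpp = chars per pixel */
} xpm_values;

/* Parse one non-negative decimal field; rejects signs, junk and out-of-range values. */
static int parse_field(const char **p, unsigned long *out)
{
    while (**p == ' ' || **p == '\t') (*p)++;
    if (**p < '0' || **p > '9') return -1;       /* refuses "-1", "+3", "" */
    char *end;
    errno = 0;
    unsigned long v = strtoul(*p, &end, 10);
    if (errno == ERANGE) return -1;
    *p = end;
    *out = v;
    return 0;
}

/* Parse the four mandatory fields. Returns 0 on success, -1 on malformed input. */
int xpm_parse_values(const char *line, xpm_values *v)
{
    const char *p = line;
    if (parse_field(&p, &v->width) || parse_field(&p, &v->height) ||
        parse_field(&p, &v->ncolors) || parse_field(&p, &v->cpp))
        return -1;
    /* A zero dimension, zero colours or zero chars-per-pixel describes no image. */
    if (v->width == 0 || v->height == 0 || v->ncolors == 0 || v->cpp == 0)
        return -1;
    return 0;
}

/* a*b into *out, or -1 if the product would wrap size_t. */
static int mul_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a) return -1;
    *out = a * b;
    return 0;
}

/* Bytes for one source row (width*cpp chars plus NUL) and for a width*height
 * array of 32-bit pixels. Refuses headers whose arithmetic wraps or whose
 * total exceeds max_bytes. Returns 0 on success, -1 on rejection. */
int xpm_buffer_sizes(const xpm_values *v, size_t max_bytes,
                     size_t *row_bytes, size_t *pixel_bytes)
{
    size_t row, npix, pixels;
    if (mul_checked((size_t)v->width, (size_t)v->cpp, &row)) return -1;
    if (row == SIZE_MAX) return -1;              /* no room for the terminating NUL */
    row += 1;
    if (mul_checked((size_t)v->width, (size_t)v->height, &npix)) return -1;
    if (mul_checked(npix, sizeof(uint32_t), &pixels)) return -1;
    if (row > max_bytes || pixels > max_bytes || pixels > max_bytes - row) return -1;
    *row_bytes = row;
    *pixel_bytes = pixels;
    return 0;
}

/* 1 if the header line is well-formed and safe to allocate for, else 0. */
int xpm_header_ok(const char *line, size_t max_bytes)
{
    xpm_values v;
    size_t row, pixels;
    if (xpm_parse_values(line, &v)) return 0;
    return xpm_buffer_sizes(&v, max_bytes, &row, &pixels) == 0;
}

/* Pixel buffer size for a header line, or 0 if the header is rejected. */
size_t xpm_pixel_bytes_for(const char *line, size_t max_bytes)
{
    xpm_values v;
    size_t row, pixels;
    if (xpm_parse_values(line, &v)) return 0;
    if (xpm_buffer_sizes(&v, max_bytes, &row, &pixels)) return 0;
    return pixels;
}

int main(void)
{
    /* Constructed header lines for the demonstration, not taken from any real file. */
    const char *samples[] = {
        "16 16 3 1",                    /* ordinary icon */
        "4294967295 4294967295 1 1",    /* width*height*4 wraps size_t on 32- and 64-bit */
        "65536 65536 1 1",              /* 16 GiB of pixels: over the policy limit */
        "-1 16 3 1",                    /* negative field */
        "16 16 3 0",                    /* zero chars per pixel */
    };
    size_t limit = (size_t)256 << 20;   /* assumed 256 MiB limit for a decoded image */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s -> %s\n", samples[i],
               xpm_header_ok(samples[i], limit) ? "accept" : "reject");
    return 0;
}
```

The two-stage check matters: `mul_checked` catches the wrap-around that turns a huge image into a small allocation, and the `max_bytes` policy catches headers that do not wrap but would still exhaust memory. Neither check depends on the word size, so the same code rejects the overflowing header on 32-bit and 64-bit builds.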
------- Additional Comments From michal 2004-09-15 19:16:23 ----

> ... so far we have verified that the gimp does use it

On a particular system where I tried that, 'rpm -q --whatrequires libXpm.so.4'
listed forty-one packages.



------- Additional Comments From peak.mff.cuni.cz 2004-09-16 06:52:22 ----

According to http://scary.beasts.org/security/CESA-2004-003.txt these two vulns
are CAN-2004-0782 and CAN-2004-0783. Authoritative response from CVE itself is
unavailable because all CANs are reported as reserved without any details.



------- Additional Comments From marcdeslauriers 2004-09-16 13:32:18 ----

I think the author of the advisory is a bit confused, as he used the same CAN
numbers as this one:

http://scary.beasts.org/security/CESA-2004-005.txt

I think 687/688 are for libXpm and 782/783 are for gtk+



------- Additional Comments From dwb7.edu 2004-09-22 06:38:23 ----

Well... looking at the two redhat bug ids, looks like they have a patch or 2
ready to go and are QA'ing it.

Does this actually affect XFree86 (used on 7.3 instead of X.org)?



------- Additional Comments From michal 2004-09-30 07:04:56 ----

> Does this actually affect XFree86 (used on 7.3 instead of X.org)?

Just from the code, and no test cases, it appears that it does.  At least
a patch from comment #3 to

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=131121

applies to sources used on RH7.3 (XFree86-4.2.1) and everything recompiles
with it.  I have X patched that way right at this moment on machines with
Matrox, GeForce and ATI Rage 128.  They still run. :-)



------- Additional Comments From dom 2004-10-02 11:24:09 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Update for rh7.3. Please QA:

http://www-astro.physics.ox.ac.uk/~dom/legacy/SRPMS/

f11d9d324be67fe6f1e89c13fcc3bdd4416c7ed0  XFree86-4.2.1-16.73.28.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBXxxdYzuFKFF44qURAgpAAJ4g5J163/FvouDy3axP/mMrU+FqFACg/lO2
gl0Ld0ZBeUBb6cgTEN5lghk=
=qkOw
-----END PGP SIGNATURE-----




------- Additional Comments From dom 2004-10-02 11:40:46 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Update for rh7.3. Please QA:

http://www-astro.physics.ox.ac.uk/~dom/legacy/SRPMS/

5be3130ffac4aadae551054b21e12beefd15abd1  XFree86-4.2.1-16.73.28.legacy.src.rpm

(note previous SRPM had missing legacy tag; if you have already downloaded
it please QA that instead; it is otherwise identical to this).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBXyA/YzuFKFF44qURAn8XAJ0VfgRFavodvLrKE96j+aEfipfCnwCg4xzw
UShaDfRd1GbKOfZ6Zr+E5Yc=
=iv0U
-----END PGP SIGNATURE-----




------- Additional Comments From dom 2004-10-02 11:50:25 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Update for rh9. Please QA:

http://www-astro.physics.ox.ac.uk/~dom/legacy/SRPMS/

edd61bfc46fd76be789905c4a0976401a25e7f7f  XFree86-4.3.0-2.90.58.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBXyKIYzuFKFF44qURAgJUAKCUHdzxv319iyD6VI8no0nZoN8OCgCfWNzA
9Sqmhj0m3i8ZDZF5+pnf6pQ=
=bZUI
-----END PGP SIGNATURE-----




------- Additional Comments From dom 2004-10-02 12:00:47 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Update for FC1. Please QA:

http://www-astro.physics.ox.ac.uk/~dom/legacy/SRPMS/

870a70c345edfe5246cb82ff14c6d6709524a791  XFree86-4.3.0-56.legacy.src.rpm

I've also included the XDM fix from the last rh9 update. I guess it probably
wasn't exploitable for FC1 but here it is for completeness, since we're
rebuilding anyway.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBXyT6YzuFKFF44qURAnSdAJoCWggNtZNgKR/sZeNr2/DCaNwqEQCgj7Ne
k2T4SBbi6ioIgj8wC1iMLSA=
=341k
-----END PGP SIGNATURE-----




------- Additional Comments From dom 2004-10-03 03:11:58 ----

this bug supersedes bug 1831, 1289



------- Additional Comments From dom 2004-10-05 03:50:33 ----

xdm update from Red Hat:

https://rhn.redhat.com/errata/RHSA-2004-478.html

Can someone cross-reference this with the latest packages on this bug so that we
can check if we need to include anything we haven't already?



------- Additional Comments From rob.myers.edu 2004-10-05 11:17:01 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
i did QA on Dom's XFree86-4.3.0-56.legacy.src.rpm update for FC1:
(sha1sum 870a70c345edfe5246cb82ff14c6d6709524a791)
 
per comment #11, the latest XFree from RHEL is XFree86-4.3.0-69.EL, which
includes the same fixes for CAN-2004-0687, CAN-2004-0688, and
CAN-2004-0419.  i do not think anything else is needed.
 
Sources okay
Patches okay
Spec okay
Builds okay
Installs okay
Runs okay
 
+PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBYw8ZtU2XAt1OWnsRAhkOAJwIuit9UE4AZN169udCupu0/q8hvQCgwMWy
Edg9HPT0MQKcqs3NCpMj+eM=
=DfuP
-----END PGP SIGNATURE-----




------- Additional Comments From michal 2004-10-07 09:15:00 ----

About question from comment #11.  Sources referenced in RHSA-2004:478-13
have not only patches but also a change in a spec file which enables
"#define HasDevRandom YES" in host-$arch.def.  If this change is present in
XFree86-4.3.0-56.legacy.src.rpm I did not check but that applies to 4.3.0.

For XFree86-4.2.1-16.73.28.legacy.src.rpm the situation is somewhat different.
A test

   if (request_port == 0)
       return;

for the 'xdm-opens-random-tcp-socket' issue (CAN-2004-0419) is already present
in 4.2.1 sources, if in a slightly different location; but xdm indeed is
using /dev/mem as a "random file" unless DEF_RANDOM_FILE says
otherwise while compiling resource.c for 'xdm', and it is very far from clear
to me how one would fit that into this whole compilation setup.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=126205#c3 says:
"Fixed in rawhide xorg-x11, XFree86 4.3.0 and 4.1.0 in CVS for future
erratum." but I do not see "HasDevRandom" configuration below 4.3.0 and
I am not sure how Mike Harris fixed that. I would be inclined to leave
that alone - at least for now.

I am also not sure why John P. Dalbec commented out the rpm -q test for
Glide3-devel in the spec file and turned off parallel compilation by
changing '-j%(getconf _NPROCESSORS_ONLN)' to '-j1'.  I was recently recompiling
XFree using both and that worked fine, and the latter makes a
difference if you have more than one processor.  In any case, a parallel
build can be turned off by defining 'ParallelBuild' to 0 if that is
really needed.



------- Additional Comments From michal 2004-10-07 09:46:13 ----

See also https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129797
and
XFree86-4.3.0-ati-radeon-7000m-dell-server.patch
XFree86-4.1.0-ati-radeon-rhel21_u4_radeon_7000m_dell_server.patch
from recent RHEL updates.  If that applies to 4.3.0 and 4.1.0 then
it will fit 4.2.1 as well. :-)



------- Additional Comments From jpdalbec 2004-10-08 06:59:18 ----

I commented out the "rpm -q" test for Glide3-devel because it prevents building
on mach.  In that environment the RPM database is maintained from outside the
chroot and may not even have the same Berkeley database version (db1/3/4 etc.).
I changed the number of processors to "-j1" because building was broken on SMP
systems.  I later fixed SMP building in
http://www.fedoralegacy.org/contrib/XFree86/XFree86-4.2.1-17.73.27.src.rpm but
that package "fixed" a security issue that wasn't one, so it didn't get released.



------- Additional Comments From josh.kayse.edu 2004-10-14 12:04:31 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the FC1 package:

870a70c345edfe5246cb82ff14c6d6709524a791  XFree86-4.3.0-56.legacy.src.rpm

- Sources identical to previous release
- Patches look okay
- Spec is okay
- builds fine
- installs fine
- runs okay

+PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBbvfawnUFCSDmt7ERAkAyAKCD5nBRQLX+0vrJBL4BUB9mfkBR/wCfda/w
2vivA5on262d0VfeXmq2tmU=
=NzL1
-----END PGP SIGNATURE-----




------- Additional Comments From rob.myers.edu 2004-10-22 07:58:34 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
i did QA on Dominic's Redhat 9 package:
edd61bfc46fd76be789905c4a0976401a25e7f7f  XFree86-4.3.0-2.90.58.legacy.src.rpm
 
sha1sum ok
source files ok (compared to XFree86-4.3.0-2.90.55)
spec file ok
patches ok (verified against previously verified XFree86-4.3.0-56.legacy)
builds ok
cra's rpm-build-compare script compares favorably
no rh9 box to install or run on
 
+PUBLISH
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBeUoktU2XAt1OWnsRAjnoAKD0SQYTprYXM38/DAnoe70Ez7z9aACgjL1D
wiHaISLKJnIqUJ5yU2qZ5T4=
=AaYn
-----END PGP SIGNATURE-----




------- Additional Comments From rob.myers.edu 2004-10-22 08:49:11 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
i did QA on Dominic's Redhat 7.3 package:
5be3130ffac4aadae551054b21e12beefd15abd1 XFree86-4.2.1-16.73.28.legacy.src.rpm
 
sha1sum ok
source files ok (verified against XFree86-4.2.1-13.73.23)
spec file ok
patches ok
builds ok
no rh73 box to install or run on
 
+PUBLISH
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBeVYFtU2XAt1OWnsRAp2BAJ4pM8YyHe8+8jnUabkBMev9Mk/3JACg6c2u
mRUhXkNRGuSEXITmQC/z83w=
=wZpK
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-10-22 16:54:30 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Did QA on the rh7.3 package:

5be3130ffac4aadae551054b21e12beefd15abd1  XFree86-4.2.1-16.73.28.legacy.src.rpm

- source files are identical to previous release
- New patch file is good
- Spec file is good
- Builds, installs and works good.

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBecgQLMAs/0C4zNoRAsx9AKCOuoRDWMs6pneO2IIn7AVQF/uCewCgqw/e
rj2JCDkOPPG3TuqLy51xFrg=
=LKjk
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-10-23 02:07:39 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Did QA on the rh9 package:

edd61bfc46fd76be789905c4a0976401a25e7f7f  XFree86-4.3.0-2.90.58.legacy.src.rpm

- source files are identical to previous release
- New patch file is good
- Spec file is good
- Builds, installs and works good.

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBekmwLMAs/0C4zNoRAt5PAJ46pHnASxXYkEaYjDpCjMYeOH/KTgCfWeYI
joL9JCzMVi8feT3JX/++5TQ=
=VkpM
-----END PGP SIGNATURE-----




------- Additional Comments From dom 2004-11-04 12:54:09 ----

Created an attachment (id=911)
mach build log for XFree86-4.3.0-57.legacy

I can't get this to build for FC1 (.57 is the same as .56 but with parallel
builds disabled; the same error occurs either way). Any bright ideas?



------- Additional Comments From rob.myers.edu 2004-11-05 09:58:10 ----

you just need to add m4 as a BuildRequire



------- Additional Comments From b.pennacchi.it 2004-11-09 08:22:55 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
downloaded XFree86 sources for RH9 from Dominic's site
checksum of source's SHA1 and MD5: OK
compiling and building sources: long, dreary, boring but OK
checksum of .rpms' SHA1 and MD5: OK
installing resulting .rpms: OK
using the new XFree86: OK... so far (been almost one month)
 
I'm willing to give it both a PUBLISH and a VERIFY for RH9, if
you don't mind. Just please note that I didn't install ALL the
.rpms of the whole XFree86 thing.
 
(let's hope no more security bugs creep up after this package :-)
b.
 
P.S.: do you want me to upload somewhere the .rpms?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFBkQpekYABghcrexsRAkpJAJ4uesTea4wpVzVu2tkRRo7sx6y2DgCfUxrD
FhAfaSEbOLSjy10s/wAZHX0=
=WiQp
-----END PGP SIGNATURE-----



------- Additional Comments From jpdalbec 2004-11-24 04:50:11 ----

This is a patch against X.org but do any of the fixes apply to XFree86?

04.46.13 CVE: CAN-2004-0687,CAN-2004-0688
Platform: Unix
Title: libXpm Multiple Vulnerabilities
Description: libXpm is a graphics library available for Unix operating
systems. libXpm is vulnerable to multiple issues such as integer
overflow, remote command execution and directory traversal. libXpm
versions 6.8.1 and earlier are known to be vulnerable.
Ref: http://www.x.org/pub/X11R6.8.1/patches/README.xorg-681-CAN-2004-0914.patch



------- Additional Comments From rob.myers.edu 2004-11-24 07:54:09 ----

yes it applies, with only minor offsets.  but should we open a new bug for
CAN-2004-0914 or work on it here?



------- Additional Comments From jpdalbec 2004-11-29 10:48:18 ----

Good point.  Bug 2314 has been opened.



------- Additional Comments From rob.myers.edu 2004-12-03 05:15:43 ----

i just wanted to call attention to the sample bad xpms that will test
CAN-2004-0687 and CAN-2004-0688 in the previously posted url:

http://scary.beasts.org/security/CESA-2004-003.txt



------- Bug moved to this database by dkl 2005-03-30 18:27 -------

This bug previously known as bug 2075 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2075
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
mach build log for XFree86-4.3.0-57.legacy
https://bugzilla.fedora.us/attachment.cgi?action=view&id=911

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
This bug either had no qa contact or an invalid one.