Red Hat Bugzilla – Bug 136830
CAN-2004-0914 Various libXpm issues
Last modified: 2007-11-30 17:06:54 EST
Thomas Biege from Suse has audited the libXpm X code.
The patch is based on XFree86-4.3-branch_03-08-13 code
with all known security fixes (including xpm-sec5.diff,
which I sent around some days ago) applied.
It fixes several integer issues that result in endless loops
and buffer overflows. It also fixes a one-byte buffer overflow,
stack-based overflows (sprintf(), string functions), replaces
popen() with s_popen(), path traversal issues, buffer underruns,
memory leaks (missing free(), found by Egbert Eich)...
Some issues seem not to be fixable in an easy way, therefore
I just commented them.
So far we did not make any functional testing based on packages
including this patch. Handle it with *care*.
With the presence of this patch I would like to push back the
next coordinated libXpm release for at least one week
(3rd November, 14:00 UTC).
Created attachment 105661 [details]
Proposed patch for these issues.
Created attachment 105662 [details]
Patch to fix the makefiles to account for the new s_popen library.
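As an added illustration (not libXpm's code and not part of the attached patch): a C routine that validates an XPM values line and computes the pixel-buffer size without letting `width * height * cpp` wrap, the class of integer issue the mail above says the patch addresses. The `XPM_MAX_DIM` bound and the 8-character `cpp` limit are assumptions chosen for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed example: parse an XPM "<Values>" line of the form
 * "width height ncolors chars_per_pixel" and size the pixel buffer
 * with explicit overflow checks instead of unchecked multiplication. */

/* Hypothetical limits picked for this example (defence in depth). */
#define XPM_MAX_DIM 65536
#define XPM_MAX_CPP 8

/* Parse one positive decimal field, rejecting junk and out-of-range input. */
static int parse_field(const char **p, long *out) {
    char *end;
    errno = 0;
    long v = strtol(*p, &end, 10);
    if (end == *p || errno == ERANGE || v <= 0) return 0;
    *p = end;
    *out = v;
    return 1;
}

/* Multiply two sizes, reporting overflow rather than wrapping. */
static int mul_size(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* Bytes needed for width*height*cpp pixel characters, or 0 when the
 * header is malformed, a field is out of range, or the size would wrap. */
size_t xpm_pixel_bytes(const char *values_line) {
    long width, height, ncolors, cpp;
    const char *p = values_line;
    if (!parse_field(&p, &width) || !parse_field(&p, &height) ||
        !parse_field(&p, &ncolors) || !parse_field(&p, &cpp))
        return 0;
    if (width > XPM_MAX_DIM || height > XPM_MAX_DIM || cpp > XPM_MAX_CPP)
        return 0;
    size_t n;
    if (!mul_size((size_t)width, (size_t)height, &n)) return 0;
    if (!mul_size(n, (size_t)cpp, &n)) return 0;
    return n;
}
```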
From the mail on the xorg_security list today, the patch is still
under discussion, and changes are still being made. Once the final
patches are available, I've asked that Kristian Høgsberg prepare the
update while Mike is on vacation.
Created attachment 106066 [details]
Updated patch from Matthieu Herrb
From the latest e-mail on the xorg_security list today, it looks like the new
date for the embargo is 17 Nov 2004 14:00 UTC.
We are currently reviewing and testing the latest patch.
Fixed in XFree86-4.1.0-63.EL.
Errata are passed on to QA, setting to MODIFIED.
Was actually released as RHSA-2004:610 on Dec 20 2004.