Bug 151640 - CAN-2005-0605 libxpm issue
CAN-2005-0605 libxpm issue
Status: CLOSED CANTFIX
Product: Fedora Legacy
Classification: Retired
Component: lesstif (Show other bugs)
fc3
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
impact=moderate, LEGACY, 3, needsbuild
: Security
Depends On:
Blocks: CVE-2005-0605
  Show dependency treegraph
 
Reported: 2005-03-21 06:43 EST by Mark J. Cox (Product Security)
Modified: 2008-01-28 11:17 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-04-10 15:15:40 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Proposed updates-testing announcement (3.90 KB, text/plain)
2006-06-06 20:45 EDT, David Eisenstein
no flags Details

  None (edit)
Description Mark J. Cox (Product Security) 2005-03-21 06:43:10 EST
CAN-2005-0605 Probably Affects: FC2 
        CAN-2005-0605 Probably Affects: FC3 

+++ This bug was initially created as a clone of Bug #151639 +++

A potential buffer overflow from the use of unsigned integers has been found in
the XPM processing library of xorg.

https://bugs.freedesktop.org/show_bug.cgi?id=1920

Probably affects RHEL2.1 (not verified)
Comment 1 Fedora Update System 2005-08-26 13:49:25 EDT
From User-Agent: XML-RPC

ntp-4.2.0.a.20040617-5.FC3 has been pushed for FC3, which should resolve this issue.

If these issues are still present in this version, then please re-open this bug.
Comment 2 Fedora Update System 2005-08-26 13:50:04 EDT
From User-Agent: XML-RPC

subversion-1.2.3-2.1 has been pushed for FC4, which should resolve this issue.

If these issues are still present in this version, then please re-open this bug.
Comment 3 Fedora Update System 2005-08-26 13:51:56 EDT
From User-Agent: XML-RPC

lesstif-0.93-36-6.FC3.2 has been pushed for FC3, which should resolve this issue.

If these issues are still present in this version, then please re-open this bug.
Comment 4 Michal Jaegermann 2006-01-11 14:54:07 EST
lesstif-0.93-36-6.FC3.2 source rpm indeed includes patch4 and patch5 which
should close issues, and %changelog indeed claims so, but in %setup section
of lesstif.spec these two patches are _not_ applied.
Comment 5 David Eisenstein 2006-02-04 04:34:03 EST
Michal, you work with Fedora Legacy, don't you?  Since you've been in the 
source rpm, have you fixed that issue for your own system(s)?  Would you like
to submit a fixed .src.rpm for review so fixed packages can be released?
Comment 6 Michal Jaegermann 2006-02-04 13:26:05 EST
As it happens I do not any FC3 installation with lesstif installed and I do
not have any packages which would directly fit elsewhere as well.  I looked
at source rpm for other reasons.

With FC3 that fix is trivial.  One needs to add in specs two missing '%patch
...'  lines to apply existing patches and recompile.  Other distributions are likely
affected as well.  These can be fixed by recompiling there the same sources
although this will likely cause inconsequential version changes.
Comment 7 Donald Maner 2006-05-12 15:13:57 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have created the following SRPM for lesstif:

fc3:
162f165889b931a6e8f0d66a02fab82d4b0ec308
http://lance.maner.org/lesstif-0.93.36-6.FC3.3.legacy.src.rpm

* Fri May 12 2006 Donald Maner <donjr@pobox.com> 0.93.36-6.FC3.3-legacy

- add patches 4 and 5 to actually compile fixes for libXpm (#151640)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFEZN93pxMPKJzn2lIRAv2tAJ9/JRSPjLqRpS1TMYmqzWM5OxIbtwCcDtWq
7tkrKytMPfBi9NqdtOevHRw=
=3Q9s
-----END PGP SIGNATURE-----
Comment 8 David Eisenstein 2006-05-13 19:52:32 EDT
Thanks for submitting the .src.rpm, Donald!

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Source QA for lesstif-0.93.36-6.FC3.3.legacy:

162f165889b931a6e8f0d66a02fab82d4b0ec308__lesstif-0.93.36-6.FC3.3.legacy.src.rpm

- - sha1sums match
QA w/ rpm-build-compare.sh:
- - source integrity is good
- - spec file changes minimal
- - patches come from previous package where they were not applied.

+PUBLISH FC3

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFEZnEvxou1V/j9XZwRApffAJ94sCLfz8N/S2/0keLilNxhW/Xt6gCg82gd
QRTKSrNKhP55/tIA2S82Zo4=
=L6+a
-----END PGP SIGNATURE-----
Comment 9 David Eisenstein 2006-06-06 20:45:40 EDT
Created attachment 130648 [details]
Proposed updates-testing announcement

Packages are built on the build-server.  They need to be signed and pushed
to updates-testing.  Enclosed is the proposed announcement, which needs to
have sha1sums added.  Hope this helps.
Comment 10 David Lawrence 2006-07-17 23:21:01 EDT
QA_READY has been deprecated in favor of ON_QA. Please use ON_QA in the future.
Moving to ON_QA.
Comment 11 Matthew Miller 2007-04-10 15:15:40 EDT
Fedora Core 3 is now completely unmaintained. These bugs can't be fixed in that
version. If the issue still persists in current Fedora Core, please reopen.
Thank you, and sorry about this.

Note You need to log in before you can comment on or make changes to this bug.