Multiple integer overflows in xpmParseColors in parse.c for libXpm before 6.8.1 allow remote attackers to execute arbitrary code via a malformed XPM image file. This library itself is contained in lesstif. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0688 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135081 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135080 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135079 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135076 ------- Additional Comments From michal 2004-10-23 17:02:07 ---- AFAICS lesstif, at least on rh73, is configured '--with-xpm-libraries=/usr/X11R6/lib' and is not using its own version of libXpm even if it supplies the code. Hence the problem does not seem to exist. I do not know about other distributions and I would not mind the second opinion. It is another question that the version of lesstif used is somewhat obsolete. ------- Additional Comments From michal 2004-10-23 17:42:19 ---- I take the previous comment back. Although what I said is true on the second look libXm provides functions like _LtXpmCreateXpmImageFromImage and these are, from a quick scan, not wrappers to call libXpm but copies. Sixty four functions of that sort. Sigh! ------- Additional Comments From rob.myers.edu 2004-11-04 16:33:28 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here are updated lesstif packages to QA for rh73, rh90, and fc1: - - CAN-2004-0688 should now be fixed - - should compile cleanly under mach changelogs: rh73: * Thu Nov 04 2004 Rob Myers <rob.myers.edu> 0.93.18-2.1.legacy - - apply patch for CAN-2004-0688 (FL #2142) - - truncated changelog because it was somehow breaking things rh9: * Thu Nov 04 2004 Rob Myers <rob.myers.edu> 0.93.36-3.1.legacy - - apply patch for CAN-2004-0688 (FL #2142) fc1: * Thu Nov 04 2004 Rob Myers <rob.myers.edu> 0.93.36-4.1.legacy - - apply patch for CAN-2004-0688 (FL #2142) sha1sums: rh73: a5c176e43664fe6c0189425b7f915d45ef2f801f lesstif-0.93.18-2.1.legacy.i386.rpm 3f193cc6b358d456ff493e7b5015db80c85fede5 lesstif-0.93.18-2.1.legacy.src.rpm ffeb787c3719c46cbf9cdcb78ecf24c582d104bd lesstif-devel-0.93.18-2.1.legacy.i386.rpm rh9: 3f274a2f1fc61d1a4abf679313df23b89b7eec7c lesstif-0.93.36-3.1.legacy.i386.rpm 5d7b0bd938ce4f810688d7352bbb33fd9924b432 lesstif-0.93.36-3.1.legacy.src.rpm dd04ad356c473348450e3dcdaee6cf697ca51ca7 lesstif-debuginfo-0.93.36-3.1.legacy.i386.rpm 4185b9a76c6591097d6d8392f69776472e072cd6 lesstif-devel-0.93.36-3.1.legacy.i386.rpm fc1: 80c0ffc9259e8fbf655757d608cd69b926418d7f lesstif-0.93.36-4.1.legacy.i386.rpm 1e289b57784fac794643531f335fedba1d7dd96e lesstif-0.93.36-4.1.legacy.src.rpm e3cf26ecb060a0baa0119b5e931481b02adcf46e lesstif-debuginfo-0.93.36-4.1.legacy.i386.rpm 76a72649f6060c0f4e18d9be4ece7857bc8db3ec lesstif-devel-0.93.36-4.1.legacy.i386.rpm files: rh73: http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-0.93.18-2.1.legacy.i386.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-0.93.18-2.1.legacy.src.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-devel-0.93.18-2.1.legacy.i386.rpm rh9: http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-0.93.36-3.1.legacy.i386.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-0.93.36-3.1.legacy.src.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-debuginfo-0.93.36-3.1.legacy.i386.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-devel-0.93.36-3.1.legacy.i386.rpm fc1: http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-0.93.36-4.1.legacy.i386.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-0.93.36-4.1.legacy.src.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-debuginfo-0.93.36-4.1.legacy.i386.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-devel-0.93.36-4.1.legacy.i386.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFBiuYltU2XAt1OWnsRAn64AJ4jDsZUEOTD3GRD6ylmo8KXLAstOgCfcMA2 HOuD/MQ801ZFOI3aaImMiwM= =bVco -----END PGP SIGNATURE----- ------- Additional Comments From rob.myers.edu 2004-12-03 13:17:52 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here are updated lesstif packages to QA for rh73, rh9, and fc1: - - added the sec8-ammendment to the CAN-2004-0914 patch - - poke around on http://lesstif.sf.net/ for cvs changelogs: rh73: * Fri Dec 03 2004 Rob Myers <rob.myers.edu> 0.93.18-2.2.legacy - - apply diff from current lesstif cvs that removes the monolithic Xpm.c file and breaks it into the latest versions of the separate libXpm files. this should fix CAN-2004-0667, CAN-2004-0668, and CAN-2004-0914 (FL #2142) rh9: * Fri Dec 03 2004 Rob Myers <rob.myers.edu> 0.93.36-3.2.legacy - - apply diff from current lesstif cvs that removes the monolithic Xpm.c file and breaks it into the latest versions of the separate libXpm files. this should fix CAN-2004-0667, CAN-2004-0668, and CAN-2004-0914 (FL #2142) fc1: * Fri Dec 03 2004 Rob Myers <rob.myers.edu> 0.93.36-4.2.legacy - - apply diff from current lesstif cvs that removes the monolithic Xpm.c file and breaks it into the latest versions of the separate libXpm files. this should fix CAN-2004-0667, CAN-2004-0668, and CAN-2004-0914 (FL #2142) this file is available at: http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/2142.txt.asc files: rh73: http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-0.93.18-2.2.legacy.src.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-0.93.18-2.2.legacy.i386.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-devel-0.93.18-2.2.legacy.i386.rpm rh9: http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-0.93.36-3.2.legacy.src.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-0.93.36-3.2.legacy.i386.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-debuginfo-0.93.36-3.2.legacy.i386.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-devel-0.93.36-3.2.legacy.i386.rpm fc1: http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-0.93.36-4.2.legacy.src.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-0.93.36-4.2.legacy.i386.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-debuginfo-0.93.36-4.2.legacy.i386.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-devel-0.93.36-4.2.legacy.i386.rpm sha1sums: rh73: a4923348ca44eddc4c7ee986d5bd0cf092ea47e5 lesstif-0.93.18-2.2.legacy.i386.rpm 013abd3bc79c32f445ff3d149ed234ec95e6bf93 lesstif-0.93.18-2.2.legacy.src.rpm e15c9db716d5bb5d246db8885359040ce15af0ac lesstif-devel-0.93.18-2.2.legacy.i386.rpm rh9: d0b6c486b9187002863d230276ec5ff62c139116 lesstif-0.93.36-3.2.legacy.i386.rpm cb7f442f51a3b09ce9176675fd9c8b5746d8593a lesstif-0.93.36-3.2.legacy.src.rpm cd21cd54bd421e5d0ca16bce6d3735d6c9e9ed27 lesstif-debuginfo-0.93.36-3.2.legacy.i386.rpm f689c21309de5c051b42c113d969b3746c60fee1 lesstif-devel-0.93.36-3.2.legacy.i386.rpm fc1: 094f0f74702f53bc23417f743d386cb8b8699a5c lesstif-0.93.36-4.2.legacy.i386.rpm cf7bd4db6b246c0ba736712ba1c094711b1c067e lesstif-0.93.36-4.2.legacy.src.rpm 00f18634d5cd8395f0b5745647c179eee423520b lesstif-debuginfo-0.93.36-4.2.legacy.i386.rpm 84ae0146756cb3d169b217f658b17e4cac035b1c lesstif-devel-0.93.36-4.2.legacy.i386.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFBsPOMtU2XAt1OWnsRAp/DAJ9RDExCLTcTlSAwufxL160Ww4PudQCg4Fut QfwrPuANDocbH4Ef1YQ6xOA= =0Mtn -----END PGP SIGNATURE----- ------- Additional Comments From pekkas 2004-12-15 04:09:18 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I've gone through the all the - spec files are sane - the original tarballs untouched - the jumbo security patch has been compared against the CVS, and it's OK. (note: I'd avoid using such CVS patches, because it took over 30 mins to find a way to review its correctness.) I have not tested the compilation or that the package works in itself, just that it seems valid. A job for those who'll vote for verify. +PUBLISH FC1,RHL9,RHL73 013abd3bc79c32f445ff3d149ed234ec95e6bf93 lesstif-0.93.18-2.2.legacy.src.rpm cb7f442f51a3b09ce9176675fd9c8b5746d8593a lesstif-0.93.36-3.2.legacy.src.rpm cf7bd4db6b246c0ba736712ba1c094711b1c067e lesstif-0.93.36-4.2.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFBwEVxGHbTkzxSL7QRAp8AAKChok2KeqYYLAA43osRFvMs3W0/UACeJA2u AUD9KM8Osk+k4umIkJfY2do= =ybmH -----END PGP SIGNATURE----- ------- Additional Comments From rob.myers.edu 2004-12-15 05:07:43 ---- cvs patches aren't a problem in general. the problem in this case is that there was a massive change- the authors realized the libxpm code they had was very difficult to maintain. the change they made makes the libxpm code in lesstif far more maintainable for the future than what it was. so anyway, i stand by the massive cvs patch. i thought it was the lesser of the lesstif evils. thanks for QA'ing it. :) ------- Additional Comments From bugzilla.fedora.us 2005-01-08 12:26:52 ---- *** This bug has been marked as a duplicate of 2344 *** ------- Additional Comments From dom 2005-01-08 15:33:52 ---- Why was this bug marked a duplicate of the PHP one? The problems are entirely different. ------- Additional Comments From bugzilla.fedora.us 2005-01-09 12:45:54 ---- it was a mistake. i was trying to mark bug 2141 as a dupe of bug 2344. sorry about that... ------- Additional Comments From marcdeslauriers 2005-02-09 16:16:13 ---- Packages were pushed to updates-testing. ------- Additional Comments From pekkas 2005-02-21 22:54:36 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA: - GPG signature OK - rpm-build-compare on the binaries looks reasonable - installing works fine Unfortunately, I couldn't find _any_ applications which would use lesstif (all of them already use openmotif), so I couldn't test how well this works or not, but I'll give this: + 70% PUBLISH RHL9 This should be good enough if some other dist version is properly verified.. acd0cd8114977e042b846ed551dc3bbc4bceb5da lesstif-0.93.36-3.2.legacy.i386.rpm 2214729452e380e0d7f792a44fb319f570b8cb92 lesstif-devel-0.93.36-3.2.legacy.i386.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFCGvM4GHbTkzxSL7QRAk9zAJwOP/qeYt92/F1YJ9LSWFZ9lTvCtQCePE5N Vg0TVutIsK47/fx9G4JBgec= =Pode -----END PGP SIGNATURE----- ------- Additional Comments From pekkas 2005-02-21 23:00:54 ---- Sigh. My PUBLISH above should have been VERIFY, of course.. ------- Bug moved to this database by dkl 2005-03-30 18:28 ------- This bug previously known as bug 2142 at https://bugzilla.fedora.us/ https://bugzilla.fedora.us/show_bug.cgi?id=2142 Originally filed under the Fedora Legacy product and Package request component. Unknown priority P2. Setting to default priority "normal". Unknown platform PC. Setting to default platform "All". Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.
I'll mark RHL9 verified so we can move on with this unless others found problems with it..
I fear we need new packages for the new issues, see #135081..
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here are updated packages for rh73, rh9 and fc1: b7c53a00054b1d9fa2c8d36c3e88c014ba2a74ea 7.3/lesstif-0.93.18-2.3.legacy.i386.rpm 470a3ff220ba45d43c9a194860569a4f9523ab25 7.3/lesstif-0.93.18-2.3.legacy.src.rpm 76c8731e647cd5f66b2a58fa884e27375f25036f 7.3/lesstif-devel-0.93.18-2.3.legacy.i386.rpm 45360ee96607102354140aa6018c9a5eedd18f4e 9/lesstif-0.93.36-3.3.legacy.i386.rpm 363af3ebc117eb7ccb15348d780add61cffcffb5 9/lesstif-0.93.36-3.3.legacy.src.rpm 7c9a53409515303e92848204fd2629c837eb16b7 9/lesstif-devel-0.93.36-3.3.legacy.i386.rpm d63c5060121f6624370ad52d9d19c1c4ca683361 1/lesstif-0.93.36-4.3.legacy.i386.rpm 0b3aea406881dd78a610f53c84cf74237d6efa0b 1/lesstif-0.93.36-4.3.legacy.src.rpm a9b8c617d1e99ffa76b1b34821d50af9b9aa73f4 1/lesstif-devel-0.93.36-4.3.legacy.i386.rpm Changelog: * Wed Jul 27 2005 Marc Deslauriers <marcdeslauriers> 0.93.36-4.3.legacy - - Use the RHEL patches for CAN-2004-0667, CAN-2004-0668 and CAN-2004-0914 - - fixed possible libXpm overflows (CAN-2005-0605) http://www.infostrategique.com/linuxrpms/legacy/7.3/lesstif-0.93.18-2.3.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/9/lesstif-0.93.36-3.3.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/1/lesstif-0.93.36-4.3.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFC6BDULMAs/0C4zNoRAlzLAKCDw84u6KH/Qw8ebYSX57mrcXbjqACggM3V LD/lOWY//oDHxvVeo+0GQso= =uZb4 -----END PGP SIGNATURE-----
I'll also move the tracking of FC2 here.. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA w/ rpm-build-compare.sh: - spec file changes minimal - source integrity good - patches identical to RHEL21 +PUBLISH RHL73, RHL9, FC1 470a3ff220ba45d43c9a194860569a4f9523ab25 lesstif-0.93.18-2.3.legacy.src.rpm 363af3ebc117eb7ccb15348d780add61cffcffb5 lesstif-0.93.36-3.3.legacy.src.rpm 0b3aea406881dd78a610f53c84cf74237d6efa0b lesstif-0.93.36-4.3.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFC6HnsGHbTkzxSL7QRAqUZAKCGa8VJEXEbq07UCKAu5qOgZE2jtQCfYv0R bg9JYH5WClD60H03o7vp9j4= =2Iwk -----END PGP SIGNATURE-----
*** Bug 135081 has been marked as a duplicate of this bug. ***
Packages were pushed to updates-testing.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ++VERIFY for RHL 9 Package: lesstif-0.93.36-3.3.legacy.i386.rpm SHA1 checksum a4a8e6e888234cb0751800c181430db4c7b524e6 verifies okay. Package: lesstif-devel-0.93.36-3.3.legacy.i386.rpm SHA1 checksum 0804ad3304bf12be7f1ab71a463e980f4ea17975 verifies okay. Both packages installed fine. Tested some programs which depend on lesstif and all seem to work fine. Vote for release for RHL 9 ++VERIFY -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQFDfjh54jZRbknHoPIRAi+tAJ0ZHYyA1oIQokC/16VHq4kbIdW+wgCgovXx Dkd48qwqJc0zlHu+QRUnKgQ= =1ltH -----END PGP SIGNATURE-----
Thanks!
Timeout over.
Packages were released to updates.