Bug 152803 - CAN-2004-0687,0688,0914, CAN-2005-0605 - lesstif integer overflows in libXpm
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: lesstif
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Fedora Legacy Bugs
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: 1, 2, LEGACY, rh73, rh90
Keywords: Security
Duplicates: 135081
Reported: 2004-10-08 06:49 EDT by Marc Deslauriers
Modified: 2007-04-18 13:22 EDT
Doc Type: Bug Fix
Last Closed: 2006-01-09 20:19:05 EST
Description David Lawrence 2005-03-30 18:28:01 EST
Multiple integer overflows in xpmParseColors in parse.c for libXpm
before 6.8.1 allow remote attackers to execute arbitrary code via a
malformed XPM image file.

This library itself is contained in lesstif.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0688
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135081
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135080
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135079
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135076
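
Added example (not part of the bug report, and not libXpm or lesstif source): a simplified C model of the bug class named in the description, where a colour count read from an image header is multiplied by an entry size before allocation. The struct and function names are hypothetical, and `unsigned int` is assumed for the size arithmetic.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical colour-table entry; a stand-in, not libXpm's own struct. */
typedef struct {
    char *string;
    char *symbolic;
    char *m_color;
    char *g_color;
    char *c_color;
} color_entry;

/* Unchecked sizing: the product is taken in unsigned int and silently wraps
 * when ncolors (untrusted, read from the file) is large enough. */
unsigned int table_bytes_unchecked(unsigned int ncolors)
{
    return ncolors * (unsigned int)sizeof(color_entry);
}

/* Checked sizing: returns 0 when the count is zero or the product would not
 * fit, so the caller can reject the image before allocating. */
unsigned int table_bytes_checked(unsigned int ncolors)
{
    if (ncolors == 0 || ncolors > UINT_MAX / sizeof(color_entry))
        return 0;
    return ncolors * (unsigned int)sizeof(color_entry);
}

/* Allocate the table only for a validated count; NULL means "reject file". */
color_entry *alloc_color_table(unsigned int ncolors)
{
    unsigned int bytes = table_bytes_checked(ncolors);
    return bytes ? calloc(1, bytes) : NULL;
}

/* Smallest count whose byte size no longer fits in unsigned int. */
unsigned int first_wrapping_count(void)
{
    return (unsigned int)(UINT_MAX / sizeof(color_entry)) + 1u;
}

int main(void)
{
    unsigned int n = first_wrapping_count();
    printf("count=%u unchecked=%u bytes, checked=%u, table=%s\n", n,
           table_bytes_unchecked(n), table_bytes_checked(n),
           alloc_color_table(n) ? "allocated" : "rejected");
    return 0;
}
```

With the unchecked sizing, the wrapped byte count is smaller than a single entry, so any loop that then fills `ncolors` entries writes past the buffer; the checked path rejects the header before any allocation happens.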



------- Additional Comments From michal@harddata.com 2004-10-23 17:02:07 ----

AFAICS lesstif, at least on rh73, is configured
'--with-xpm-libraries=/usr/X11R6/lib' and is not using its own version of libXpm
even if it supplies the code.  Hence the problem does not seem to exist.
I do not know about other distributions and I would not mind the second
opinion.

It is another question that the version of lesstif used is somewhat obsolete.



------- Additional Comments From michal@harddata.com 2004-10-23 17:42:19 ----

I take the previous comment back.  Although what I said is true on the second
look libXm provides functions like _LtXpmCreateXpmImageFromImage and these
are, from a quick scan, not wrappers to call libXpm but copies.  Sixty four
functions of that sort. Sigh!



------- Additional Comments From rob.myers@gtri.gatech.edu 2004-11-04 16:33:28 ----

Here are updated lesstif packages to QA for rh73, rh90, and fc1:
  
- CAN-2004-0688 should now be fixed
- should compile cleanly under mach

changelogs:

rh73:
* Thu Nov 04 2004 Rob Myers <rob.myers@gtri.gatech.edu> 0.93.18-2.1.legacy
- apply patch for CAN-2004-0688 (FL #2142)
- truncated changelog because it was somehow breaking things

rh9:
* Thu Nov 04 2004 Rob Myers <rob.myers@gtri.gatech.edu> 0.93.36-3.1.legacy
- apply patch for CAN-2004-0688 (FL #2142)

fc1:
* Thu Nov 04 2004 Rob Myers <rob.myers@gtri.gatech.edu> 0.93.36-4.1.legacy
- apply patch for CAN-2004-0688 (FL #2142)
  
sha1sums:
 
 
files:
 
rh73:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-0.93.18-2.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-0.93.18-2.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-devel-0.93.18-2.1.legacy.i386.rpm
 
rh9:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-0.93.36-3.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-0.93.36-3.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-debuginfo-0.93.36-3.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-devel-0.93.36-3.1.legacy.i386.rpm
 
fc1:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-0.93.36-4.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-0.93.36-4.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-debuginfo-0.93.36-4.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-devel-0.93.36-4.1.legacy.i386.rpm
 




------- Additional Comments From rob.myers@gtri.gatech.edu 2004-12-03 13:17:52 ----

Here are updated lesstif packages to QA for rh73, rh9, and fc1:
 
- added the sec8-ammendment to the CAN-2004-0914 patch
- poke around on http://lesstif.sf.net/ for cvs

changelogs:

rh73:
* Fri Dec 03 2004 Rob Myers <rob.myers@gtri.gatech.edu> 0.93.18-2.2.legacy
- apply diff from current lesstif cvs that removes the monolithic
  Xpm.c file and breaks it into the latest versions of the separate
  libXpm files.  this should fix CAN-2004-0667, CAN-2004-0668, and
  CAN-2004-0914 (FL #2142)

rh9:
* Fri Dec 03 2004 Rob Myers <rob.myers@gtri.gatech.edu> 0.93.36-3.2.legacy
- apply diff from current lesstif cvs that removes the monolithic
  Xpm.c file and breaks it into the latest versions of the separate
  libXpm files.  this should fix CAN-2004-0667, CAN-2004-0668, and
  CAN-2004-0914 (FL #2142)

fc1:
* Fri Dec 03 2004 Rob Myers <rob.myers@gtri.gatech.edu> 0.93.36-4.2.legacy
- apply diff from current lesstif cvs that removes the monolithic
  Xpm.c file and breaks it into the latest versions of the separate
  libXpm files.  this should fix CAN-2004-0667, CAN-2004-0668, and
  CAN-2004-0914 (FL #2142)
 
this file is available at:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/2142.txt.asc
 
files:
 
rh73:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-0.93.18-2.2.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-0.93.18-2.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-devel-0.93.18-2.2.legacy.i386.rpm
 
rh9:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-0.93.36-3.2.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-0.93.36-3.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-debuginfo-0.93.36-3.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-devel-0.93.36-3.2.legacy.i386.rpm
 
fc1:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-0.93.36-4.2.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-0.93.36-4.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-debuginfo-0.93.36-4.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/lesstif-devel-0.93.36-4.2.legacy.i386.rpm
 
sha1sums:
 
 




------- Additional Comments From pekkas@netcore.fi 2004-12-15 04:09:18 ----

I've gone through the all the
 - spec files are sane
 - the original tarballs untouched
 - the jumbo security patch has been compared against the CVS,
   and it's OK.

(note: I'd avoid using such CVS patches, because it took over 30 mins to
find a way to review its correctness.)

I have not tested the compilation or that the package works in itself, just
that it seems valid.  A job for those who'll vote for verify.

+PUBLISH FC1,RHL9,RHL73

013abd3bc79c32f445ff3d149ed234ec95e6bf93  lesstif-0.93.18-2.2.legacy.src.rpm
cb7f442f51a3b09ce9176675fd9c8b5746d8593a  lesstif-0.93.36-3.2.legacy.src.rpm
cf7bd4db6b246c0ba736712ba1c094711b1c067e  lesstif-0.93.36-4.2.legacy.src.rpm




------- Additional Comments From rob.myers@gtri.gatech.edu 2004-12-15 05:07:43 ----

cvs patches aren't a problem in general.  the problem in this case is that there
was a massive change- the authors realized the libxpm code they had was very
difficult to maintain.  the change they made makes the libxpm code in lesstif
far more maintainable for the future than what it was.

so anyway, i stand by the massive cvs patch.  i thought it was the lesser of the
lesstif evils.

thanks for QA'ing it. :)



------- Additional Comments From bugzilla.fedora.us@beej.org 2005-01-08 12:26:52 ----



*** This bug has been marked as a duplicate of 2344 ***



------- Additional Comments From dom@earth.li 2005-01-08 15:33:52 ----

Why was this bug marked a duplicate of the PHP one? The problems are entirely
different.



------- Additional Comments From bugzilla.fedora.us@beej.org 2005-01-09 12:45:54 ----

it was a mistake.  i was trying to mark bug 2141 as a dupe of bug 2344.

sorry about that...



------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-09 16:16:13 ----

Packages were pushed to updates-testing.



------- Additional Comments From pekkas@netcore.fi 2005-02-21 22:54:36 ----

QA:
 - GPG signature OK
 - rpm-build-compare on the binaries looks reasonable
 - installing works fine

Unfortunately, I couldn't find _any_ applications which would use lesstif
(all of them already use openmotif), so I couldn't test how well this works
or not, but I'll give this:

+ 70% PUBLISH RHL9

This should be good enough if some other dist version is properly verified..

acd0cd8114977e042b846ed551dc3bbc4bceb5da  lesstif-0.93.36-3.2.legacy.i386.rpm
2214729452e380e0d7f792a44fb319f570b8cb92  lesstif-devel-0.93.36-3.2.legacy.i386.rpm




------- Additional Comments From pekkas@netcore.fi 2005-02-21 23:00:54 ----

Sigh.  My PUBLISH above should have been VERIFY, of course..



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:28 -------

This bug previously known as bug 2142 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2142
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Pekka Savola 2005-06-29 05:09:09 EDT
I'll mark RHL9 verified so we can move on with this unless others found problems
with it..
Comment 2 Pekka Savola 2005-07-27 01:48:45 EDT
I fear we need new packages for the new issues, see #135081..
Comment 3 Marc Deslauriers 2005-07-27 18:55:15 EDT
Here are updated packages for rh73, rh9 and fc1:


Changelog:
* Wed Jul 27 2005 Marc Deslauriers <marcdeslauriers@videotron.ca> 0.93.36-4.3.legacy
- Use the RHEL patches for CAN-2004-0667, CAN-2004-0668 and CAN-2004-0914
- fixed possible libXpm overflows (CAN-2005-0605)

http://www.infostrategique.com/linuxrpms/legacy/7.3/lesstif-0.93.18-2.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/lesstif-0.93.36-3.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/lesstif-0.93.36-4.3.legacy.src.rpm

Comment 4 Pekka Savola 2005-07-28 02:24:34 EDT
I'll also move the tracking of FC2 here..

QA w/ rpm-build-compare.sh:
 - spec file changes minimal
 - source integrity good
 - patches identical to RHEL21
 
+PUBLISH RHL73, RHL9, FC1
 
470a3ff220ba45d43c9a194860569a4f9523ab25  lesstif-0.93.18-2.3.legacy.src.rpm
363af3ebc117eb7ccb15348d780add61cffcffb5  lesstif-0.93.36-3.3.legacy.src.rpm
0b3aea406881dd78a610f53c84cf74237d6efa0b  lesstif-0.93.36-4.3.legacy.src.rpm
Comment 5 Pekka Savola 2005-07-28 02:25:42 EDT
*** Bug 135081 has been marked as a duplicate of this bug. ***
Comment 6 Marc Deslauriers 2005-11-18 00:35:05 EST
Packages were pushed to updates-testing.
Comment 7 Eric Jon Rostetter 2005-11-18 15:30:32 EST
++VERIFY for RHL 9
                                                                                
Package: lesstif-0.93.36-3.3.legacy.i386.rpm
SHA1 checksum a4a8e6e888234cb0751800c181430db4c7b524e6 verifies okay.
                                                                                
Package: lesstif-devel-0.93.36-3.3.legacy.i386.rpm
SHA1 checksum 0804ad3304bf12be7f1ab71a463e980f4ea17975 verifies okay.
 
Both packages installed fine.  Tested some programs which depend on
lesstif and all seem to work fine.
 
Vote for release for RHL 9  ++VERIFY
 
Comment 8 Pekka Savola 2005-11-18 15:37:27 EST
Thanks!
Comment 9 Pekka Savola 2005-12-17 01:53:34 EST
Timeout over.
Comment 10 Marc Deslauriers 2006-01-09 20:19:05 EST
Packages were released to updates.
