Opened 7 months ago

Closed 7 months ago

#18671 closed enhancement (fixed)

libXpm-3.5.17

Reported by: Xi Ruoyao
Owned by: Douglas R. Reno
Priority: elevated
Milestone: 12.1
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New patch version with security fixes for CVE-2023-43788 and CVE-2023-43789.

Change History (4)

comment:1 by Xi Ruoyao, 7 months ago

This release contains fixes for the issues reported in today's security advisory: https://lists.x.org/archives/xorg-announce/2023-October/003424.html

Alan Coopersmith (10):

  • Set close-on-exec when opening files
  • test: use g_pattern_spec_match_string if available
  • Explicitly mark non-static symbols as export or hidden
  • Fix CVE-2023-43788: Out of bounds read in XpmCreateXpmImageFromBuffer
  • test: Add test case for CVE-2023-43789 (corrupt colormap info)
  • Fix CVE-2023-43789: Out of bounds read on XPM with corrupted colormap
  • test: Add test case for CVE-2023-43786 (stack exhaustion in PutImage)
  • Avoid CVE-2023-43786: stack exhaustion in XPutImage()
  • test: Add test case for CVE-2023-43787 (integer overflow in XCreateImage)
  • libXpm 3.5.17

Yair Mizrahi (1):

  • Avoid CVE-2023-43787 (integer overflow in XCreateImage)

comment:2 by Douglas R. Reno, 7 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:3 by Douglas R. Reno, 7 months ago

The first part of this is in #18670

4) CVE-2023-43788 libXpm: out of bounds read in XpmCreateXpmImageFromBuffer()

Introduced in: unknown - prior to xpm-3.4k [released 1998]
Fixed in: libXpm 3.5.17
Found by: Alan Coopersmith of Oracle Solaris Engineering
Fixed by: Alan Coopersmith of Oracle Solaris Engineering

When the test case for CVE-2022-46285 (fixed in libXpm 3.5.15) was run
with the Address Sanitizer enabled, it found an out-of-bounds read in
ParseComment() when reading from a memory buffer instead of a file, as
it continued to look for the closing comment marker past the end of the
buffer.

Fix:
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/2fa554b01ef6079a9b35df9332bdc4f139ed67e0

5) CVE-2023-43789 libXpm: out of bounds read on XPM with corrupted colormap

Introduced in: unknown - prior to xpm-3.4k [released 1998]
Fixed in: libXpm 3.5.17
Found by: Alan Coopersmith of Oracle Solaris Engineering
Fixed by: Alan Coopersmith of Oracle Solaris Engineering

Fuzzing with clang's -fsanitize/libfuzzer generated an XPM file with a
corrupted colormap section which caused libXpm to read out of bounds.

Fix:
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/7e21cb63b9a1ca760a06cc4cd9b19bbc3fcd8f51

----------------------------------------------------------------------------
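The failure mode in item 4 above is a scanner that keeps looking for the closing comment marker after the in-memory buffer has run out, because a memory buffer, unlike a file, has no EOF to stop it. The following is an added illustration written for this ticket page, not libXpm's ParseComment() or any other code from the project: a hypothetical comment stripper that carries the buffer length explicitly, checks it before every byte it touches, and reports a truncated comment as an error instead of scanning on. The function names (strip_comments, strip_to_scratch, scratch_text) and the sample inputs are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, not libXpm code: copy an in-memory XPM-style text into
   `out`, dropping C-style comments, while never reading past `len` bytes
   of `in`. There is no NUL sentinel to rely on; `len` is the only bound.
   Returns bytes written, -1 if the input ends inside an unterminated
   comment, or -2 if `out` is too small. */
long strip_comments(const char *in, size_t len, char *out, size_t outlen)
{
    size_t i = 0, o = 0;
    while (i < len) {
        /* A comment opener needs two bytes; check both are inside `len`. */
        if (i + 1 < len && in[i] == '/' && in[i + 1] == '*') {
            size_t j = i + 2;
            int closed = 0;
            /* Every iteration checks j + 1 < len before touching in[j + 1],
               so a buffer that ends mid-comment stops the loop instead of
               letting the scan run off the end of the allocation. */
            while (j + 1 < len) {
                if (in[j] == '*' && in[j + 1] == '/') {
                    closed = 1;
                    break;
                }
                j++;
            }
            if (!closed)
                return -1;      /* truncated comment: fail, do not keep scanning */
            i = j + 2;          /* resume just past the closing marker */
            continue;
        }
        if (o >= outlen)
            return -2;
        out[o++] = in[i++];
    }
    return (long)o;
}

static char scratch[64];

/* Convenience wrapper: strip into a static buffer and NUL-terminate it. */
long strip_to_scratch(const char *in, size_t len)
{
    long n = strip_comments(in, len, scratch, sizeof scratch - 1);
    scratch[n > 0 ? n : 0] = '\0';
    return n;
}

const char *scratch_text(void)
{
    return scratch;
}

int main(void)
{
    /* Constructed sample inputs; the second is cut off inside a comment,
       modelling a buffer that ends before the closing marker is seen. */
    const char ok[]  = "/* XPM */ static char *x[] = { \"1 1 1 1\" };";
    const char cut[] = "/* XPM */ static char *x[] = { /* colormap";
    long n = strip_to_scratch(ok, sizeof ok - 1);
    printf("ok:  %ld bytes -> \"%s\"\n", n, scratch_text());
    n = strip_to_scratch(cut, sizeof cut - 1);
    printf("cut: %ld (negative = unterminated comment, parse stops)\n", n);
    return 0;
}
```

The point of the design is that the length travels with the buffer and is consulted before each read; a parser written for files often leans on EOF or a terminating NUL, and reusing that logic for a caller-supplied memory buffer is exactly where an over-read like this one appears.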

comment:4 by Douglas R. Reno, 7 months ago

Resolution: fixed
Status: assigned → closed

Fixed at ed5f665e6125fe52dc3fc7ab0b3b127e17e66c92

SA-12.0-020 issued
