Bug#: 78483
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Thierry Carrez (RETIRED) <koon@gentoo.org>

Description:   Opened: 2005-01-18 02:34 0000
Extracts from bug 71642:

=====================================================================
libXpm is a library for manipulating pixmaps used by the X Window
System.  After the release of the X11R6.8.1 security release, a more
extensive security audit was made. 

Several integer overflows and out-of-bounds memory accesses have been
identified and fixed, a path traversal has been fixed and shell command 
execution has been made more secure. This new fix also addresses possible 
endless loops and memory leaks. These vulnerabilities may allow an 
application linking against libXpm to crash, to become unusable, or to 
execute other code of a user running an application linked against libXpm.

All X.Org releases up to and including R6.8.1 are vulnerable. Products like 
XFree86, lesstif and OpenMotif, which include libXpm, are likely to be 
affected.
============================================================

This is something we should verify.

------- Comment #1 From Stefan Cornelius (RETIRED) 2005-01-19 08:25:48 0000 -------
CAN-2004-0914 patch needs to be applied. In file
lesstif-0.93.97/lib/Xm-2.1/Xpm.c there are unpatched functions, so I think
lesstif is vulnerable and has to be fixed, too.

For example right at the start:
LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors));
should be
LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, unsigned int ncolors));
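
Added example (not part of the original bug report, and not lesstif or libXpm code): why a signed count such as the "int ncolors" in the prototype above is risky once it feeds a size computation, next to an unsigned, overflow-checked variant. The names color_entry, MAX_COLORS, size_signed, size_checked and alloc_table are hypothetical, and the limit is an assumed value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a color-table entry; not libXpm's XpmColor. */
typedef struct { char *name; char *value; } color_entry;

#define MAX_COLORS 65536 /* assumed policy limit for this example */

/* Signed count: a negative value passes the upper-bound check, then
 * wraps to a huge size when converted to size_t for the multiply. */
int size_signed(int ncolors, size_t *out)
{
    if (ncolors > MAX_COLORS)
        return -1;
    *out = (size_t)ncolors * sizeof(color_entry);
    return 0;
}

/* Unsigned count with an explicit limit and a multiplication-overflow check. */
int size_checked(unsigned int ncolors, size_t elem, size_t *out)
{
    if (ncolors == 0 || ncolors > (unsigned int)MAX_COLORS)
        return -1;
    if (elem != 0 && ncolors > SIZE_MAX / elem)
        return -1;
    *out = (size_t)ncolors * elem;
    return 0;
}

/* Allocate a zeroed table only when the size computation is sound. */
color_entry *alloc_table(unsigned int ncolors)
{
    size_t bytes;
    if (size_checked(ncolors, sizeof(color_entry), &bytes) != 0)
        return NULL;
    return calloc(1, bytes);
}

int main(void)
{
    size_t n = 0;
    int rc = size_signed(-1, &n); /* constructed input */
    printf("signed  -1: rc=%d bytes=%zu\n", rc, n);
    rc = size_checked((unsigned int)-1, sizeof(color_entry), &n);
    printf("checked -1: rc=%d\n", rc);
    return 0;
}
```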

------- Comment #2 From Sune Kloppenborg Jeppesen 2005-01-19 10:56:10 0000 -------
Heinrich, you did the last security bump, please advise.

------- Comment #3 From Thierry Carrez (RETIRED) 2005-01-27 05:39:41 0000 -------
lesstif 0.94 fixes all the Xpm thingies. A bump to that version will solve
this bug.

------- Comment #4 From Heinrich Wendel (RETIRED) 2005-02-01 10:31:16 0000 -------
lesstif-0.94.0 is now in portage

------- Comment #5 From Matthias Geerdsen 2005-02-01 13:20:09 0000 -------
arches, pls test and mark stable...

lesstif-0.94.0-r1.ebuild:
current KEYWORDS="~x86 ~ppc ~sparc ~amd64 ~ppc64 ~hppa ~alpha ~ppc-macos"
target KEYWORDS="x86 ppc sparc amd64 ppc64 hppa ~alpha ppc-macos"

------- Comment #6 From Heinrich Wendel (RETIRED) 2005-02-01 14:06:25 0000 -------
use lesstif-0.94.0.ebuild for now, -r1 is hardmasked to switch to virtual/motif
later

------- Comment #7 From Heinrich Wendel (RETIRED) 2005-02-01 14:07:20 0000 -------
stable on x86 and amd64

------- Comment #8 From Olivier Crete 2005-02-01 14:18:30 0000 -------
removing x86 too since lanius marked it..

------- Comment #9 From Jason Wever (RETIRED) 2005-02-02 04:17:35 0000 -------
sparc'd

------- Comment #10 From Markus Rothe 2005-02-02 11:48:54 0000 -------
stable on ppc64

------- Comment #11 From Michael Hanselmann (hansmi) (RETIRED) 2005-02-04 15:48:56 0000 -------
Stable on ppc. Sorry for the delay.

------- Comment #12 From Thierry Carrez (RETIRED) 2005-02-06 13:12:38 0000 -------
GLSA 200502-06
hppa, ppc-macos: please mark stable to benefit from GLSA

------- Comment #13 From René Nussbaumer 2005-06-26 05:43:00 0000 -------
Already stable on hppa
