Bugzilla Bug 88742

A new XV Jumbo-patches version has been released that fixes security issues:

20050410:
 - fix for YCbCr oversaturated-green bug(s) in TIFF decoder (GRR)
 - provisional fix for contiguous tiled TIFFs with bottom-* orientation (GRR)
 - fixes for gcc 3.3 -Wall warnings (GRR)
 - fix for incorrect 16/24-bit display of xwd dumps (SJT)
 - *SECURITY* fix for multiple input-validation bugs (OpenBSD/SuSE, Gentoo, GRR)
   (this also completes the partial mktemp() security fix listed above)
 - fix for (probable) 24-bit endianness bug in fixpix code (GRR)

We should include those fixes in our XV patches...

*** Bug 86894 has been marked as a duplicate of this bug. ***

Good luck, Tavis :)

...

Additional issues discovered while merging Greg's patches:

xvpds.c: at least a few dozen obviously exploitable overflows in the processing
    and manipulation of pds comments (starting around line ~400, you can't
    miss them, sscanf(), strcat() (line ~452, a few more starting ~650), etc)
xvpds.c: format string issues, via SetISTR() (around line ~665)
xvtiff.c: format string issue parsing errors returned from tiff
xvps.c: insufficient shell metacharacter protection from malformed filenames
    (if invoking xv via mailcap, pluggerrc, etc).
xv.c: ditto
xvdir.c: uses system ("rm -rf %s") without quoting.

My confidence in the code is fairly low, these issues were easy to spot, and spending lots of time fixing proprietary software for free isnt much fun (no matter how much i'm fond of the package).

There's probably more, a patch is attached for the things I could see, should we consider masking it? 

Created an attachment (id=56036) [details]
quick patch for some issues

Created an attachment (id=56161) [details]
patch cleaned up by werner fink of suse.

xv-3.10a-r11 has been committed.

Arches, please test and mark stable (if stable)

stable on amd64

sparc done.

Stable on ppc.

stable on ppc64

Er...judging by the massive spike in bandwidth on my site on 2005-04-15 
(virtually all of which was via the same version of wget (1.9.1) and with
no referrer), I'm guessing y'all might be "emerging" directly off of the
bzip2 archive there.  That's OK--it probably should have occurred to me
that this might happen--but insofar as it's about to start costing me
actual money, it will break as soon as freshmeat updates their links.
The new location is on SourceForge, and the links are already updated
on the URL listed above, so feel free to change yours accordingly at
any time.

(And if it wasn't you, then somebody else is going to be in for a surprise
this fine Sunday morning. ;-) )

Thanks, 
  Greg

P.S.  http://pobox.com/~newt/greg_xv.html is a safer long-term URL.

Greg: Apologies, fetching from the upstream distribution site is only supposed
to be a last resort, we have a mirroring system that should automatically fetch
the tarball and prevent that from happening, apparently there was a lag before
that kicked in and caused a bandwidth spike for you.

I've manually moved it onto our mirror system, so that should stop very soon,
very sorry about that :)

Not a problem, Tavis, but thanks for the quick response anyway!

Stable on alpha.

Stable on ia64."

GLSA 200504-17

hppa, mips, ppc-macos please remember to mark stable to benifit from GLSA.

ppc-macos would love to mark it stable, but that would be assuming it works
first, which it does not.
We're working on it.

Marked stable. Sorry about the delay - our strategic lead had indicated that he
would take care of this.

Stable on hppa

marked xv-3.10a-r12 ppc-macos stable