A new XV Jumbo-patches version has been released that fixes security issues:

20050410:
- fix for YCbCr oversaturated-green bug(s) in TIFF decoder (GRR)
- provisional fix for contiguous tiled TIFFs with bottom-* orientation (GRR)
- fixes for gcc 3.3 -Wall warnings (GRR)
- fix for incorrect 16/24-bit display of xwd dumps (SJT)
- *SECURITY* fix for multiple input-validation bugs (OpenBSD/SuSE, Gentoo, GRR) (this also completes the partial mktemp() security fix listed above)
- fix for (probable) 24-bit endianness bug in fixpix code (GRR)

We should include those fixes in our XV patches...
*** Bug 86894 has been marked as a duplicate of this bug. ***
Good luck, Tavis :)
...
Additional issues discovered while merging Greg's patches:

xvpds.c: at least a few dozen obviously exploitable overflows in the processing and manipulation of pds comments (starting around line ~400, you can't miss them, sscanf(), strcat() (line ~452, a few more starting ~650), etc)
xvpds.c: format string issues, via SetISTR() (around line ~665)
xvtiff.c: format string issue parsing errors returned from tiff
xvps.c: insufficient shell metacharacter protection from malformed filenames (if invoking xv via mailcap, pluggerrc, etc).
xv.c: ditto
xvdir.c: uses system ("rm -rf %s") without quoting.

My confidence in the code is fairly low, these issues were easy to spot, and spending lots of time fixing proprietary software for free isn't much fun (no matter how much I'm fond of the package). There's probably more, a patch is attached for the things I could see, should we consider masking it?
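Two of the bug classes named in the comment above, an untrusted string reaching a printf-style status routine as the format, and a filename interpolated into system("rm -rf %s"), are shown below beside the shape a maintainer would fix them into. This is an added illustration, not xv's code or the attached patch; set_status, status_from_untrusted and remove_path_noshell are hypothetical stand-ins for SetISTR() and the xvdir.c cleanup, and the temporary file it creates is constructed for the self-check.

```c
/* Added example (not xv's code): the two patterns from the bug report,
 * beside their fixes. All function names here are hypothetical stand-ins. */
#define _XOPEN_SOURCE 700
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

static char status_buf[256];   /* stand-in for the status line SetISTR() fills */

/* Unsafe shape: SetISTR(untrusted) hands file-controlled text to printf as
 * the format, so %n/%x directives in a PDS comment or libtiff error message
 * are interpreted. Safe shape: the format is always a literal and untrusted
 * text is only ever an argument. The attribute makes gcc -Wall -Wformat
 * warn on any caller that passes a non-literal format. */
__attribute__((format(printf, 1, 2)))
static void set_status(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(status_buf, sizeof status_buf, fmt, ap);
    va_end(ap);
}

/* Display a message that came from the image file or from a decoder. */
const char *status_from_untrusted(const char *msg)
{
    set_status("%s", msg);    /* never set_status(msg) */
    return status_buf;
}

/* Unsafe shape: snprintf(cmd, n, "rm -rf %s", path); system(cmd);
 * A name containing ';', '|', '`' or '$' is parsed by /bin/sh as more than
 * one command. Safe shape: no shell at all. rm is exec'd with an argv array,
 * and "--" ends option parsing so a name starting with '-' cannot be read
 * as an option. Returns 0 on success, -1 otherwise. */
int remove_path_noshell(const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/rm", "rm", "-rf", "--", path, (char *)NULL);
        _exit(127);           /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Self-check on constructed input: a file whose name holds shell
 * metacharacters is removed as one plain path, and a message that looks
 * like a format string is displayed verbatim. Returns 1 if both hold. */
int demo_check(void)
{
    char dir[] = "/tmp/xvdemoXXXXXX";        /* constructed scratch directory */
    if (mkdtemp(dir) == NULL)
        return 0;
    char victim[512];
    snprintf(victim, sizeof victim, "%s/%s", dir, "a;b c|d");
    FILE *f = fopen(victim, "w");
    if (!f)
        return 0;
    fclose(f);
    struct stat st;
    int removed = remove_path_noshell(victim) == 0 && stat(victim, &st) != 0;
    rmdir(dir);
    int verbatim = strcmp(status_from_untrusted("%n%n%x"), "%n%n%x") == 0;
    return removed && verbatim;
}

int main(void)
{
    int ok = demo_check();
    printf("%s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The fork/exec replacement is the general fix for every system() call that carries a caller-supplied path, not just the rm in xvdir.c: quoting the filename for the shell is fragile, while an argv array is never re-parsed.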
Created attachment 56036 [details, diff] quick patch for some issues
Created attachment 56161 [details, diff] patch cleaned up by werner fink of suse.
xv-3.10a-r11 has been committed.
Arches, please test and mark stable (if stable)
stable on amd64
sparc done.
Stable on ppc.
stable on ppc64
Er...judging by the massive spike in bandwidth on my site on 2005-04-15 (virtually all of which was via the same version of wget (1.9.1) and with no referrer), I'm guessing y'all might be "emerging" directly off of the bzip2 archive there. That's OK--it probably should have occurred to me that this might happen--but insofar as it's about to start costing me actual money, it will break as soon as freshmeat updates their links. The new location is on SourceForge, and the links are already updated on the URL listed above, so feel free to change yours accordingly at any time. (And if it wasn't you, then somebody else is going to be in for a surprise this fine Sunday morning. ;-) ) Thanks, Greg P.S. http://pobox.com/~newt/greg_xv.html is a safer long-term URL.
Greg: Apologies, fetching from the upstream distribution site is only supposed to be a last resort, we have a mirroring system that should automatically fetch the tarball and prevent that from happening, apparently there was a lag before that kicked in and caused a bandwidth spike for you. I've manually moved it onto our mirror system, so that should stop very soon, very sorry about that :)
Not a problem, Tavis, but thanks for the quick response anyway!
Stable on alpha.
Stable on ia64.
GLSA 200504-17 hppa, mips, ppc-macos please remember to mark stable to benefit from GLSA.
ppc-macos would love to mark it stable, but that would be assuming it works first, which it does not. We're working on it.
Marked stable. Sorry about the delay - our strategic lead had indicated that he would take care of this.
Stable on hppa
marked xv-3.10a-r12 ppc-macos stable