
Bug 83598

Summary: x11-base/xorg-x11: More XPM issues (CAN-2005-0605)
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: major
CC: mgorny, wolf31o2, x11
Priority: High
Version: unspecified
Hardware: All
OS: All
Whiteboard: A2 [glsa] jaervosz
Package list:
Runtime testing required: ---
Attachment: xpm-sec10.diff (flags: none)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-28 13:16:29 UTC
With an unsigned i a buffer overflow will occur in loops
like for( i-- >= 0) { copy something }.
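
The loop class named in the description, as an added example that is not part of the original bug report and is not taken from xpm-sec10.diff. The loop form, function names and the `CAP` guard are constructed for illustration; the broken variant only counts out-of-range iterations and touches no memory.

```c
#include <stddef.h>
#include <stdio.h>

#define CAP 8u /* demo guard: stop the broken loop after 8 bad iterations */

/* Broken pattern (constructed): countdown with an unsigned counter.
 * `i >= 0` is always true for unsigned i, so after i == 0 the decrement
 * wraps to UINT_MAX and the loop keeps going. No memory is touched here;
 * the function only counts iterations whose index fell outside [0, n). */
unsigned out_of_range_iterations(unsigned n)
{
    unsigned i, bad = 0, steps = 0;
    for (i = n - 1; i >= 0; i--) {      /* never false */
        if (steps++ == n + CAP)
            break;                      /* demo guard only */
        if (i >= n)
            bad++;                      /* a real copy would overflow here */
    }
    return bad;
}

/* Hardened form: test before decrementing so the index never wraps,
 * and refuse to copy more than the destination holds.
 * Returns the number of bytes copied, or -1 if dst is too small. */
long copy_reversed(unsigned char *dst, size_t dst_len,
                   const unsigned char *src, size_t n)
{
    size_t i;
    if (n > dst_len)
        return -1;
    for (i = n; i-- > 0; )
        dst[n - 1 - i] = src[i];
    return (long)n;
}

int main(void)
{
    unsigned char out[4] = {0};
    printf("bad iterations, n=3: %u\n", out_of_range_iterations(3));
    printf("bad iterations, n=0: %u\n", out_of_range_iterations(0));
    printf("safe copy: %ld\n", copy_reversed(out, sizeof out, (const unsigned char *)"abc", 3));
    printf("too small: %ld\n", copy_reversed(out, 2, (const unsigned char *)"abc", 3));
    return 0;
}
```

Building with `-Wextra` makes GCC flag the always-true comparison through `-Wtype-limits`, which is a cheap way to find this pattern in a code base.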
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-28 13:17:36 UTC
Created attachment 52321
Comment 2 Donnie Berkholz (RETIRED) gentoo-dev 2005-03-01 08:13:54 UTC
Yeah, I know. =\ Have you checked whether that patch applies cleanly to our stuff?
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-01 08:39:24 UTC
No, I haven't checked and don't think koon has either.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-03-02 08:52:12 UTC
Patch applies cleanly to 6.8.0 with:

$ cd xc/extras/Xpm/lib/
$ patch -p0 < ~/xpm-sec10.diff
patching file scan.c
patching file create.c
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-03-03 02:49:00 UTC
Donnie: what's your timeframe on this? I would like to know if I let the OpenMotif/LessTif advisories out or (if you're close) wait for Xorg to be ready and issue one for all...
Comment 6 Donnie Berkholz (RETIRED) gentoo-dev 2005-03-03 12:57:14 UTC
I can do it this weekend, hopefully tomorrow sometime, but not today.
Comment 7 Donnie Berkholz (RETIRED) gentoo-dev 2005-03-05 11:07:23 UTC
6.8.0-r5 and 6.8.2-r1 are in portage with the fix.

Arches that need to stable 6.8.2-r1:
ppc ppc64

Arches that need to stable 6.8.0-r5 or (at their option) 6.8.2-r1 instead:
everyone else -- x86 sparc alpha amd64 hppa arm mips ia64

The 6.7.0 series is not going to be fixed and will be pulled from portage, as will 6.8.0-r{3,4}, once the above is stable.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-03-06 02:03:16 UTC
Arches, please mark stable, following comment #7
Comment 9 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-03-06 04:05:39 UTC
6.8.2-r1 is stable on ppc.
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2005-03-06 09:53:43 UTC
stable on ppc64
Comment 11 Danny van Dyk (RETIRED) gentoo-dev 2005-03-06 10:58:02 UTC
Stable on amd64.
Comment 12 Bryan Østergaard (RETIRED) gentoo-dev 2005-03-07 15:35:34 UTC
Stable on alpha.
Comment 13 Stephen Becker (RETIRED) gentoo-dev 2005-03-09 06:02:09 UTC
mips good
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-09 13:10:07 UTC
x86, sparc, amd64 please mark stable.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-09 13:12:59 UTC
woops, sorry kugelfang.
Comment 16 Ferris McCormick (RETIRED) gentoo-dev 2005-03-10 14:30:54 UTC
6.8.2-r1 is stable for sparc.
Comment 17 Donnie Berkholz (RETIRED) gentoo-dev 2005-03-10 19:22:29 UTC
Stabled 6.8.0-r5 on x86.
Comment 18 Luke Macken (RETIRED) gentoo-dev 2005-03-12 10:37:21 UTC
GLSA 200503-15

arm/hppa/ia64, please mark stable to benefit from GLSA.
Comment 19 René Nussbaumer (RETIRED) gentoo-dev 2005-06-26 06:02:04 UTC
Already stable on hppa