Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 78483 - x11-libs/lesstif Xpm lib vulnerable to CAN-2004-0914
Summary: x11-libs/lesstif Xpm lib vulnerable to CAN-2004-0914
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2005-01-18 02:34 UTC by Thierry Carrez (RETIRED)
Modified: 2005-06-26 05:43 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Thierry Carrez (RETIRED) gentoo-dev 2005-01-18 02:34:58 UTC
Extracts from bug 71642:

libXpm is a library for manipulating pixmaps used by the X Window
System.  After the release of the X11R6.8.1 security release, a more
extensive security audit was made. 

Several integer overflows and out-of-bounds memory accesses have been
identified and fixed, a path traversal has been fixed and shell command 
execution has been made more secure. This new fix also addresses possible 
endless loops and memory leaks. These vulnerabilities may allow an 
application linking against libXpm to crash, to become unusable, or to 
execute other code of a user running an application linked against libXpm.

All X.Org release up to and including R6.8.1 are vulnerable. Products like 
XFree86, lesstif and OpenMotif, which include libXpm are likely to be 

This is something we should verify.
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2005-01-19 08:25:48 UTC
CAN-2004-0914 patch needs to be applied. In file lesstif-0.93.97/lib/Xm-2.1/Xpm.c are unpatched functions so I think lesstif vulnerable and has to be fixed, too.

For example right at the start:
LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors));
should be
LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, unsigned int ncolors));
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-19 10:56:10 UTC
Heinrich you did the last security bump, please advise.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-01-27 05:39:41 UTC
lesstiff 0.94 fixes all the Xpm thingies. A bump to that version will solve this bug.
Comment 4 Heinrich Wendel (RETIRED) gentoo-dev 2005-02-01 10:31:16 UTC
lessitf-0.94.0 is now in portage
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-01 13:20:09 UTC
arches, pls test and mark stable...

current KEYWORDS="~x86 ~ppc ~sparc ~amd64 ~ppc64 ~hppa ~alpha ~ppc-macos"
target KEYWORDS="x86 ppc sparc amd64 ppc64 hppa ~alpha ppc-macos"
Comment 6 Heinrich Wendel (RETIRED) gentoo-dev 2005-02-01 14:06:25 UTC
use lesstif-0.94.0.ebuild for now, -r1 is hardmasked to switch to virtual/motif later
Comment 7 Heinrich Wendel (RETIRED) gentoo-dev 2005-02-01 14:07:20 UTC
stable on x86 and amd64
Comment 8 Olivier Crete (RETIRED) gentoo-dev 2005-02-01 14:18:30 UTC
removing x86 too since lanius marked it..
Comment 9 Jason Wever (RETIRED) gentoo-dev 2005-02-02 04:17:35 UTC
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2005-02-02 11:48:54 UTC
stable on ppc64
Comment 11 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-02-04 15:48:56 UTC
Stable on ppc. Sorry for the delay.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-02-06 13:12:38 UTC
GLSA 200502-06
hppa, ppc-macos: please mark stable to benefit from GLSA
Comment 13 René Nussbaumer (RETIRED) gentoo-dev 2005-06-26 05:43:00 UTC
Already stable on hppa