Extracts from bug 71642:
=====================================================================
libXpm is a library for manipulating pixmaps used by the X Window System. After the release of the X11R6.8.1 security release, a more extensive security audit was made. Several integer overflows and out-of-bounds memory accesses have been identified and fixed, a path traversal has been fixed and shell command execution has been made more secure. This new fix also addresses possible endless loops and memory leaks. These vulnerabilities may allow an application linking against libXpm to crash, to become unusable, or to execute other code of a user running an application linked against libXpm. All X.Org releases up to and including R6.8.1 are vulnerable. Products like XFree86, lesstif and OpenMotif, which include libXpm, are likely to be affected.
============================================================
This is something we should verify.
CAN-2004-0914 patch needs to be applied. In file lesstif-0.93.97/lib/Xm-2.1/Xpm.c are unpatched functions, so I think lesstif is vulnerable and has to be fixed, too. For example, right at the start:
LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors));
should be
LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, unsigned int ncolors));
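To show why the signed-to-unsigned change in the comment above matters, here is an added example (constructed for this page, not libXpm's or lesstif's code) that parses the XPM "values" line ("<width> <height> <ncolors> <chars_per_pixel>") into unsigned fields with explicit ceilings and checks the colour-table allocation size for overflow; the XPM_MAX_* limits and function names are assumptions, not the library's.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed example, not libXpm's parser: every count that later sizes an
 * allocation or bounds a loop is stored unsigned and range-checked here. */
typedef struct {
    unsigned int width, height, ncolors, cpp;
} XpmValues;

/* Hypothetical ceilings; the real library's limits are not on the page. */
#define XPM_MAX_DIM    (1u << 15)
#define XPM_MAX_COLORS (1u << 16)
#define XPM_MAX_CPP    8u

/* Parse one field in [1, max]. Returns 0 on success, -1 on a missing,
 * signed, non-numeric or out-of-range token. Rejecting the sign explicitly
 * catches "-1", which an int-typed field would have accepted silently. */
static int parse_field(const char **p, unsigned int max, unsigned int *out)
{
    char *end;
    long v;
    while (**p == ' ' || **p == '\t') (*p)++;
    if (**p == '-' || **p == '+') return -1;
    errno = 0;
    v = strtol(*p, &end, 10);
    if (end == *p || errno == ERANGE || v < 1 || (unsigned long)v > max)
        return -1;
    *out = (unsigned int)v;
    *p = end;
    return 0;
}

/* Returns 0 and fills *v on success, -1 if any field is rejected. */
int xpm_parse_values(const char *line, XpmValues *v)
{
    const char *p = line;
    if (parse_field(&p, XPM_MAX_DIM, &v->width) ||
        parse_field(&p, XPM_MAX_DIM, &v->height) ||
        parse_field(&p, XPM_MAX_COLORS, &v->ncolors) ||
        parse_field(&p, XPM_MAX_CPP, &v->cpp))
        return -1;
    return 0;
}

/* Byte size of a colour table of ncolors entries, or 0 when the product
 * would wrap in size_t (the integer-overflow class the advisory describes). */
size_t xpm_table_bytes(unsigned int ncolors, size_t entry_size)
{
    if (ncolors != 0 && entry_size > SIZE_MAX / ncolors) return 0;
    return (size_t)ncolors * entry_size;
}
```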
Heinrich you did the last security bump, please advise.
lesstif 0.94 fixes all the Xpm thingies. A bump to that version will solve this bug.
lesstif-0.94.0 is now in portage
arches, please test and mark stable... lesstif-0.94.0-r1.ebuild:
current KEYWORDS="~x86 ~ppc ~sparc ~amd64 ~ppc64 ~hppa ~alpha ~ppc-macos"
target KEYWORDS="x86 ppc sparc amd64 ppc64 hppa ~alpha ppc-macos"
use lesstif-0.94.0.ebuild for now, -r1 is hardmasked to switch to virtual/motif later
stable on x86 and amd64
removing x86 too since lanius marked it.
sparc'd
stable on ppc64
Stable on ppc. Sorry for the delay.
GLSA 200502-06
hppa, ppc-macos: please mark stable to benefit from the GLSA
Already stable on hppa