Extracts from bug 71642:
libXpm is a library for manipulating pixmaps used by the X Window
System. After the release of the X11R6.8.1 security release, a more
extensive security audit was made.
Several integer overflows and out-of-bounds memory accesses have been
identified and fixed, a path traversal has been fixed and shell command
execution has been made more secure. This new fix also addresses possible
endless loops and memory leaks. These vulnerabilities may allow an
application linking against libXpm to crash, to become unusable, or to
execute other code of a user running an application linked against libXpm.
All X.Org releases up to and including R6.8.1 are vulnerable. Products like
XFree86, lesstif and OpenMotif, which include libXpm are likely to be
This is something we should verify.
CAN-2004-0914 patch needs to be applied. In file lesstif-0.93.97/lib/Xm-2.1/Xpm.c are unpatched functions, so I think lesstif is vulnerable and has to be fixed, too.
For example right at the start:
LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors));
LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, unsigned int ncolors));
Heinrich, you did the last security bump, please advise.
lesstif 0.94 fixes all the Xpm thingies. A bump to that version will solve this bug.
lesstif-0.94.0 is now in portage
arches, pls test and mark stable...
current KEYWORDS="~x86 ~ppc ~sparc ~amd64 ~ppc64 ~hppa ~alpha ~ppc-macos"
target KEYWORDS="x86 ppc sparc amd64 ppc64 hppa ~alpha ppc-macos"
use lesstif-0.94.0.ebuild for now, -r1 is hardmasked to switch to virtual/motif later
stable on x86 and amd64
removing x86 too since lanius marked it..
stable on ppc64
Stable on ppc. Sorry for the delay.
hppa, ppc-macos: please mark stable to benefit from GLSA
Already stable on hppa