With an unsigned i a buffer overflow will occur in loops like for( i-- >= 0) { copy something }.
Created attachment 52321 [details, diff] xpm-sec10.diff
Yeah, I know. =\ Have you checked whether that patch applies cleanly to our stuff?
No, I haven't checked and don't think koon has either.
Patch applies cleanly to 6.8.0 with : $ cd xc/extras/Xpm/lib/ $ patch -p0 < ~/xpm-sec10.diff patching file scan.c patching file create.c
Donnie: what's your timeframe on this ? I would like to know if I let the OpenMotif/LessTif advisories out or (if you're close) wait for Xorg to be ready and issue one for all...
I can do it this weekend, hopefully tomorrow sometime, but not today.
6.8.0-r5 and 6.8.2-r1 are in portage with the fix. Arches that need to stable 6.8.2-r1: ppc ppc64 Arches that need to stable 6.8.0-r5 or (at their option) 6.8.2-r1 instead: everyone else -- x86 sparc alpha amd64 hppa arm mips ia64 The 6.7.0 series is not going to be fixed and will be pulled from portage, as will 6.8.0-r{3,4}, once the above is stable.
Arches, please mark stable, following comment #7
6.8.2-r1 is stable on ppc.
stable on ppc64
Stable on amd64.
Stable on alpha.
mips good
x86, sparc, amd64 please mark stable.
woops, sorry kugelfang.
6.8.2-r1 is stable for sparc.
Stabled 6.8.0-r5 on x86.
GLSA 200503-15 arm/hppa/ia64, please mark stable to benefit from GLSA.
Already stable on hppa