Bug 83655 - x11-libs/openmotif: new XPM lib vulnerability (CAN-2005-0605)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: https://bugs.freedesktop.org/show_bug...
Whiteboard: B2 [glsa]
Reported: 2005-03-01 03:02 UTC by Thierry Carrez (RETIRED)
Modified: 2005-08-15 21:40 UTC
Description Thierry Carrez (RETIRED) gentoo-dev 2005-03-01 03:02:47 UTC
With an unsigned i a buffer overflow will occur in loops
like for( i-- >= 0) { copy something }.

Original Patch can be found on bug 83598, though it might require adaptation.
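
The loop shape named in the description above, as an added C example (not code from the XPM library, openmotif, or the patch referenced in this bug). The function names, the 4-byte buffers and the GUARD cap are constructed for the demonstration; the guard keeps the flawed loop from actually indexing out of bounds.

```c
#include <stdio.h>
#include <string.h>

/* Constructed cap: stops the flawed loop early so this demonstration never
 * actually indexes outside its buffers. */
#define GUARD 16u

/* Flawed shape from the description: an unsigned i is never negative, so
 * `i-- >= 0` is always true. After i reaches 0 it wraps to UINT_MAX and the
 * loop keeps going. Returns how many out-of-range indices were reached
 * before the guard stopped it. */
unsigned flawed_copy(unsigned char *dst, const unsigned char *src, unsigned n)
{
    unsigned i = n, iterations = 0, out_of_range = 0;
    while (i-- >= 0) {
        if (iterations++ == GUARD)
            break;
        if (i < n)
            dst[i] = src[i];
        else
            out_of_range++;      /* an unguarded loop would copy here */
    }
    return out_of_range;
}

/* Corrected shape: `i-- > 0` tests the value before the decrement, so the
 * last pass runs with i == 0 and the loop then stops. Returns bytes copied. */
unsigned fixed_copy(unsigned char *dst, const unsigned char *src, unsigned n)
{
    unsigned i = n, copied = 0;
    while (i-- > 0) {
        dst[i] = src[i];
        copied++;
    }
    return copied;
}

int main(void)
{
    const unsigned char src[4] = { 'x', 'p', 'm', '!' };  /* constructed input */
    unsigned char dst[4] = { 0 };

    printf("flawed: %u out-of-range indices before guard\n",
           flawed_copy(dst, src, 4));
    printf("fixed:  %u bytes copied, match=%d\n",
           fixed_copy(dst, src, 4), memcmp(dst, src, 4) == 0);
    return 0;
}
```

Compilers report the always-true comparison in the flawed loop when type-limit warnings are enabled (for example `-Wextra` in GCC).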
Comment 1 Carsten Lohrke (RETIRED) gentoo-dev 2005-03-01 04:37:34 UTC
*** Bug 83656 has been marked as a duplicate of this bug. ***
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-03-02 08:44:59 UTC
Patch for lesstif (http://bugs.gentoo.org/attachment.cgi?id=52465&action=view) applies to 2.2.3 and 2.1.30:

$ cd openMotif-2.2.3/lib/Xm
$ patch -p3 < ~/lesstif-CAN-2005-0605.patch
patching file Xpmscan.c
Hunk #1 succeeded at 594 (offset -78 lines).
Hunk #2 succeeded at 606 (offset -78 lines).
patching file Xpmcreate.c
Hunk #1 succeeded at 1171 (offset -94 lines).

$ cd motif/lib/Xm
$ patch -p3 < ~/lesstif-CAN-2005-0605.patch
patching file Xpmscan.c
Hunk #1 succeeded at 589 (offset -83 lines).
Hunk #2 succeeded at 601 (offset -83 lines).
patching file Xpmcreate.c
Hunk #1 succeeded at 1166 (offset -99 lines).
Comment 3 Heinrich Wendel (RETIRED) gentoo-dev 2005-03-02 09:00:26 UTC
applied in openmotif-2.2.3-r3 and openmotif-2.1.30-r9, please test these (not openmotif-2.2.3-r4 and openmotif-2.1.30-r10!!!!!)
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-03-02 09:24:47 UTC
Arches, please test and mark stable openmotif-2.2.3-r3 and openmotif-2.1.30-r9 (and not the revision above).
Comment 5 Heinrich Wendel (RETIRED) gentoo-dev 2005-03-02 09:29:10 UTC
done for amd64/x86
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2005-03-02 11:42:21 UTC
stable on ppc64
Comment 7 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-03-02 14:11:55 UTC
Stable on ppc.
Comment 8 Lina Pezzella (RETIRED) gentoo-dev 2005-03-02 15:59:00 UTC
Stable ppc-macos.
Comment 9 Jason Wever (RETIRED) gentoo-dev 2005-03-02 19:56:21 UTC
Stable on SPARC.
Comment 10 Bryan Østergaard (RETIRED) gentoo-dev 2005-03-03 11:49:36 UTC
Stable on alpha.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-03-04 06:23:41 UTC
GLSA 200503-08
arm hppa ia64 mips: please mark stable to benefit from GLSA
Comment 12 Hardave Riar (RETIRED) gentoo-dev 2005-03-13 17:09:25 UTC
Stable on mips.
Comment 13 René Nussbaumer (RETIRED) gentoo-dev 2005-06-26 06:07:30 UTC
Already stable on hppa