sync code with last improvements from OpenBSD

2023-10-26 22:50:19 +00:00 · 2023-10-26 22:50:19 +00:00 · 68fa196282
commit 68fa196282
parent e1ec829e63
30 changed files with 268 additions and 1060 deletions
--- a/lib/libXpm/ChangeLog
+++ b/lib/libXpm/ChangeLog
@ -1,3 +1,128 @@
+commit a154f12b6e56f131bd5880fc96f11615ff940b29
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Tue Oct 3 08:43:57 2023 -0700
+
+    libXpm 3.5.17
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 91f887b41bf75648df725a4ed3be036da02e911e
+Author: Yair Mizrahi <yairm@jfrog.com>
+Date:   Thu Sep 7 16:59:07 2023 -0700
+
+    Avoid CVE-2023-43787 (integer overflow in XCreateImage)
+    
+    This doesn't fix the CVE - that has to happen in libX11, this
+    just tries to avoid triggering it from libXpm, and saves time
+    in not pretending we can successfully create an X Image for
+    which the width * depth would overflow the signed int used to
+    store the bytes_per_line value.
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 00348988396c88150f6ddfea3d3195cbf01d60c2
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Thu Sep 7 16:55:25 2023 -0700
+
+    test: Add test case for CVE-2023-43787 (integer overflow in XCreateImage)
+    
+    Provided by Yair Mizrahi of the JFrog Vulnerability Research team
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 84fb14574c039f19ad7face87eb9acc31a50701c
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Wed Sep 6 17:34:33 2023 -0700
+
+    Avoid CVE-2023-43786: stack exhaustion in XPutImage()
+    
+    This doesn't fix the CVE - that has to happen in libX11, this
+    just tries to avoid triggering it from libXpm, and saves time
+    in not pretending we can successfully create an X11 pixmap with
+    dimensions larger than the unsigned 16-bit integers used in the
+    X11 protocol for the dimensions.
+    
+    Reported by Yair Mizrahi of the JFrog Vulnerability Research team
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit edb97396620f019f8d2e707ad3fbaf6bbbd5ed36
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Tue Sep 5 17:01:58 2023 -0700
+
+    test: Add test case for CVE-2023-43786 (stack exhaustion in PutImage)
+    
+    Provided by Yair Mizrahi of the JFrog Vulnerability Research team
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 7e21cb63b9a1ca760a06cc4cd9b19bbc3fcd8f51
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Apr 29 18:30:34 2023 -0700
+
+    Fix CVE-2023-43789: Out of bounds read on XPM with corrupted colormap
+    
+    Found with clang's libfuzzer
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit a21e7bcf0ca3d8c1605b2721a545440260870438
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Apr 29 18:29:29 2023 -0700
+
+    test: Add test case for CVE-2023-43789 (corrupt colormap info)
+    
+    Generated by clang's -fsanitize/libfuzzer
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 2fa554b01ef6079a9b35df9332bdc4f139ed67e0
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Apr 29 17:50:39 2023 -0700
+
+    Fix CVE-2023-43788: Out of bounds read in XpmCreateXpmImageFromBuffer
+    
+    When the test case for CVE-2022-46285 was run with the Address Sanitizer
+    enabled, it found an out-of-bounds read in ParseComment() when reading
+    from a memory buffer instead of a file, as it continued to look for the
+    closing comment marker past the end of the buffer.
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 7f60f3428aa21d5d643eb75bfd9417cfabf48970
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Tue Sep 5 17:35:55 2023 -0700
+
+    Explicitly mark non-static symbols as export or hidden
+    
+    Hides private API from external linkage
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 2695ccda5df58af60ebb15bb17f1570437554adb
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat May 20 13:47:52 2023 -0700
+
+    test: use g_pattern_spec_match_string if available
+    
+    g_pattern_spec_match_string was introduced in glib 2.70 to replace
+    g_pattern_match_string which is deprecated in glib 2.70 and later.
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 4524c578581b427145ae136844fc655a89e94777
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Mon Mar 27 18:35:46 2023 -0700
+
+    Set close-on-exec when opening files
+    
+    Relies on platforms with O_CLOEXEC support following POSIX requirement
+    to not copy the close-on-exec flag to the new fd in dup2(), but to leave
+    it unset instead, since that's how fd's are passed to child processes
+    to handled compressed files.
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
 commit f131de92d6c4e2f62934e85b012287276ecf009c
 Author: Matt Turner <mattst88@gmail.com>
 Date:   Mon Apr 17 15:22:35 2023 -0400
@ -1666,6 +1791,9 @@ Date:   Tue Sep 21 17:57:35 2004 +0000
    Removed inclusion of unnecessary kernel header on Linux. This may fail in
        an -ansi environment.

+Notes:
+    Fixes CVE-2004-0687 (integer overflows) and CVE-2004-0688 (stack overflows)
+
 commit 2773a7214e282f6f673483f5233b880505947c3f
 Author: Egbert Eich <eich@suse.de>
 Date:   Fri Apr 23 18:42:32 2004 +0000