From: Siddharth Doshi Date: Mon, 16 Oct 2023 14:43:50 +0000 (+0530) Subject: libxpm: upgrade to 3.5.17 X-Git-Tag: 2020-04.29-dunfell~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=47e270a4fd2e086b5ee9f38891f326ce505f2319;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git libxpm: upgrade to 3.5.17 - This upgrade includes multiple security fixes. CVE-2022-4883 CVE-2022-44617 CVE-2022-46285 CVE-2022-44617 CVE-2023-43788 CVE-2023-43789 - Removed CVE-2022-46285 as it is already fixed by this upgrade. - License-update: additional copyright holders f0857c0 man pages: Correct Copyright/License notices Due to this commit LIC_FILES_CHKSUM is changed - Disable reading compressed files as that requires compress/uncompress executables. Following the approach in oe-core/master: 7de4084634 libxpm: upgrade 3.5.14 -> 3.5.15 - Add XORG_EXT to specify tar.xz as upstream has switched from bz2 to xz compression. Signed-off-by: Siddharth Doshi Signed-off-by: Steve Sakoman --- diff --git a/meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch b/meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch deleted file mode 100644 index e8b654dfb2f..00000000000 --- a/meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch +++ /dev/null @@ -1,40 +0,0 @@ -CVE: CVE-2022-46285 -Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/a3a7c6dcc3b629d7650148 ] -Signed-off-by: Lee Chee Yang - -From a3a7c6dcc3b629d765014816c566c63165c63ca8 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith -Date: Sat, 17 Dec 2022 12:23:45 -0800 -Subject: [PATCH] Fix CVE-2022-46285: Infinite loop on unclosed comments - -When reading XPM images from a file with libXpm 3.5.14 or older, if a -comment in the file is not closed (i.e. a C-style comment starts with -"/*" and is missing the closing "*/"), the ParseComment() function will -loop forever calling getc() to try to read the rest of the comment, -failing to notice that it has returned EOF, which may cause a denial of -service to the calling program. - -Reported-by: Marco Ivaldi -Signed-off-by: Alan Coopersmith ---- - src/data.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/data.c b/src/data.c -index 898889c..bfad4ff 100644 ---- a/src/data.c -+++ b/src/data.c -@@ -174,6 +174,10 @@ ParseComment(xpmData *data) - notend = 0; - Ungetc(data, *s, file); - } -+ else if (c == EOF) { -+ /* hit end of file before the end of the comment */ -+ return XpmFileInvalid; -+ } - } - return 0; - } --- -GitLab - diff --git a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb b/meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb similarity index 68% rename from meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb rename to meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb index 8937e61cb58..4694f911beb 100644 --- a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb +++ b/meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb @@ -11,19 +11,18 @@ an extension of the monochrome XBM bitmap specificied in the X \ protocol." LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://COPYING;md5=51f4270b012ecd4ab1a164f5f4ed6cf7" +LIC_FILES_CHKSUM = "file://COPYING;md5=903942ebc9d807dfb68540f40bae5aff" DEPENDS += "libxext libsm libxt gettext-native" PE = "1" XORG_PN = "libXpm" +XORG_EXT = "tar.xz" +EXTRA_OECONF += "--disable-open-zfile" PACKAGES =+ "sxpm cxpm" FILES_cxpm = "${bindir}/cxpm" FILES_sxpm = "${bindir}/sxpm" -SRC_URI += " file://CVE-2022-46285.patch" - -SRC_URI[md5sum] = "6f0ecf8d103d528cfc803aa475137afa" -SRC_URI[sha256sum] = "9cd1da57588b6cb71450eff2273ef6b657537a9ac4d02d0014228845b935ac25" +SRC_URI[sha256sum] = "64b31f81019e7d388c822b0b28af8d51c4622b83f1f0cb6fa3fc95e271226e43" BBCLASSEXTEND = "native"