libxpm: fix CVE-2022-46285

(From OE-Core rev: bd594af20fce07908f8e0fb1765b0e0ccc641e86) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2023-09-06 10:21:15 +0800
committer: Steve Sakoman <steve@sakoman.com> 2023-10-04 05:17:50 -1000
commit: fe546dca3f86d7fb3f721889dfb941538407df39 (patch)
tree: cd24594a30d497e36b8be08e2171e25458ccca06
parent: 00722bacdd6f2817ccfb3617706b817c4a931941 (diff)
download: poky-fe546dca3f86d7fb3f721889dfb941538407df39.tar.gz
2 files changed, 42 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch b/meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch
new file mode 100644
index 0000000000..e8b654dfb2
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch
@@ -0,0 +1,40 @@
+CVE: CVE-2022-46285
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/a3a7c6dcc3b629d7650148 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+From a3a7c6dcc3b629d765014816c566c63165c63ca8 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 17 Dec 2022 12:23:45 -0800
+Subject: [PATCH] Fix CVE-2022-46285: Infinite loop on unclosed comments
+When reading XPM images from a file with libXpm 3.5.14 or older, if a
+comment in the file is not closed (i.e. a C-style comment starts with
+"/*" and is missing the closing "*/"), the ParseComment() function will
+loop forever calling getc() to try to read the rest of the comment,
+failing to notice that it has returned EOF, which may cause a denial of
+service to the calling program.
+Reported-by: Marco Ivaldi <raptor@0xdeadbeef.info>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/data.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/src/data.c b/src/data.c
+index 898889c..bfad4ff 100644
+--- a/src/data.c
+++ b/src/data.c
+@@ -174,6 +174,10 @@ ParseComment(xpmData *data)
+                notend = 0;
+                Ungetc(data, *s, file);
+            }
+           else if (c == EOF) {
+               /* hit end of file before the end of the comment */
+               return XpmFileInvalid;
+           }
+        }
+        return 0;
+     }
+-- 
+GitLab
diff --git a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb b/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb
index fda8e32d2c..8937e61cb5 100644
--- a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb
+++ b/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb
@@ -21,6 +21,8 @@ PACKAGES =+ "sxpm cxpm"
 FILES_cxpm = "${bindir}/cxpm"
 FILES_sxpm = "${bindir}/sxpm"
+SRC_URI += " file://CVE-2022-46285.patch"
 SRC_URI[md5sum] = "6f0ecf8d103d528cfc803aa475137afa"
 SRC_URI[sha256sum] = "9cd1da57588b6cb71450eff2273ef6b657537a9ac4d02d0014228845b935ac25"
author	Lee Chee Yang <chee.yang.lee@intel.com>	2023-09-06 10:21:15 +0800
committer	Steve Sakoman <steve@sakoman.com>	2023-10-04 05:17:50 -1000
commit	fe546dca3f86d7fb3f721889dfb941538407df39 (patch)
tree	cd24594a30d497e36b8be08e2171e25458ccca06
parent	00722bacdd6f2817ccfb3617706b817c4a931941 (diff)
download	poky-fe546dca3f86d7fb3f721889dfb941538407df39.tar.gz

diff --git a/meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch b/meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch new file mode 100644 index 0000000000..e8b654dfb2 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch
@@ -0,0 +1,40 @@
		1	CVE: CVE-2022-46285
		2	Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/a3a7c6dcc3b629d7650148 ]
		3	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		4
		5	From a3a7c6dcc3b629d765014816c566c63165c63ca8 Mon Sep 17 00:00:00 2001
		6	From: Alan Coopersmith <alan.coopersmith@oracle.com>
		7	Date: Sat, 17 Dec 2022 12:23:45 -0800
		8	Subject: [PATCH] Fix CVE-2022-46285: Infinite loop on unclosed comments
		9
		10	When reading XPM images from a file with libXpm 3.5.14 or older, if a
		11	comment in the file is not closed (i.e. a C-style comment starts with
		12	"/" and is missing the closing "/"), the ParseComment() function will
		13	loop forever calling getc() to try to read the rest of the comment,
		14	failing to notice that it has returned EOF, which may cause a denial of
		15	service to the calling program.
		16
		17	Reported-by: Marco Ivaldi <raptor@0xdeadbeef.info>
		18	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
		19	---
		20	src/data.c \| 4 ++++
		21	1 file changed, 4 insertions(+)
		22
		23	diff --git a/src/data.c b/src/data.c
		24	index 898889c..bfad4ff 100644
		25	--- a/src/data.c
		26	+++ b/src/data.c
		27	@@ -174,6 +174,10 @@ ParseComment(xpmData *data)
		28	notend = 0;
		29	Ungetc(data, *s, file);
		30	}
		31	+ else if (c == EOF) {
		32	+ /* hit end of file before the end of the comment */
		33	+ return XpmFileInvalid;
		34	+ }
		35	}
		36	return 0;
		37	}
		38	--
		39	GitLab
		40


diff --git a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb b/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb index fda8e32d2c..8937e61cb5 100644 --- a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb +++ b/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb
@@ -21,6 +21,8 @@ PACKAGES =+ "sxpm cxpm"
21	FILES_cxpm = "${bindir}/cxpm"	21	FILES_cxpm = "${bindir}/cxpm"
22	FILES_sxpm = "${bindir}/sxpm"	22	FILES_sxpm = "${bindir}/sxpm"
23		23
		24	SRC_URI += " file://CVE-2022-46285.patch"
		25
24	SRC_URI[md5sum] = "6f0ecf8d103d528cfc803aa475137afa"	26	SRC_URI[md5sum] = "6f0ecf8d103d528cfc803aa475137afa"
25	SRC_URI[sha256sum] = "9cd1da57588b6cb71450eff2273ef6b657537a9ac4d02d0014228845b935ac25"	27	SRC_URI[sha256sum] = "9cd1da57588b6cb71450eff2273ef6b657537a9ac4d02d0014228845b935ac25"
26		28