author | Siddharth Doshi <sdoshi@mvista.com> | 2023-10-16 20:13:50 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-10-20 05:35:30 -1000 |
commit | 1a3807e0ca4c3fe4f871aa51f963053766468b6c (patch) | |
tree | 9133b9c2442b9679b6389eb7dd6bf3daba8bfcb6 | |
parent | c7ddb9b19845a1d9b749896ea978fd72b7aa104b (diff) | |
download | poky-1a3807e0ca4c3fe4f871aa51f963053766468b6c.tar.gz |
libxpm: upgrade to 3.5.17
- This upgrade includes multiple security fixes.
CVE-2022-4883
CVE-2022-44617
CVE-2022-46285
CVE-2022-44617
CVE-2023-43788
CVE-2023-43789
- Removed the CVE-2022-46285 patch, as the fix is already included in this upgrade.
- License-update: additional copyright holders
f0857c0 man pages: Correct Copyright/License notices
Due to this commit LIC_FILES_CHKSUM is changed
- Disable reading compressed files as that requires compress/uncompress executables.
Following the approach in oe-core/master:
7de4084634 libxpm: upgrade 3.5.14 -> 3.5.15
- Add XORG_EXT to specify tar.xz as upstream has switched from bz2 to xz compression.
(From OE-Core rev: 47e270a4fd2e086b5ee9f38891f326ce505f2319)
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch | 40 | ||||
-rw-r--r-- | meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb (renamed from meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb) | 9 |
2 files changed, 4 insertions, 45 deletions
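--- a/meta/recipes-graphics/xorg-lib/libxpm/CVE-2022-46285.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-CVE: CVE-2022-46285
-Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/a3a7c6dcc3b629d7650148 ]
-Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
-
-From a3a7c6dcc3b629d765014816c566c63165c63ca8 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 17 Dec 2022 12:23:45 -0800
-Subject: [PATCH] Fix CVE-2022-46285: Infinite loop on unclosed comments
-
-When reading XPM images from a file with libXpm 3.5.14 or older, if a
-comment in the file is not closed (i.e. a C-style comment starts with
-"/*" and is missing the closing "*/"), the ParseComment() function will
-loop forever calling getc() to try to read the rest of the comment,
-failing to notice that it has returned EOF, which may cause a denial of
-service to the calling program.
-
-Reported-by: Marco Ivaldi <raptor@0xdeadbeef.info>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
-src/data.c | 4 ++++
-1 file changed, 4 insertions(+)
-
-diff --git a/src/data.c b/src/data.c
-index 898889c..bfad4ff 100644
---- a/src/data.c
-+++ b/src/data.c
-@@ -174,6 +174,10 @@ ParseComment(xpmData *data)
-notend = 0;
-Ungetc(data, *s, file);
-}
-+ else if (c == EOF) {
-+ /* hit end of file before the end of the comment */
-+ return XpmFileInvalid;
-+ }
-}
-return 0;
-}
---
-GitLab
-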
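--- a/meta/recipes-graphics/xorg-lib/libxpm_3.5.13.bb
+++ b/meta/recipes-graphics/xorg-lib/libxpm_3.5.17.bb
@@ -11,19 +11,18 @@ an extension of the monochrome XBM bitmap specificied in the X \
 protocol."
 
 LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://COPYING;md5=51f4270b012ecd4ab1a164f5f4ed6cf7"
+LIC_FILES_CHKSUM = "file://COPYING;md5=903942ebc9d807dfb68540f40bae5aff"
 DEPENDS += "libxext libsm libxt gettext-native"
 PE = "1"
 
 XORG_PN = "libXpm"
+XORG_EXT = "tar.xz"
+EXTRA_OECONF += "--disable-open-zfile"
 
 PACKAGES =+ "sxpm cxpm"
 FILES_cxpm = "${bindir}/cxpm"
 FILES_sxpm = "${bindir}/sxpm"
 
-SRC_URI += " file://CVE-2022-46285.patch"
-
-SRC_URI[md5sum] = "6f0ecf8d103d528cfc803aa475137afa"
-SRC_URI[sha256sum] = "9cd1da57588b6cb71450eff2273ef6b657537a9ac4d02d0014228845b935ac25"
+SRC_URI[sha256sum] = "64b31f81019e7d388c822b0b28af8d51c4622b83f1f0cb6fa3fc95e271226e43"
 
 BBCLASSEXTEND = "native"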
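Review bot: The new `EXTRA_OECONF += "--disable-open-zfile"` line (new line 20) switches off a library feature, but the recipe itself gives no reason; the rationale currently lives only in the commit message, which a later maintainer reading the .bb file will not see. A one-line comment above it, `# Reading compressed XPM files needs compress/uncompress executables at runtime; keep it disabled`, would record why the option is there and make it clear that re-enabling it is a deliberate choice rather than a cleanup. Dropping `SRC_URI[md5sum]` and keeping only the sha256 checksum is in line with current OE practice and needs no change. The `specificied` spelling visible in the hunk header is pre-existing text in the DESCRIPTION string and could be corrected in a follow-up.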