Bug 274265

Summary: x11/libXpm: update vulnerable port to 3.5.17
Product: Ports & Packages
Reporter: Piotr Smyrak <ps.ports>
Component: Individual Port(s)
Assignee: freebsd-x11 (Nobody) <x11>
Status: Closed FIXED
Severity: Affects Many People
CC: manu
Priority: ---
Flags: bugzilla: maintainer-feedback? (x11)
Version: Latest
Hardware: Any
OS: Any
URL: https://lists.x.org/archives/xorg/2023-October/061507.html
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274266
Attachments:
patch for x11/libXpm (flags: none)

Description Piotr Smyrak 2023-10-04 14:50:27 UTC
Created attachment 245435 [details]
patch for x11/libXpm

X11 has published a security bulletin [1] that exposes the following CVEs in our x11/libXpm version 3.5.15:

CVE-2023-43786: stack exhaustion in XPutImage
CVE-2023-43787: integer overflow in XCreateImage
CVE-2023-43788: Out of bounds read in XpmCreateXpmImageFromBuffer
CVE-2023-43789: Out of bounds read on XPM with corrupted colormap

See changelog for a full list of changes in the release [2].

The attached patch bumps the Makefile and distinfo.

1. https://lists.x.org/archives/xorg/2023-October/061506.html
2. https://gitlab.freedesktop.org/xorg/lib/libxpm/-/compare/libXpm-3.5.15...libXpm-3.5.17
Comment 1 Emmanuel Vadot freebsd_committer freebsd_triage 2023-10-04 15:24:30 UTC
A patch for vuxml is also needed.
Comment 2 Piotr Smyrak 2023-10-04 17:31:42 UTC
Shared vuxml patch including both reports #274265 and #274266 has been uploaded to the latter ticket.
Comment 3 commit-hook freebsd_committer freebsd_triage 2023-10-12 14:52:14 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ed41e597ba262032dc9fcfc704bc6bf9d7dbff94

commit ed41e597ba262032dc9fcfc704bc6bf9d7dbff94
Author:     Piotr Smyrak <piotr@smyrak.com>
AuthorDate: 2023-10-12 14:44:42 +0000
Commit:     Emmanuel Vadot <manu@FreeBSD.org>
CommitDate: 2023-10-12 14:48:21 +0000

    x11/libXpm: Update to 3.5.17

    PR:     274265

 x11/libXpm/Makefile | 2 +-
 x11/libXpm/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 4 commit-hook freebsd_committer freebsd_triage 2023-10-12 14:53:19 UTC
A commit in branch 2023Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=89e3122c4fb321b7d8a32e31ad56abe93d9c3a11

commit 89e3122c4fb321b7d8a32e31ad56abe93d9c3a11
Author:     Piotr Smyrak <piotr@smyrak.com>
AuthorDate: 2023-10-12 14:44:42 +0000
Commit:     Emmanuel Vadot <manu@FreeBSD.org>
CommitDate: 2023-10-12 14:52:26 +0000

    x11/libXpm: Update to 3.5.17

    PR:     274265
    (cherry picked from commit ed41e597ba262032dc9fcfc704bc6bf9d7dbff94)

 x11/libXpm/Makefile | 2 +-
 x11/libXpm/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)