Created attachment 245435: patch for x11/libXpm

X11 has published a security bulletin [1] that exposes the following CVEs in our x11/libXpm version 3.5.15:

CVE-2023-43786: stack exhaustion in XPutImage
CVE-2023-43787: integer overflow in XCreateImage
CVE-2023-43788: Out of bounds read in XpmCreateXpmImageFromBuffer
CVE-2023-43789: Out of bounds read on XPM with corrupted colormap

See changelog for a full list of changes in the release [2].

The attached patch bumps the Makefile and distinfo.

1. https://lists.x.org/archives/xorg/2023-October/061506.html
2. https://gitlab.freedesktop.org/xorg/lib/libxpm/-/compare/libXpm-3.5.15...libXpm-3.5.17
A patch for vuxml is also needed.
Shared vuxml patch including both reports #274265 and #274266 has been uploaded to the latter ticket.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ed41e597ba262032dc9fcfc704bc6bf9d7dbff94

commit ed41e597ba262032dc9fcfc704bc6bf9d7dbff94
Author:     Piotr Smyrak <piotr@smyrak.com>
AuthorDate: 2023-10-12 14:44:42 +0000
Commit:     Emmanuel Vadot <manu@FreeBSD.org>
CommitDate: 2023-10-12 14:48:21 +0000

    x11/libXpm: Update to 3.5.17

    PR:         274265

 x11/libXpm/Makefile | 2 +-
 x11/libXpm/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
A commit in branch 2023Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=89e3122c4fb321b7d8a32e31ad56abe93d9c3a11

commit 89e3122c4fb321b7d8a32e31ad56abe93d9c3a11
Author:     Piotr Smyrak <piotr@smyrak.com>
AuthorDate: 2023-10-12 14:44:42 +0000
Commit:     Emmanuel Vadot <manu@FreeBSD.org>
CommitDate: 2023-10-12 14:52:26 +0000

    x11/libXpm: Update to 3.5.17

    PR:         274265

    (cherry picked from commit ed41e597ba262032dc9fcfc704bc6bf9d7dbff94)

 x11/libXpm/Makefile | 2 +-
 x11/libXpm/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)