diff --git a/SOURCES/0001-configure-add-disable-open-zfile-instead-of-requirin.patch b/SOURCES/0001-configure-add-disable-open-zfile-instead-of-requirin.patch new file mode 100644 index 0000000..998b37b --- /dev/null +++ b/SOURCES/0001-configure-add-disable-open-zfile-instead-of-requirin.patch @@ -0,0 +1,96 @@ +From 8b2a6a423c1f9544126cafd051d690174675f3a8 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Thu, 5 Jan 2023 15:42:36 -0800 +Subject: [PATCH libXpm 1/3] configure: add --disable-open-zfile instead of + requiring -DNO_ZPIPE + +Documents the two compression options in the README, makes their +configure options reflect the interdependency of their implementation, +and makes the configure script report their configuration. + +Signed-off-by: Alan Coopersmith +(cherry picked from commit 4841039e5385f264d12757903894f47c64f59361) +--- + README | 15 +++++++++++++++ + configure.ac | 36 +++++++++++++++++++++++------------- + 2 files changed, 38 insertions(+), 13 deletions(-) + +diff --git a/README b/README +index 9d14a39..f532bef 100644 +--- a/README ++++ b/README +@@ -23,3 +23,18 @@ For more information on the git code manager, see: + + http://wiki.x.org/wiki/GitPage + ++------------------------------------------------------------------------------ ++ ++libXpm supports two optional features to handle compressed pixmap files. ++ ++--enable-open-zfile makes libXpm recognize file names ending in .Z and .gz ++and open a pipe to the appropriate command to compress the file when writing ++and uncompress the file when reading. This is enabled by default on platforms ++other than MinGW and can be disabled by passing the --disable-open-zfile flag ++to the configure script. ++ ++--enable-stat-zfile make libXpm search for a file name with .Z or .gz added ++if it can't find the file it was asked to open. It relies on the ++--enable-open-zfile feature to open the file, and is enabled by default ++when --enable-open-zfile is enabled, and can be disabled by passing the ++--disable-stat-zfile flag to the configure script. +diff --git a/configure.ac b/configure.ac +index 2feb9ff..4a8d6de 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -48,25 +48,35 @@ if test "x$USE_GETTEXT" = "xyes" ; then + fi + AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes") + ++# Optional feature: When a filename ending in .Z or .gz is requested, ++# open a pipe to a newly forked compress/uncompress/gzip/gunzip command to ++# handle it. ++AC_MSG_CHECKING([whether to handle compressed pixmaps]) ++case $host_os in ++ *mingw*) zpipe_default="no" ;; ++ *) zpipe_default="yes" ;; ++esac ++AC_ARG_ENABLE(open-zfile, ++ AS_HELP_STRING([--enable-open-zfile], ++ [Search for files with .Z & .gz extensions automatically @<:@default=auto@:>@]), ++ [OPEN_ZFILE=$enableval], [OPEN_ZFILE=yes]) ++AC_MSG_RESULT([$OPEN_ZFILE]) ++if test x$OPEN_ZFILE = xno ; then ++ AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes]) ++fi ++ + # Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz + # Replaces ZFILEDEF = -DSTAT_ZFILE in old Imakefile ++AC_MSG_CHECKING([whether to search for compressed pixmaps]) + AC_ARG_ENABLE(stat-zfile, +- AS_HELP_STRING([--enable-stat-zfile], +- [Search for files with .Z & .gz extensions automatically @<:@default=yes@:>@]), +- [STAT_ZFILE=$enableval], [STAT_ZFILE=yes]) ++ AS_HELP_STRING([--enable-stat-zfile], ++ [Search for files with .Z & .gz extensions automatically @<:@default=auto@:>@]), ++ [STAT_ZFILE=$enableval], [STAT_ZFILE=$OPEN_ZFILE]) ++AC_MSG_RESULT([$STAT_ZFILE]) + if test x$STAT_ZFILE = xyes ; then +- AC_DEFINE(STAT_ZFILE, 1, [Define to 1 to automatically look for files with .Z & .gz extensions]) ++ AC_DEFINE(STAT_ZFILE, 1, [Define to 1 to automatically look for files with .Z & .gz extensions]) + fi + +- +-case $host_os in +- *mingw*) +- AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes]) +- ;; +- *) +- ;; +-esac +- + AC_CONFIG_FILES([Makefile + doc/Makefile + include/Makefile +-- +2.39.0 + diff --git a/SOURCES/0002-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch b/SOURCES/0002-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch new file mode 100644 index 0000000..8cc1d05 --- /dev/null +++ b/SOURCES/0002-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch @@ -0,0 +1,145 @@ +From c9fff891469c24da54c3337044cc177428242f9a Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Fri, 6 Jan 2023 12:50:48 -0800 +Subject: [PATCH libXpm 2/3] Fix CVE-2022-4883: compression commands depend on + $PATH + +By default, on all platforms except MinGW, libXpm will detect if a +filename ends in .Z or .gz, and will when reading such a file fork off +an uncompress or gunzip command to read from via a pipe, and when +writing such a file will fork off a compress or gzip command to write +to via a pipe. + +In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH +to find the commands. If libXpm is called from a program running with +raised privileges, such as via setuid, then a malicious user could set +$PATH to include programs of their choosing to be run with those +privileges. + +Signed-off-by: Alan Coopersmith +(cherry picked from commit 515294bb8023a45ff916696d0a14308ff4f3a376) +--- + README | 12 ++++++++++++ + configure.ac | 14 ++++++++++++++ + src/RdFToI.c | 17 ++++++++++++++--- + src/WrFFrI.c | 4 ++-- + 4 files changed, 42 insertions(+), 5 deletions(-) + +diff --git a/README b/README +index f532bef..c7d6dbf 100644 +--- a/README ++++ b/README +@@ -38,3 +38,15 @@ if it can't find the file it was asked to open. It relies on the + --enable-open-zfile feature to open the file, and is enabled by default + when --enable-open-zfile is enabled, and can be disabled by passing the + --disable-stat-zfile flag to the configure script. ++ ++All of these commands will be executed with whatever userid & privileges the ++function is called with, relying on the caller to ensure the correct euid, ++egid, etc. are set before calling. ++ ++To reduce risk, the paths to these commands are now set at configure time to ++the first version found in the PATH used to run configure, and do not depend ++on the PATH environment variable set at runtime. ++ ++To specify paths to be used for these commands instead of searching $PATH, pass ++the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, XPM_PATH_GZIP, and XPM_PATH_GUNZIP ++variables to the configure command. +diff --git a/configure.ac b/configure.ac +index 4a8d6de..c1da348 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -48,6 +48,14 @@ if test "x$USE_GETTEXT" = "xyes" ; then + fi + AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes") + ++dnl Helper macro to find absolute path to program and add a #define for it ++AC_DEFUN([XPM_PATH_PROG],[ ++AC_PATH_PROG([$1], [$2], []) ++AS_IF([test "x$$1" = "x"], ++ [AC_MSG_ERROR([$2 not found, set $1 or use --disable-stat-zfile])]) ++AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path to $2]) ++]) dnl End of AC_DEFUN([XPM_PATH_PROG]... ++ + # Optional feature: When a filename ending in .Z or .gz is requested, + # open a pipe to a newly forked compress/uncompress/gzip/gunzip command to + # handle it. +@@ -63,6 +71,12 @@ AC_ARG_ENABLE(open-zfile, + AC_MSG_RESULT([$OPEN_ZFILE]) + if test x$OPEN_ZFILE = xno ; then + AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes]) ++else ++ XPM_PATH_PROG([XPM_PATH_COMPRESS], [compress]) ++ XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress]) ++ XPM_PATH_PROG([XPM_PATH_GZIP], [gzip]) ++ XPM_PATH_PROG([XPM_PATH_GUNZIP], [gunzip]) ++ AC_CHECK_FUNCS([closefrom close_range], [break]) + fi + + # Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz +diff --git a/src/RdFToI.c b/src/RdFToI.c +index bd09611..a91d337 100644 +--- a/src/RdFToI.c ++++ b/src/RdFToI.c +@@ -43,6 +43,7 @@ + #include + #include + #include ++#include + #else + #ifdef FOR_MSW + #include +@@ -161,7 +162,17 @@ xpmPipeThrough( + goto err; + if ( 0 == pid ) + { +- execlp(cmd, cmd, arg1, (char *)NULL); ++#ifdef HAVE_CLOSEFROM ++ closefrom(3); ++#elif defined(HAVE_CLOSE_RANGE) ++# ifdef CLOSE_RANGE_UNSHARE ++# define close_range_flags CLOSE_RANGE_UNSHARE ++# else ++# define close_range_flags 0 ++#endif ++ close_range(3, ~0U, close_range_flags); ++#endif ++ execl(cmd, cmd, arg1, (char *)NULL); + perror(cmd); + goto err; + } +@@ -235,12 +246,12 @@ OpenReadFile( + if ( ext && !strcmp(ext, ".Z") ) + { + mdata->type = XPMPIPE; +- mdata->stream.file = xpmPipeThrough(fd, "uncompress", "-c", "r"); ++ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_UNCOMPRESS, "-c", "r"); + } + else if ( ext && !strcmp(ext, ".gz") ) + { + mdata->type = XPMPIPE; +- mdata->stream.file = xpmPipeThrough(fd, "gunzip", "-qc", "r"); ++ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GUNZIP, "-qc", "r"); + } + else + #endif /* z-files */ +diff --git a/src/WrFFrI.c b/src/WrFFrI.c +index 067c96b..bc38f66 100644 +--- a/src/WrFFrI.c ++++ b/src/WrFFrI.c +@@ -336,10 +336,10 @@ OpenWriteFile( + #ifndef NO_ZPIPE + len = strlen(filename); + if (len > 2 && !strcmp(".Z", filename + (len - 2))) { +- mdata->stream.file = xpmPipeThrough(fd, "compress", NULL, "w"); ++ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_COMPRESS, NULL, "w"); + mdata->type = XPMPIPE; + } else if (len > 3 && !strcmp(".gz", filename + (len - 3))) { +- mdata->stream.file = xpmPipeThrough(fd, "gzip", "-q", "w"); ++ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-q", "w"); + mdata->type = XPMPIPE; + } else + #endif +-- +2.39.0 + diff --git a/SOURCES/0003-Use-gzip-d-instead-of-gunzip.patch b/SOURCES/0003-Use-gzip-d-instead-of-gunzip.patch new file mode 100644 index 0000000..fc93719 --- /dev/null +++ b/SOURCES/0003-Use-gzip-d-instead-of-gunzip.patch @@ -0,0 +1,70 @@ +From 2065cf056f47c95bda237d8d700d9d24a893716d Mon Sep 17 00:00:00 2001 +From: Peter Hutterer +Date: Mon, 16 Jan 2023 19:44:52 +1000 +Subject: [PATCH libXpm 3/3] Use gzip -d instead of gunzip + +GNU gunzip [1] is a shell script that exec's `gzip -d`. Even if we call +/usr/bin/gunzip with the correct built-in path, the actual gzip call +will use whichever gzip it finds first, making our patch pointless. + +Fix this by explicitly calling gzip -d instead. + +https://git.savannah.gnu.org/cgit/gzip.git/tree/gunzip.in + +[Part of the fix for CVE-2022-4883] +Signed-off-by: Peter Hutterer +(cherry picked from commit 8178eb0834d82242e1edbc7d4fb0d1b397569c68) +--- + README | 2 +- + configure.ac | 3 +-- + src/RdFToI.c | 2 +- + 3 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/README b/README +index c7d6dbf..d4c7212 100644 +--- a/README ++++ b/README +@@ -48,5 +48,5 @@ the first version found in the PATH used to run configure, and do not depend + on the PATH environment variable set at runtime. + + To specify paths to be used for these commands instead of searching $PATH, pass +-the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, XPM_PATH_GZIP, and XPM_PATH_GUNZIP ++the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, and XPM_PATH_GZIP + variables to the configure command. +diff --git a/configure.ac b/configure.ac +index c1da348..74d9856 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -57,7 +57,7 @@ AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path to $2]) + ]) dnl End of AC_DEFUN([XPM_PATH_PROG]... + + # Optional feature: When a filename ending in .Z or .gz is requested, +-# open a pipe to a newly forked compress/uncompress/gzip/gunzip command to ++# open a pipe to a newly forked compress/uncompress/gzip command to + # handle it. + AC_MSG_CHECKING([whether to handle compressed pixmaps]) + case $host_os in +@@ -75,7 +75,6 @@ else + XPM_PATH_PROG([XPM_PATH_COMPRESS], [compress]) + XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress]) + XPM_PATH_PROG([XPM_PATH_GZIP], [gzip]) +- XPM_PATH_PROG([XPM_PATH_GUNZIP], [gunzip]) + AC_CHECK_FUNCS([closefrom close_range], [break]) + fi + +diff --git a/src/RdFToI.c b/src/RdFToI.c +index a91d337..141c485 100644 +--- a/src/RdFToI.c ++++ b/src/RdFToI.c +@@ -251,7 +251,7 @@ OpenReadFile( + else if ( ext && !strcmp(ext, ".gz") ) + { + mdata->type = XPMPIPE; +- mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GUNZIP, "-qc", "r"); ++ mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-dqc", "r"); + } + else + #endif /* z-files */ +-- +2.39.0 + diff --git a/SPECS/libXpm.spec b/SPECS/libXpm.spec index 0c646e7..f36790b 100644 --- a/SPECS/libXpm.spec +++ b/SPECS/libXpm.spec @@ -1,17 +1,23 @@ Summary: X.Org X11 libXpm runtime library Name: libXpm Version: 3.5.12 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Group: System Environment/Libraries URL: http://www.x.org Source0: ftp://ftp.x.org/pub/individual/lib/%{name}-%{version}.tar.bz2 +# CVE-2022-4883: compression commands depend on $PATH +Patch0001: 0001-configure-add-disable-open-zfile-instead-of-requirin.patch +Patch0002: 0002-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch +Patch0003: 0003-Use-gzip-d-instead-of-gunzip.patch + BuildRequires: xorg-x11-util-macros BuildRequires: autoconf automake libtool BuildRequires: gettext BuildRequires: pkgconfig(xext) pkgconfig(xt) pkgconfig(xau) +BuildRequires: ncompress gzip %description X.Org X11 libXpm runtime library @@ -26,6 +32,9 @@ X.Org X11 libXpm development package %prep %setup -q +%patch0001 -p1 +%patch0002 -p1 +%patch0003 -p1 %build autoreconf -v --install --force @@ -64,6 +73,9 @@ rm -rf $RPM_BUILD_ROOT #%{_mandir}/man1/*.1x* %changelog +* Thu Jan 19 2023 Peter Hutterer - 3.5.12-2 +- Fix CVE-2022-4883: compression commands depends on $PATH (#2161715) + * Mon Jan 23 2017 Benjamin Tissoires 3.5.12-1 - libXpm 3.5.12