Fix CVE-2023-43788, CVE-2023-43789

2023-10-07 13:55:16 +08:00 · 2023-10-07 13:55:16 +08:00 · 61a77ff4b8
commit 61a77ff4b8
parent 2f920920ac
5 changed files with 395 additions and 1 deletions
--- a/backport-CVE-2023-43786.patch
+++ b/backport-CVE-2023-43786.patch
@ -0,0 +1,283 @@
+From 84fb14574c039f19ad7face87eb9acc31a50701c Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Wed, 6 Sep 2023 17:34:33 -0700
+Subject: [PATCH] Avoid CVE-2023-43786: stack exhaustion in XPutImage()
+
+This doesn't fix the CVE - that has to happen in libX11, this
+just tries to avoid triggering it from libXpm, and saves time
+in not pretending we can successfully create an X11 pixmap with
+dimensions larger than the unsigned 16-bit integers used in the
+X11 protocol for the dimensions.
+
+Reported by Yair Mizrahi of the JFrog Vulnerability Research team
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/CrPFrBuf.c | 28 +++++++++++++++++++++++-----
+ src/CrPFrDat.c | 31 +++++++++++++++++++++++--------
+ src/CrPFrI.c   | 10 +++++++++-
+ src/RdFToP.c   | 28 +++++++++++++++++++++++-----
+ src/XpmI.h     |  2 +-
+ src/create.c   | 28 +++++++++++++++++++++++-----
+ 6 files changed, 102 insertions(+), 25 deletions(-)
+
+diff --git a/src/CrPFrBuf.c b/src/CrPFrBuf.c
+index 2c28a41..e9e2243 100644
+--- a/src/CrPFrBuf.c
+++ b/src/CrPFrBuf.c
+@@ -46,7 +46,7 @@ XpmCreatePixmapFromBuffer(
+     Pixmap		*shapemask_return,
+     XpmAttributes	*attributes)
+ {
+-    XImage *ximage, *shapeimage;
+    XImage *ximage = NULL, *shapeimage = NULL;
+     int ErrorStatus;
+ 
+     /* initialize return values */
+@@ -63,16 +63,34 @@ XpmCreatePixmapFromBuffer(
+ 					   attributes);
+ 
+     if (ErrorStatus < 0)		/* fatal error */
+-	return (ErrorStatus);
+	goto cleanup;
+ 
+     /* create the pixmaps and destroy images */
+     if (pixmap_return && ximage) {
+-	xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
+-	XDestroyImage(ximage);
+	ErrorStatus =
+	    xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
+	if (ErrorStatus < 0)		/* fatal error */
+	    goto cleanup;
+     }
+     if (shapemask_return && shapeimage) {
+-	xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
+	ErrorStatus =
+	    xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
+    }
+
+  cleanup:
+    if (ximage != NULL)
+	XDestroyImage(ximage);
+    if (shapeimage != NULL)
+ 	XDestroyImage(shapeimage);
+    if (ErrorStatus < 0) {
+	if (pixmap_return && *pixmap_return) {
+	    XFreePixmap(display, *pixmap_return);
+	    *pixmap_return = 0;
+	}
+	if (shapemask_return && *shapemask_return) {
+	    XFreePixmap(display, *shapemask_return);
+	    *shapemask_return = 0;
+	}
+     }
+     return (ErrorStatus);
+ }
+diff --git a/src/CrPFrDat.c b/src/CrPFrDat.c
+index b65771d..8622663 100644
+--- a/src/CrPFrDat.c
+++ b/src/CrPFrDat.c
+@@ -46,7 +46,7 @@ XpmCreatePixmapFromData(
+     Pixmap		 *shapemask_return,
+     XpmAttributes	 *attributes)
+ {
+-    XImage *ximage, *shapeimage;
+    XImage *ximage = NULL, *shapeimage = NULL;
+     int ErrorStatus;
+ 
+     /* initialize return values */
+@@ -63,19 +63,34 @@ XpmCreatePixmapFromData(
+ 					 attributes);
+ 
+     if (ErrorStatus != XpmSuccess)
+-	return (ErrorStatus);
+-
+-    if (ErrorStatus < 0)		/* fatal error */
+-	return (ErrorStatus);
+	goto cleanup;
+ 
+     /* create the pixmaps and destroy images */
+     if (pixmap_return && ximage) {
+-	xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
+-	XDestroyImage(ximage);
+	ErrorStatus =
+	    xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
+	if (ErrorStatus < 0)		/* fatal error */
+	    goto cleanup;
+     }
+     if (shapemask_return && shapeimage) {
+-	xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
+	ErrorStatus =
+	    xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
+    }
+
+  cleanup:
+    if (ximage != NULL)
+	XDestroyImage(ximage);
+    if (shapeimage != NULL)
+ 	XDestroyImage(shapeimage);
+    if (ErrorStatus < 0) {
+	if (pixmap_return && *pixmap_return) {
+	    XFreePixmap(display, *pixmap_return);
+	    *pixmap_return = 0;
+	}
+	if (shapemask_return && *shapemask_return) {
+	    XFreePixmap(display, *shapemask_return);
+	    *shapemask_return = 0;
+	}
+     }
+     return (ErrorStatus);
+ }
+diff --git a/src/CrPFrI.c b/src/CrPFrI.c
+index 8f6f4aa..f6688c5 100644
+--- a/src/CrPFrI.c
+++ b/src/CrPFrI.c
+@@ -36,8 +36,9 @@
+ #include <config.h>
+ #endif
+ #include "XpmI.h"
+#include <stdint.h>
+ 
+-void
+int
+ xpmCreatePixmapFromImage(
+     Display	*display,
+     Drawable	 d,
+@@ -47,6 +48,11 @@ xpmCreatePixmapFromImage(
+     GC gc;
+     XGCValues values;
+ 
+    /* X Pixmaps are limited to unsigned 16-bit height/width */
+    if ((ximage->width > UINT16_MAX) || (ximage->height > UINT16_MAX)) {
+	return XpmNoMemory;
+    }
+
+     *pixmap_return = XCreatePixmap(display, d, ximage->width,
+ 				   ximage->height, ximage->depth);
+     /* set fg and bg in case we have an XYBitmap */
+@@ -59,4 +65,6 @@ xpmCreatePixmapFromImage(
+ 	      ximage->width, ximage->height);
+ 
+     XFreeGC(display, gc);
+
+    return XpmSuccess;
+ }
+diff --git a/src/RdFToP.c b/src/RdFToP.c
+index f829757..2c3e7f9 100644
+--- a/src/RdFToP.c
+++ b/src/RdFToP.c
+@@ -46,7 +46,7 @@ XpmReadFileToPixmap(
+     Pixmap		*shapemask_return,
+     XpmAttributes	*attributes)
+ {
+-    XImage *ximage, *shapeimage;
+    XImage *ximage = NULL, *shapeimage = NULL;
+     int ErrorStatus;
+ 
+     /* initialize return values */
+@@ -62,16 +62,34 @@ XpmReadFileToPixmap(
+ 				     attributes);
+ 
+     if (ErrorStatus < 0)		/* fatal error */
+-	return (ErrorStatus);
+	goto cleanup;
+ 
+     /* create the pixmaps and destroy images */
+     if (pixmap_return && ximage) {
+-	xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
+-	XDestroyImage(ximage);
+	ErrorStatus =
+	    xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
+	if (ErrorStatus < 0)		/* fatal error */
+	    goto cleanup;
+     }
+     if (shapemask_return && shapeimage) {
+-	xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
+	ErrorStatus =
+	    xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
+    }
+
+  cleanup:
+    if (ximage != NULL)
+	XDestroyImage(ximage);
+    if (shapeimage != NULL)
+ 	XDestroyImage(shapeimage);
+    if (ErrorStatus < 0) {
+	if (pixmap_return && *pixmap_return) {
+	    XFreePixmap(display, *pixmap_return);
+	    *pixmap_return = 0;
+	}
+	if (shapemask_return && *shapemask_return) {
+	    XFreePixmap(display, *shapemask_return);
+	    *shapemask_return = 0;
+	}
+     }
+     return (ErrorStatus);
+ }
+diff --git a/src/create.c b/src/create.c
+index 4921c7d..ec562b2 100644
+--- a/src/create.c
+++ b/src/create.c
+@@ -1652,7 +1652,7 @@ XpmCreatePixmapFromXpmImage(
+     Pixmap		*shapemask_return,
+     XpmAttributes	*attributes)
+ {
+-    XImage *ximage, *shapeimage;
+    XImage *ximage = NULL, *shapeimage = NULL;
+     int ErrorStatus;
+ 
+     /* initialize return values */
+@@ -1668,16 +1668,34 @@ XpmCreatePixmapFromXpmImage(
+ 					      &shapeimage : NULL),
+ 					     attributes);
+     if (ErrorStatus < 0)
+-	return (ErrorStatus);
+	goto cleanup;
+ 
+     /* create the pixmaps and destroy images */
+     if (pixmap_return && ximage) {
+-	xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
+-	XDestroyImage(ximage);
+	ErrorStatus =
+	    xpmCreatePixmapFromImage(display, d, ximage, pixmap_return);
+	if (ErrorStatus < 0)		/* fatal error */
+	    goto cleanup;
+     }
+     if (shapemask_return && shapeimage) {
+-	xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
+	ErrorStatus =
+	    xpmCreatePixmapFromImage(display, d, shapeimage, shapemask_return);
+    }
+
+  cleanup:
+    if (ximage != NULL)
+	XDestroyImage(ximage);
+    if (shapeimage != NULL)
+ 	XDestroyImage(shapeimage);
+    if (ErrorStatus < 0) {
+	if (pixmap_return && *pixmap_return) {
+	    XFreePixmap(display, *pixmap_return);
+	    *pixmap_return = 0;
+	}
+	if (shapemask_return && *shapemask_return) {
+	    XFreePixmap(display, *shapemask_return);
+	    *shapemask_return = 0;
+	}
+     }
+     return (ErrorStatus);
+ }
+diff --git a/src/XpmI.h b/src/XpmI.h
+index ab7a680..6691693 100644
+--- a/src/XpmI.h
+++ b/src/XpmI.h
+@@ -188,7 +188,7 @@
+ 			      XpmInfo *info));
+ 
+ #if !defined(FOR_MSW) && !defined(AMIGA)
+-FUNC(xpmCreatePixmapFromImage, void, (Display *display, Drawable d,
+FUNC(xpmCreatePixmapFromImage, int, (Display *display, Drawable d,
+ 				      XImage *ximage, Pixmap *pixmap_return));
+ 
+ FUNC(xpmCreateImageFromPixmap, void, (Display *display, Pixmap pixmap,
+-- 
+GitLab
--- a/backport-CVE-2023-43787.patch
+++ b/backport-CVE-2023-43787.patch
@ -0,0 +1,35 @@
+From 91f887b41bf75648df725a4ed3be036da02e911e Mon Sep 17 00:00:00 2001
+From: Yair Mizrahi <yairm@jfrog.com>
+Date: Thu, 7 Sep 2023 16:59:07 -0700
+Subject: [PATCH] Avoid CVE-2023-43787 (integer overflow in XCreateImage)
+
+This doesn't fix the CVE - that has to happen in libX11, this
+just tries to avoid triggering it from libXpm, and saves time
+in not pretending we can successfully create an X Image for
+which the width * depth would overflow the signed int used to
+store the bytes_per_line value.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/create.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/create.c b/src/create.c
+index ec562b2..b8c80d2 100644
+--- a/src/create.c
+++ b/src/create.c
+@@ -997,6 +997,11 @@ CreateXImage(
+ 	*image_return = NULL;
+ 	return XpmNoMemory;
+     }
+    if (width != 0 && (*image_return)->bits_per_pixel >= INT_MAX / width) {
+	XDestroyImage(*image_return);
+	*image_return = NULL;
+	return XpmNoMemory;
+    }
+     /* now that bytes_per_line must have been set properly alloc data */
+     if((*image_return)->bytes_per_line == 0 ||  height == 0) {
+ 	XDestroyImage(*image_return);
+-- 
+GitLab
+
--- a/backport-CVE-2023-43788.patch
+++ b/backport-CVE-2023-43788.patch
@ -0,0 +1,32 @@
+From 2fa554b01ef6079a9b35df9332bdc4f139ed67e0 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 29 Apr 2023 17:50:39 -0700
+Subject: [PATCH] Fix CVE-2023-43788: Out of bounds read in
+ XpmCreateXpmImageFromBuffer
+
+When the test case for CVE-2022-46285 was run with the Address Sanitizer
+enabled, it found an out-of-bounds read in ParseComment() when reading
+from a memory buffer instead of a file, as it continued to look for the
+closing comment marker past the end of the buffer.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/data.c b/src/data.c
+index 7524e65..0b0f1f3 100644
+--- a/src/data.c
+++ b/src/data.c
+@@ -108,7 +108,7 @@ ParseComment(xpmData *data)
+ 		n++;
+ 		s2++;
+ 	    } while (c == *s2 && *s2 != '\0' && c);
+-	    if (*s2 == '\0') {
+	    if (*s2 == '\0' || c == '\0') {
+ 		/* this is the end of the comment */
+ 		notend = 0;
+ 		data->cptr--;
+-- 
+GitLab
+
--- a/backport-CVE-2023-43789.patch
+++ b/backport-CVE-2023-43789.patch
@ -0,0 +1,36 @@
+From 7e21cb63b9a1ca760a06cc4cd9b19bbc3fcd8f51 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 29 Apr 2023 18:30:34 -0700
+Subject: [PATCH] Fix CVE-2023-43789: Out of bounds read on XPM with corrupted
+ colormap
+
+Found with clang's libfuzzer
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/data.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/data.c b/src/data.c
+index 0b0f1f3..6e87455 100644
+--- a/src/data.c
+++ b/src/data.c
+@@ -259,13 +259,13 @@ xpmNextWord(
+     int c;
+ 
+     if (!data->type || data->type == XPMBUFFER) {
+-	while (isspace(c = *data->cptr) && c != data->Eos)
+	while ((c = *data->cptr) && isspace(c) && (c != data->Eos))
+ 	    data->cptr++;
+ 	do {
+ 	    c = *data->cptr++;
+ 	    *buf++ = c;
+ 	    n++;
+-	} while (!isspace(c) && c != data->Eos && n < buflen);
+	} while (c && !isspace(c) && (c != data->Eos) && (n < buflen));
+ 	n--;
+ 	data->cptr--;
+     } else {
+-- 
+GitLab
+
--- a/libXpm.spec
+++ b/libXpm.spec
@ -1,6 +1,6 @@
 Name:           libXpm
 Version:        3.5.13
-Release:        4
+Release:        5
 License:        MIT
 Summary:        X.Org X11 libXpm runtime library
 URL:            https://www.x.org
@ -12,6 +12,10 @@ Patch6002:      backport-CVE-2022-46285.patch
 Patch6003:      backport-0001-CVE-2022-4883.patch
 Patch6004:      backport-0002-CVE-2022-4883.patch
 Patch6005:      backport-0003-CVE-2022-4883.patch
+Patch6006:	backport-CVE-2023-43786.patch
+Patch6007:	backport-CVE-2023-43787.patch
+Patch6008:	backport-CVE-2023-43788.patch
+Patch6009:	backport-CVE-2023-43789.patch

 BuildRequires:  xorg-x11-util-macros autoconf automake libtool
 BuildRequires:  gettext libXau-devel libXext-devel libXt-devel
@ -63,6 +67,10 @@ autoreconf -ivf
 %{_mandir}/man1/*.1*

 %changelog
+* Wed Oct 04 2023 Funda Wang <fundawang@yeah.net> - 3.5.13-5
+- Add patches harden CVE-2023-43786, CVE-2023-43787
+- Fix CVE-2023-43788, CVE-2023-43789
+
 * Wed Feb 01 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 3.5.13-4
 - fix CVE-2022-44617,CVE-2022-46285,CVE-2022-4883