Package: lesstif1-1
Severity: grave
Tags: security, patch
Justification: user security hole
Quoting from a recent Gentoo security advisory:
> Chris Gilbert discovered potentially exploitable buffer overflow cases
> in libXpm that weren't fixed in previous libXpm security advisories.
This has been assigned CAN-2005-0605; Woody should be affected as
well.
The attached patch has been taken from Gentoo bugtracking, as the
lesstif CVS doesn't have a commit yet. Judging from the source I assume
that this fixes only lesstif2, but not lesstif1, am I correct?
Cheers,
Moritz
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
--- lesstif-0.94.0/lib/Xm-2.1/Xpmscan.c.orig 2005-03-02 17:00:16.415070960 +0100
+++ lesstif-0.94.0/lib/Xm-2.1/Xpmscan.c 2005-03-02 17:01:38.949709879 +0100
@@ -672,8 +672,8 @@
char *dst;
unsigned int *iptr;
char *data;
- unsigned int x, y, i;
- int bits, depth, ibu, ibpp, offset;
+ unsigned int x, y;
+ int bits, depth, ibu, ibpp, offset, i;
unsigned long lbt;
Pixel pixel, px;
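Review bot: The reason `i` moves from `unsigned int` to `int` in this declaration is not recorded anywhere, so a later cleanup could quietly make it unsigned again. The loops that use `i` are outside this hunk; presumably at least one counts down with a test such as `i >= 0`, which can never fail for an unsigned counter. A comment on the declaration would pin that, for example `/* i must stay signed: it is used as a down-counting loop index */`, with the wording confirmed against the loop bodies. The same change is made in the Xpmcreate.c hunk at `@@ -1265,10 +1265,10 @@` and needs the same comment. With `i` now signed, any remaining comparison of `i` against `x`, `y` or a `sizeof` value converts it back to unsigned, so those sites are worth checking under `-Wsign-compare`.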
@@ -684,6 +684,9 @@
ibpp = image->bits_per_pixel;
offset = image->xoffset;
+ if (image->bitmap_unit < 0)
+ return (XpmNoMemory);
+
if ((image->bits_per_pixel | image->depth) == 1) {
ibu = image->bitmap_unit;
for (y = 0; y < height; y++)
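Review bot: The new guard `if (image->bitmap_unit < 0)` rejects only negative values, so zero and any positive value other than the 8, 16 or 32 an XImage is expected to carry still reach `ibu = image->bitmap_unit` below. Whether such values can overrun a buffer depends on the loop bodies, which continue outside this hunk. Validating the field against the expected set would settle it: `if (image->bitmap_unit != 8 && image->bitmap_unit != 16 && image->bitmap_unit != 32) return (XpmNoMemory);`. `XpmNoMemory` also reports a malformed image as an allocation failure. If callers do not depend on the exact code, an invalid-input status would be clearer; otherwise a comment should say why this code was chosen.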
--- lesstif-0.94.0/lib/Xm-2.1/Xpmcreate.c.orig 2005-03-02 17:02:00.626412844 +0100
+++ lesstif-0.94.0/lib/Xm-2.1/Xpmcreate.c 2005-03-02 17:02:35.183562480 +0100
@@ -1265,10 +1265,10 @@
register char *src;
register char *dst;
register unsigned int *iptr;
- register unsigned int x, y, i;
+ register unsigned int x, y;
register char *data;
Pixel pixel, px;
- int nbytes, depth, ibu, ibpp;
+ int nbytes, depth, ibu, ibpp, i;
data = image->data;
iptr = pixelindex;