[Bug 274265] x11/libXpm: update vulnerable port to 3.5.17

Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 04 Oct 2023 14:50:27 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274265

            Bug ID: 274265
           Summary: x11/libXpm: update vulnerable port to 3.5.17
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: https://lists.x.org/archives/xorg/2023-October/061507.
                    html
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: x11@FreeBSD.org
          Reporter: ps.ports@smyrak.com
          Assignee: x11@FreeBSD.org
                CC:
             Flags: maintainer-feedback?(x11@FreeBSD.org)

Created attachment 245435
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=245435&action=edit
patch for x11/libXpm

X11 has published a security bulletin [1] that exposes the following CVEs in
our x11/libXpm version 3.5.15:

CVE-2023-43786: stack exhaustion in XPutImage
CVE-2023-43787: integer overflow in XCreateImage
CVE-2023-43788: Out of bounds read in XpmCreateXpmImageFromBuffer
CVE-2023-43789: Out of bounds read on XPM with corrupted colormap

See changelog for a full list of changes in the release [2].

The attached patch bumps the Makefile and distinfo.

1. https://lists.x.org/archives/xorg/2023-October/061506.html
2.
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/compare/libXpm-3.5.15...libXpm-3.5.17

-- 
You are receiving this mail because:
You are the assignee for the bug.