automatic import of libXpmopeneuler24.03_LTS

1 files changed, 144 insertions, 0 deletions

diff --git a/0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch b/0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
new file mode 100644
index 0000000..7ba81de
--- /dev/null
+++ b/0005-Fix-CVE-2022-4883-compression-commands-depend-on-PAT.patch
@@ -0,0 +1,144 @@
+From cdbc3fa8edc5b42391a5f2bfe1a8f6099929acf7 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 6 Jan 2023 12:50:48 -0800
+Subject: [PATCH libXpm 5/6] Fix CVE-2022-4883: compression commands depend on
+ $PATH
+
+By default, on all platforms except MinGW, libXpm will detect if a
+filename ends in .Z or .gz, and will when reading such a file fork off
+an uncompress or gunzip command to read from via a pipe, and when
+writing such a file will fork off a compress or gzip command to write
+to via a pipe.
+
+In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH
+to find the commands.  If libXpm is called from a program running with
+raised privileges, such as via setuid, then a malicious user could set
+$PATH to include programs of their choosing to be run with those
+privileges.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ README.md    | 12 ++++++++++++
+ configure.ac | 14 ++++++++++++++
+ src/RdFToI.c | 17 ++++++++++++++---
+ src/WrFFrI.c |  4 ++--
+ 4 files changed, 42 insertions(+), 5 deletions(-)
+
+diff --git a/README.md b/README.md
+index f3f4c93..0b1c886 100644
+--- a/README.md
++++ b/README.md
+@@ -31,3 +31,15 @@ if it can't find the file it was asked to open.  It relies on the
+ --enable-open-zfile feature to open the file, and is enabled by default
+ when --enable-open-zfile is enabled, and can be disabled by passing the
+ --disable-stat-zfile flag to the configure script.
++
++All of these commands will be executed with whatever userid & privileges the
++function is called with, relying on the caller to ensure the correct euid,
++egid, etc. are set before calling.
++
++To reduce risk, the paths to these commands are now set at configure time to
++the first version found in the PATH used to run configure, and do not depend
++on the PATH environment variable set at runtime.
++
++To specify paths to be used for these commands instead of searching $PATH, pass
++the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, XPM_PATH_GZIP, and XPM_PATH_GUNZIP
++variables to the configure command.
+diff --git a/configure.ac b/configure.ac
+index 85e2c73..4fc370d 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -49,6 +49,14 @@ if test "x$USE_GETTEXT" = "xyes" ; then
+ fi
+ AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes")
+ 
++dnl Helper macro to find absolute path to program and add a #define for it
++AC_DEFUN([XPM_PATH_PROG],[
++AC_PATH_PROG([$1], [$2], [])
++AS_IF([test "x$$1" = "x"],
++      [AC_MSG_ERROR([$2 not found, set $1 or use --disable-stat-zfile])])
++AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path to $2])
++]) dnl End of AC_DEFUN([XPM_PATH_PROG]...
++
+ # Optional feature: When a filename ending in .Z or .gz is requested,
+ # open a pipe to a newly forked compress/uncompress/gzip/gunzip command to
+ # handle it.
+@@ -64,6 +72,12 @@ AC_ARG_ENABLE(open-zfile,
+ AC_MSG_RESULT([$OPEN_ZFILE])
+ if test x$OPEN_ZFILE = xno ; then
+         AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes])
++else
++        XPM_PATH_PROG([XPM_PATH_COMPRESS], [compress])
++        XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress])
++        XPM_PATH_PROG([XPM_PATH_GZIP], [gzip])
++        XPM_PATH_PROG([XPM_PATH_GUNZIP], [gunzip])
++        AC_CHECK_FUNCS([closefrom close_range], [break])
+ fi
+ 
+ # Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz
+diff --git a/src/RdFToI.c b/src/RdFToI.c
+index bd09611..a91d337 100644
+--- a/src/RdFToI.c
++++ b/src/RdFToI.c
+@@ -43,6 +43,7 @@
+ #include <errno.h>
+ #include <sys/types.h>
+ #include <sys/wait.h>
++#include <unistd.h>
+ #else
+ #ifdef FOR_MSW
+ #include <fcntl.h>
+@@ -161,7 +162,17 @@ xpmPipeThrough(
+ 	    goto err;
+ 	if ( 0 == pid )
+ 	{
+-	    execlp(cmd, cmd, arg1, (char *)NULL);
++#ifdef HAVE_CLOSEFROM
++	    closefrom(3);
++#elif defined(HAVE_CLOSE_RANGE)
++# ifdef CLOSE_RANGE_UNSHARE
++#  define close_range_flags CLOSE_RANGE_UNSHARE
++# else
++#  define close_range_flags 0
++#endif
++	    close_range(3, ~0U, close_range_flags);
++#endif
++	    execl(cmd, cmd, arg1, (char *)NULL);
+ 	    perror(cmd);
+ 	    goto err;
+ 	}
+@@ -235,12 +246,12 @@ OpenReadFile(
+ 	if ( ext && !strcmp(ext, ".Z") )
+ 	{
+ 	    mdata->type = XPMPIPE;
+-	    mdata->stream.file = xpmPipeThrough(fd, "uncompress", "-c", "r");
++	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_UNCOMPRESS, "-c", "r");
+ 	}
+ 	else if ( ext && !strcmp(ext, ".gz") )
+ 	{
+ 	    mdata->type = XPMPIPE;
+-	    mdata->stream.file = xpmPipeThrough(fd, "gunzip", "-qc", "r");
++	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GUNZIP, "-qc", "r");
+ 	}
+ 	else
+ #endif /* z-files */
+diff --git a/src/WrFFrI.c b/src/WrFFrI.c
+index 328c987..d59098f 100644
+--- a/src/WrFFrI.c
++++ b/src/WrFFrI.c
+@@ -342,10 +342,10 @@ OpenWriteFile(
+ #ifndef NO_ZPIPE
+ 	len = strlen(filename);
+ 	if (len > 2 && !strcmp(".Z", filename + (len - 2))) {
+-	    mdata->stream.file = xpmPipeThrough(fd, "compress", NULL, "w");
++	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_COMPRESS, NULL, "w");
+ 	    mdata->type = XPMPIPE;
+ 	} else if (len > 3 && !strcmp(".gz", filename + (len - 3))) {
+-	    mdata->stream.file = xpmPipeThrough(fd, "gzip", "-q", "w");
++	    mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-q", "w");
+ 	    mdata->type = XPMPIPE;
+ 	} else
+ #endif
+-- 
+2.39.0
+