Debian Bug report logs - #308819
openmotif: affected by vulnerabilities in libxpm
Reported by: Matej Vela <vela@debian.org>
Date: Thu, 12 May 2005 15:18:07 UTC
Severity: grave
Tags: patch, security
Found in versions 2.1.30-5, 2.2.3-1
Fixed in version openmotif/2.2.3-1.1
Done: Joey Hess <joeyh@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Gerd Knorr <kraxel@debian.org>:
Bug#308819; Package openmotif.
Acknowledgement sent to Matej Vela <vela@debian.org>:
New Bug report received and forwarded. Copy sent to Gerd Knorr <kraxel@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: openmotif
Version: 2.1.30-5, 2.2.3-1
Severity: grave
Tags: security
OpenMotif includes an outdated copy of the Xpm library with a number of
vulnerabilities: CAN-2004-0687, CAN-2004-0688, CAN-2004-0914, and
CAN-2005-0605.
(Note that the patches supplied by X.Org contain several regressions
(#286164, #308783). Hopefully, Debian's xfree86 package will have a
definitive patch soon.)
Thanks,
Matej
Information forwarded to debian-bugs-dist@lists.debian.org, Gerd Knorr <kraxel@debian.org>:
Bug#308819; Package openmotif.
Acknowledgement sent to Frank Lichtenheld <djpig@debian.org>:
Extra info received and forwarded to list. Copy sent to Gerd Knorr <kraxel@debian.org>.
Message #10 received at 308819@bugs.debian.org:
On Thu, May 12, 2005 at 05:12:46PM +0200, Matej Vela wrote:
> OpenMotif includes an outdated copy of the Xpm library with a number of
> vulnerabilities: CAN-2004-0687, CAN-2004-0688, CAN-2004-0914, and
> CAN-2005-0605.
I investigated this a bit and it seems that upstream has only made
fixes available for the first two CANs so far. For reference, I attached
the output of a cvs diff between 2.2.3 and 2.2.4 of the affected files
(AFAICT).
Gruesse,
--
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/
[xpmvuln.openmotif.patch (text/plain, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Gerd Knorr <kraxel@debian.org>:
Bug#308819; Package openmotif.
Acknowledgement sent to Kenshi Muto <kmuto@debian.org>:
Extra info received and forwarded to list. Copy sent to Gerd Knorr <kraxel@debian.org>.
Message #15 received at 308819@bugs.debian.org:
tags + patch
thanks
Hi,
> > OpenMotif includes an outdated copy of the Xpm library with a number of
> > vulnerabilities: CAN-2004-0687, CAN-2004-0688, CAN-2004-0914, and
> > CAN-2005-0605.
> I investigated this a bit and it seems that upstream only has made
> fixes available for the first two CANs yet. For reference I attached
> the output of a cvs diff between 2.2.3 and 2.2.4 of the affected files
> (AFAICT)
I created a patch for the two missing pieces and modified djpig's patch to
suit the Debian package.
All of them are taken from the XFree86 CVS diff.
For testing, ida and mwm still appear to work correctly (although mwm misses
system.mwmrc due to incorrect original rules).
Thanks,
--
Kenshi Muto
kmuto@debian.org
[xpm.patch.tar.gz (application/octet-stream, attachment)]
Tags added: patch
Request was from Kenshi Muto <kmuto@debian.org>
to control@bugs.debian.org.
Message sent on to Matej Vela <vela@debian.org>:
Bug#308819.
Information forwarded to debian-bugs-dist@lists.debian.org, Gerd Knorr <kraxel@debian.org>:
Bug#308819; Package openmotif.
Acknowledgement sent to Kenshi Muto <kmuto@debian.org>:
Extra info received and forwarded to list. Copy sent to Gerd Knorr <kraxel@debian.org>.
Message #25 received at 308819@bugs.debian.org:
Here is the final patch, taken from the Debian xfree86 svn repository.
Thanks,
--
Kenshi Muto
kmuto@debian.org
[xpmvuln.openmotif.patch.gz (application/octet-stream, attachment)]
Tags added: fixed
Request was from Kenshi Muto <kmuto@debian.org>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Gerd Knorr <kraxel@debian.org>:
Bug#308819; Package openmotif.
Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Gerd Knorr <kraxel@debian.org>.
Message #32 received at 308819@bugs.debian.org:
tags 308819 = patch security woody sarge etch
thanks
Although an NMU was uploaded for this bug, because openmotif is in non-free
there were no autobuilds for the package and so it was not updated in time
for release. This bug still exists in sarge and etch, and possibly in woody
as well.
--
Steve Langasek
postmodern programmer
[signature.asc (application/pgp-signature, inline)]
Tags set to: patch, security, woody, sarge, etch
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
Tags removed: etch
Request was from Joey Hess <joeyh@debian.org>
to control@bugs.debian.org.
Tags removed: sarge
Request was from Joey Hess <joeyh@debian.org>
to control@bugs.debian.org.
Tags removed: woody
Request was from Joey Hess <joeyh@debian.org>
to control@bugs.debian.org.
Bug marked as fixed in version 2.2.3-1.1, send any further explanations to Matej Vela <vela@debian.org>
Request was from Joey Hess <joeyh@debian.org>
to control@bugs.debian.org.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 24 Jun 2007 19:09:01 GMT)
Last modified: Tue Aug 14 22:48:58 2018