Bug 31502

Summary: motif new security issues in xpm parsing
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: Christiaan Welvaart <cjw>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: marja11, nicolas.salguero
Version: 8   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: motif-2.3.8-5.mga9.src.rpm CVE:
Status comment:

Description David Walser 2023-02-03 01:40:42 CET
The recent libxpm update (Bug 31425) was for code shared with motif that dates way back.  Motif will need to be similarly patched, or patched to use libxpm, as was done for the Solaris platform:
https://www.openwall.com/lists/oss-security/2023/02/01/5

Comment 1 Marja Van Waes 2023-02-04 22:08:31 CET
Assigning to our Motif maintainer

CC: (none) => marja11
Assignee: bugsquad => cjw

Comment 2 Christiaan Welvaart 2023-02-05 23:37:00 CET
Fixed in cauldron by removing all this xpm code from motif. This unfortunately changes the binary interface of libxm.so.4. In Mageia, the change only affected mtink, which switched to using libxpm with a simple rebuild. Anyway, I don't have time to patch security issues in this xpm code in motif, or to keep the motif xpm interface but use libxpm internally.

No fix needed for MGA8?

Status: NEW => ASSIGNED

Comment 3 David Walser 2023-02-05 23:41:26 CET
I guess I'll keep the bug open just in case I see another distro make a patch for it.

Version: Cauldron => 8

Comment 4 Nicolas Salguero 2024-01-12 10:37:11 CET
Mageia 8 EOL

Resolution: (none) => OLD
CC: (none) => nicolas.salguero
Status: ASSIGNED => RESOLVED