31502 – motif new security issues in xpm parsing

Bug 31502 - motif new security issues in xpm parsing

Summary: motif new security issues in xpm parsing

Status:	RESOLVED OLD

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	Christiaan Welvaart
QA Contact:	Sec team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2023-02-03 01:40 CET by David Walser
Modified:	2024-01-12 10:37 CET (History)
CC List:	2 users (show)

See Also:
Source RPM:	motif-2.3.8-5.mga9.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2023-02-03 01:40:42 CET

The recent libxpm update (Bug 31425) was for code shared with motif that dates way back.  Motif will need to be similarly patched, or patched to use libxpm, as was done for the Solaris platform:
https://www.openwall.com/lists/oss-security/2023/02/01/5

Comment 1 Marja Van Waes 2023-02-04 22:08:31 CET

Assigning to our Motif maintainer

CC: (none) => marja11
Assignee: bugsquad => cjw

Comment 2 Christiaan Welvaart 2023-02-05 23:37:00 CET

Fixed in cauldron by removing all this xpm code from motif. This unfortunately changes the binary interface of libxm.so.4. In Mageia, the change only affected mtink, which switched to using libxpm with a simple rebuild. Anyway, I don't have time to patch security issues in this xpm code in motif, or to keep the motif xpm interface but use libxpm internally.

No fix needed for MGA8?

Status: NEW => ASSIGNED

Comment 3 David Walser 2023-02-05 23:41:26 CET

I guess I'll keep the bug open just in case I see another distro make a patch for it.

Version: Cauldron => 8

Comment 4 Nicolas Salguero 2024-01-12 10:37:11 CET

Mageia 8 EOL

Resolution: (none) => OLD
CC: (none) => nicolas.salguero
Status: ASSIGNED => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.