Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected], [email protected]
Control: affects -1 + src:libxpm
User: [email protected]
Usertags: pu
This fixes a low severity security issue in libxpm. Tests via debusine
look all good and the fix has been in testing for over five weeks now.
debdiff below.
Cheers,
Moritz
diff -u libxpm-3.5.17/debian/changelog libxpm-3.5.17/debian/changelog
--- libxpm-3.5.17/debian/changelog
+++ libxpm-3.5.17/debian/changelog
@@ -1,3 +1,9 @@
+libxpm (1:3.5.17-1+deb13u1) trixie; urgency=medium
+
+ * CVE-2026-4367 (Closes: #1134690)
+
+ -- Moritz Mühlenhoff <[email protected]> Mon, 08 Jun 2026 22:27:18 +0200
+
libxpm (1:3.5.17-1) unstable; urgency=high
[ Timo Aaltonen ]
only in patch2:
unchanged:
--- libxpm-3.5.17.orig/src/data.c
+++ libxpm-3.5.17/src/data.c
@@ -210,6 +210,9 @@
while ((c = *data->cptr++) && c != data->Bos && c != '\0')
if (data->Bcmt && c == data->Bcmt[0])
ParseComment(data);
+
+ if (c == '\0')
+ return XpmFileInvalid;
} else if (data->Bcmt) { /* XPM2 natural */
while (((c = *data->cptr++) == data->Bcmt[0]) && c != '\0')
ParseComment(data);
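Review bot: The new early return in the `data->Bos` branch fires after `*data->cptr++` has already stepped past the terminating NUL, so `data->cptr` is left one byte beyond the terminator on the error path. That is safe only if every caller stops parsing on `XpmFileInvalid`; this patch adds checks at four call sites in parse.c, and any caller not shown here that still ignores the return value would go on reading from that position. Stepping back before returning keeps the cursor on the terminator: `if (c == '\0') { data->cptr--; return XpmFileInvalid; }`. The XPM2 natural branch just below uses the same post-increment loop and gets no equivalent check in this hunk. The enclosing function (presumably xpmNextString, given the parse.c changes) starts and ends outside the hunk, so whether that branch is handled further down cannot be seen from here.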
only in patch2:
unchanged:
--- libxpm-3.5.17.orig/src/parse.c
+++ libxpm-3.5.17/src/parse.c
@@ -221,7 +221,9 @@
if (!data->format) { /* XPM 2 or 3 */
for (a = 0, color = colorTable; a < ncolors; a++, color++) {
- xpmNextString(data); /* skip the line */
+ ErrorStatus = xpmNextString(data); /* skip the line */
+ if (ErrorStatus != XpmSuccess)
+ goto error;
/*
* read pixel value
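Review bot: The new `goto error` inside the colour loop can be taken while `colorTable` is only partly filled, and the `error:` label lies outside every hunk shown here. It should be confirmed that the cleanup there tolerates entries that were never assigned, for instance because the table is zero-initialised. The same applies to the checks added in the hunks at -319, -359 and -383. A short comment at each site would record why the status is now checked, e.g. `/* truncated input: stop instead of reading past the end of the data */`. The function containing these loops starts and ends outside the hunks.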
@@ -319,7 +321,9 @@
/* get to the beginning of the first string */
data->Bos = '"';
data->Eos = '\0';
- xpmNextString(data);
+ ErrorStatus = xpmNextString(data);
+ if (ErrorStatus != XpmSuccess)
+ goto error;
data->Eos = '"';
for (a = 0, color = colorTable; a < ncolors; a++, color++) {
@@ -359,7 +363,9 @@
/*
* read color values
*/
- xpmNextString(data); /* get to the next string */
+ ErrorStatus = xpmNextString(data); /* get to the next string */
+ if (ErrorStatus != XpmSuccess)
+ goto error;
*curbuf = '\0'; /* init curbuf */
while ((l = xpmNextWord(data, buf, BUFSIZ))) {
if (*curbuf != '\0') {
@@ -383,8 +389,11 @@
memcpy(s, curbuf, len);
color->c_color = s;
*curbuf = '\0'; /* reset curbuf */
- if (a < ncolors - 1) /* can we trust ncolors -> leave data's
bounds */
- xpmNextString(data); /* get to the next string */
+ if (a < ncolors - 1) { /* can we trust ncolors -> leave data's
bounds */
+ ErrorStatus = xpmNextString(data); /* get to the next
string */
+ if (ErrorStatus != XpmSuccess)
+ goto error;
+ }
}
}
*colorTablePtr = colorTable;
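Review bot: The retained comment `can we trust ncolors -> leave data's bounds` still reads as an open question, although the block it sits on now has a definite behaviour. From the visible lines, the `a < ncolors - 1` guard skips the advance after the last colour, and a failed advance between colours now aborts via `goto error`. Rewording it to something like `/* no advance after the last colour; running out of data is reported by xpmNextString */` would state what the code does. This assumes the status check is what catches a short buffer here, which depends on xpmNextString code outside this hunk.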