[ANNOUNCE] libXpm 3.5.17

Alan Coopersmith alan.coopersmith at oracle.com
Tue Oct 3 16:29:27 UTC 2023 

libXpm - X Pixmap (XPM) image file format library
-------------------------------------------------

This release contains fixes for the issues reported in today's security
advisory: https://lists.x.org/archives/xorg-announce/2023-October/003424.html

Alan Coopersmith (10):
      Set close-on-exec when opening files
      test: use g_pattern_spec_match_string if available
      Explicitly mark non-static symbols as export or hidden
      Fix CVE-2023-43788: Out of bounds read in XpmCreateXpmImageFromBuffer
      test: Add test case for CVE-2023-43789 (corrupt colormap info)
      Fix CVE-2023-43789: Out of bounds read on XPM with corrupted colormap
      test: Add test case for CVE-2023-43786 (stack exhaustion in PutImage)
      Avoid CVE-2023-43786: stack exhaustion in XPutImage()
      test: Add test case for CVE-2023-43787 (integer overflow in XCreateImage)
      libXpm 3.5.17

Yair Mizrahi (1):
      Avoid CVE-2023-43787 (integer overflow in XCreateImage)

git tag: libXpm-3.5.17

https://xorg.freedesktop.org/archive/individual/lib/libXpm-3.5.17.tar.gz
SHA256: 959466c7dfcfcaa8a65055bfc311f74d4c43d9257900f85ab042604d286df0c6  libXpm-3.5.17.tar.gz
SHA512: 01d1b2dcbdd0c7927add19852ec1e68575d5957f043471b0aa6e2b3deb4df397e68a616e6d257ac5a38f60a836eacaae3dc0de5c4c312050673032edbc30f077  libXpm-3.5.17.tar.gz
PGP:  https://xorg.freedesktop.org/archive/individual/lib/libXpm-3.5.17.tar.gz.sig

https://xorg.freedesktop.org/archive/individual/lib/libXpm-3.5.17.tar.xz
SHA256: 64b31f81019e7d388c822b0b28af8d51c4622b83f1f0cb6fa3fc95e271226e43  libXpm-3.5.17.tar.xz
SHA512: 52f9d2664a47a26c1a6ad65d18867de870b66947b0b0d99cca3512756a0aaa6ce2a245c0b49f20b70c3ce48bf04c47c333e8119a147465c277bca727f6ab017e  libXpm-3.5.17.tar.xz
PGP:  https://xorg.freedesktop.org/archive/individual/lib/libXpm-3.5.17.tar.xz.sig

-- 
        -Alan Coopersmith-                 alan.coopersmith at oracle.com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.x.org/archives/xorg-announce/attachments/20231003/078f51df/attachment.sig>

More information about the xorg-announce mailing list