Fix several issues in libXpm :

CVE-2022-46285: Infinite loop on unclosed comments
CVE-2022-44617: Runaway loop on width of 0 and enormous height
CVE-2022-4883: compression commands depend on $PATH

1 files changed, 215 insertions, 17 deletions

diff --git a/lib/libXpm/configure b/lib/libXpm/configure
index facc84e4a..55cede5f7 100644
--- a/lib/libXpm/configure
+++ b/lib/libXpm/configure
@@ -637,6 +637,10 @@ ac_subst_vars='am__EXEEXT_FALSE
 am__EXEEXT_TRUE
 LTLIBOBJS
 LIBOBJS
+XPM_PATH_GUNZIP
+XPM_PATH_GZIP
+XPM_PATH_UNCOMPRESS
+XPM_PATH_COMPRESS
 USE_GETTEXT_FALSE
 USE_GETTEXT_TRUE
 LOCALEDIR
@@ -800,7 +804,6 @@ enable_selective_werror
 enable_strict_compilation
 enable_silent_rules
 with_localedir
-enable_stat_zfile
 '
       ac_precious_vars='build_alias
 host_alias
@@ -1467,8 +1470,6 @@ Optional Features:
                           errors (default: disabled)
   --enable-silent-rules   less verbose build output (undo: "make V=1")
   --disable-silent-rules  verbose build output (undo: "make V=0")
-  --enable-stat-zfile     Search for files with .Z & .gz extensions
-                          automatically [default=yes]
 
 Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
@@ -17890,30 +17891,227 @@ else
 fi
 
 
-# Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz
-# Replaces ZFILEDEF = -DSTAT_ZFILE in old Imakefile
-# Check whether --enable-stat-zfile was given.
-if test "${enable_stat_zfile+set}" = set; then :
-  enableval=$enable_stat_zfile; STAT_ZFILE=$enableval
+
+case $host_os in
+        *mingw*)
+
+$as_echo "#define NO_ZPIPE 1" >>confdefs.h
+
+        ;;
+        *)
+
+# Extract the first word of "compress", so it can be a program name with args.
+set dummy compress; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_XPM_PATH_COMPRESS+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $XPM_PATH_COMPRESS in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_XPM_PATH_COMPRESS="$XPM_PATH_COMPRESS" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_XPM_PATH_COMPRESS="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+XPM_PATH_COMPRESS=$ac_cv_path_XPM_PATH_COMPRESS
+if test -n "$XPM_PATH_COMPRESS"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $XPM_PATH_COMPRESS" >&5
+$as_echo "$XPM_PATH_COMPRESS" >&6; }
 else
-  STAT_ZFILE=yes
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+if test "x$XPM_PATH_COMPRESS" = "x"; then :
+  as_fn_error $? "compress not found, set XPM_PATH_COMPRESS or use --disable-stat-zfile" "$LINENO" 5
 fi
 
-if test x$STAT_ZFILE = xyes ; then
+cat >>confdefs.h <<_ACEOF
+#define XPM_PATH_COMPRESS "$XPM_PATH_COMPRESS"
+_ACEOF
+
 
-$as_echo "#define STAT_ZFILE 1" >>confdefs.h
 
+# Extract the first word of "uncompress", so it can be a program name with args.
+set dummy uncompress; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_XPM_PATH_UNCOMPRESS+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $XPM_PATH_UNCOMPRESS in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_XPM_PATH_UNCOMPRESS="$XPM_PATH_UNCOMPRESS" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_XPM_PATH_UNCOMPRESS="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+XPM_PATH_UNCOMPRESS=$ac_cv_path_XPM_PATH_UNCOMPRESS
+if test -n "$XPM_PATH_UNCOMPRESS"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $XPM_PATH_UNCOMPRESS" >&5
+$as_echo "$XPM_PATH_UNCOMPRESS" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
 fi
 
 
-case $host_os in
-	*mingw*)
+if test "x$XPM_PATH_UNCOMPRESS" = "x"; then :
+  as_fn_error $? "uncompress not found, set XPM_PATH_UNCOMPRESS or use --disable-stat-zfile" "$LINENO" 5
+fi
 
-$as_echo "#define NO_ZPIPE 1" >>confdefs.h
+cat >>confdefs.h <<_ACEOF
+#define XPM_PATH_UNCOMPRESS "$XPM_PATH_UNCOMPRESS"
+_ACEOF
 
-	;;
-	*)
-	;;
+
+
+# Extract the first word of "gzip", so it can be a program name with args.
+set dummy gzip; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_XPM_PATH_GZIP+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $XPM_PATH_GZIP in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_XPM_PATH_GZIP="$XPM_PATH_GZIP" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_XPM_PATH_GZIP="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+XPM_PATH_GZIP=$ac_cv_path_XPM_PATH_GZIP
+if test -n "$XPM_PATH_GZIP"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $XPM_PATH_GZIP" >&5
+$as_echo "$XPM_PATH_GZIP" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+if test "x$XPM_PATH_GZIP" = "x"; then :
+  as_fn_error $? "gzip not found, set XPM_PATH_GZIP or use --disable-stat-zfile" "$LINENO" 5
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define XPM_PATH_GZIP "$XPM_PATH_GZIP"
+_ACEOF
+
+
+
+# Extract the first word of "gunzip", so it can be a program name with args.
+set dummy gunzip; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_XPM_PATH_GUNZIP+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $XPM_PATH_GUNZIP in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_XPM_PATH_GUNZIP="$XPM_PATH_GUNZIP" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_XPM_PATH_GUNZIP="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  ;;
+esac
+fi
+XPM_PATH_GUNZIP=$ac_cv_path_XPM_PATH_GUNZIP
+if test -n "$XPM_PATH_GUNZIP"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $XPM_PATH_GUNZIP" >&5
+$as_echo "$XPM_PATH_GUNZIP" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+if test "x$XPM_PATH_GUNZIP" = "x"; then :
+  as_fn_error $? "gunzip not found, set XPM_PATH_GUNZIP or use --disable-stat-zfile" "$LINENO" 5
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define XPM_PATH_GUNZIP "$XPM_PATH_GUNZIP"
+_ACEOF
+
+
+                for ac_func in closefrom close_range
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+ break
+fi
+done
+
+        ;;
 esac
 
 ac_config_files="$ac_config_files Makefile doc/Makefile include/Makefile man/Makefile src/Makefile sxpm/Makefile cxpm/Makefile xpm.pc"