Date: Mon, 27 Apr 2026 21:21:31 +0000 From: Kousuke Kannagi <mce@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 4ede684840cd - main - security/vuxml: Add libXpm vulnerability Message-ID: <69efd35b.3d841.2aa6b01e@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch main has been updated by mce: URL: https://cgit.FreeBSD.org/ports/commit/?id=4ede684840cdf6bb152ae298db9780375ebc5345 commit 4ede684840cdf6bb152ae298db9780375ebc5345 Author: Kousuke Kannagi <mce@FreeBSD.org> AuthorDate: 2026-04-27 12:11:28 +0000 Commit: Kousuke Kannagi <mce@FreeBSD.org> CommitDate: 2026-04-27 21:20:46 +0000 security/vuxml: Add libXpm vulnerability PR: 293154 Approved by: osa (mentor) --- security/vuxml/vuln/2026.xml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml index 65f32d2be87c..ce757517f870 100644 --- a/security/vuxml/vuln/2026.xml +++ b/security/vuxml/vuln/2026.xml @@ -1,3 +1,39 @@ + <vuln vid="dea605e6-41c9-11f1-8455-901b0e13f1a0"> + <topic>libXpm -- Out-of-bounds read in xpmNextWord()</topic> + <affects> + <package> + <name>libXpm</name> + <range><lt>3.5.19</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>The X.Org project reports:</p> + <blockquote cite="https://lists.x.org/archives/xorg-announce/2026-April/003690.html">; + <p> + libXpm uses a number of internal helper functions to parse the XPM + file format. + One of these internal functions, xpmNextString(), checks for the + NULL terminator when looking for the end of the current string but + not when looking for the beginning of the next string. + A small XPM file with a malformed color table definition may cause + the function xpmNextWord(), called from xpmParseColors() following + a call to xpmNextString(), to start past the actual end of the file, + causing an out-of-bound read. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2026-4367</cvename> + <url>https://lists.x.org/archives/xorg-announce/2026-April/003690.html</url>; + </references> + <dates> + <discovery>2026-04-21</discovery> + <entry>2026-04-27</entry> + </dates> + </vuln> + <vuln vid="88440f1d-4168-11f1-95f7-00a098b42aeb"> <topic>(lib)expat -- Insufficient entropy</topic> <affects>home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?69efd35b.3d841.2aa6b01e>