Re: [XMakemol-bugs] Problem with SuSE security fix

[Matt Hodges]

>>>>> Andre Janz writes:

 > I just had problems creating .xpm-files with xmakemol (versions
 > 5.10 through 5.13). The created .xpm-files are zero length and
 > xmakemol gives the error 'Cannot open <filename> for write'. The
 > problem occured both on SuSE 9.0 and 9.1. I traced the problem to a
 > new version of libXpm.so which was installed by the automatic
 > update process. See eg.
 > http://www.securitytracker.com/alerts/2004/Nov/1012255.html

Thanks for the reference.

 > For the moment I fixed this by installing the previous version of
 > libXpm.so (XFree86-libs-4.3.0.1-55.i586.rpm for SuSE 9.0 and
 > XFree86-libs-4.3.99.902-43.31.i586.rpm for SuSE 9.1.) and disabling
 > the automatic update. Could you investigate to see if the problem
 > lies in xmakemol or in the security 'fix'?

It's difficult for me to try and fix a problem I don't have; the
Debian XPM packages don't appear to have these security fixes included
yet.

In terms of security, XMakemol never reads in XPM files (the logo is
constructed from data distributed with the source, and this is
compiled into the executable). If you're worried about this
vulnerability in other programs, you could link XMakemol statically
against the version of libXpm that you know works, then upgrade.

Looking at the XPM code, the messages that you see must mean that
XpmWriteFileFromPixmap is returning XpmOpenFailed. I don't know why
this might be, but I'm not ruling out the possibility that there could
be a bug in XMakemol that has been asymptomatic until now.

I will investigate further. Thanks for the report,

Matt