| Summary: | libxpm new security issues CVE-2022-4883, CVE-2022-44617, and CVE-2022-46285 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | libxpm-3.5.13-2.mga8.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2023-01-18 00:55:30 CET

Ubuntu has issued an advisory for this on January 17:
https://ubuntu.com/security/notices/USN-5807-1

(In reply to David Walser from comment #0)
> The issues are fixed upstream in 3.5.15:
> Cauldron has been updated.

Thanks David. For Mageia 8 assigning globally, no packager in sight for this SRPM.

Assignee: bugsquad => pkg-bugs

Fedora has issued an advisory for this on January 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BJ2J3EVQMPPSES6ILLTGGH5XVLNDMCRP/

Status comment: (none) => Fixed upstream in 3.5.15

David Walser
2023-01-23 22:21:59 CET

Severity: normal => critical

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

libXpm incorrectly handled calling external helper binaries. If libXpm was being used by a setuid binary, a local attacker could possibly use this issue to escalate privileges. (CVE-2022-4883)

libXpm incorrectly handled certain XPM files. If a user or automated system were tricked into opening a specially crafted XPM file, a remote attacker could possibly use this issue to cause libXpm to stop responding, resulting in a denial of service. (CVE-2022-44617, CVE-2022-46285)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4883
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44617
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46285
https://lists.x.org/archives/xorg-announce/2023-January/003312.html
https://lists.x.org/archives/xorg-announce/2023-January/003313.html
https://ubuntu.com/security/notices/USN-5807-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BJ2J3EVQMPPSES6ILLTGGH5XVLNDMCRP/
========================

Updated packages in core/updates_testing:
========================
lib(64)xpm4-3.5.15-1.mga8
lib(64)xpm-devel-3.5.15-1.mga8

from SRPM:
libxpm-3.5.15-1.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs

Tested in a MGA8-64 Plasma VirtualBox guest. There were no installation issues.
libXpm is used to handle image files in the XPM format. I looked on the Internet for some sample files, and found them surprisingly difficult to find. But I did find one, an image of a teapot.
So I decided to create them from a couple of my own images, using ImageMagick:
$ convert Airborne.jpg Airborne.xpm
$ convert OneidaGlow.jpg OneidaGlow.xpm
and
$ convert teapot.xpm teapot.png
Using the "display" command showed all conversions to be successful.
urpmq --whatrequires didn't show ImageMagick as requiring lib64xpm4, but it did show that Gimp requires it. So, I loaded each image, in turn, converted and original, into Gimp, and it displayed each with no issues. All images looked very nearly identical to the originals.
This looks OK to me. Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
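The advisory above describes crafted XPM files that make libXpm stop responding, and the QA comment exercises the library with files produced by ImageMagick. As an added illustration of the kind of structural pre-check an application that feeds untrusted XPM input to libXpm can apply, the following is example code written for this report (not part of libXpm, Mageia's packaging, or the tester's procedure): a small XPM3 parser that rejects files whose values line, colour table and pixel rows disagree with each other, or that contain an unterminated C comment. The sample image, the function names and the `MAX_PIXELS` limit are the example's own.

```python
"""Structural sanity checks for XPM3 (C-array) image files.

Example code for this bug report, not part of libXpm or Mageia packaging.
An XPM3 file is a C char array whose string literals are, in order: a values
line "<width> <height> <ncolors> <chars_per_pixel> [x_hot y_hot] [XPMEXT]",
ncolors colour lines, then height pixel rows of width * chars_per_pixel chars.
"""
import re

# Upper bound on decoded pixel count accepted by this example consumer.
# Chosen for the example; it is not a libXpm constant.
MAX_PIXELS = 50_000_000

# Constructed 4x3 two-colour sample (not one of the tester's images).
SAMPLE_XPM = """/* XPM */
static char * sample_xpm[] = {
"4 3 2 1",
"  c None",
". c #000000",
"....",
".  .",
"....",
};
"""


def _strings(text):
    """Return the C string literals of an XPM3 file, in order."""
    # Comments may sit between the literals. Strip complete comments first,
    # then refuse a file that still contains an opening "/*": a scanner that
    # waits for the matching "*/" would never reach the end of such a file.
    # (A '/*' inside a string literal would also be rejected; acceptable here.)
    cleaned = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    if "/*" in cleaned:
        raise ValueError("unterminated C comment")
    return re.findall(r'"([^"]*)"', cleaned)


def validate_xpm(text):
    """Check an XPM3 file for internal consistency.

    Returns (width, height, ncolors, chars_per_pixel) or raises ValueError.
    """
    if not text.lstrip().startswith("/* XPM */"):
        raise ValueError("missing XPM magic comment")
    strings = _strings(text)
    if not strings:
        raise ValueError("no values line")
    fields = strings[0].split()
    if len(fields) < 4:
        raise ValueError("values line needs width height ncolors cpp")
    try:
        width, height, ncolors, cpp = (int(f) for f in fields[:4])
    except ValueError:
        raise ValueError("non-integer value in values line") from None
    if min(width, height, ncolors, cpp) <= 0:
        raise ValueError("width, height, ncolors and cpp must all be > 0")
    if width * height > MAX_PIXELS:
        raise ValueError("image exceeds this consumer's pixel limit")
    # Optional trailing fields: hotspot "x_hot y_hot" and/or the XPMEXT flag.
    extra = fields[4:]
    if extra and extra[-1] == "XPMEXT":
        extra = extra[:-1]
    if extra and (len(extra) != 2 or not all(e.lstrip("-").isdigit() for e in extra)):
        raise ValueError("malformed hotspot fields")
    needed = 1 + ncolors + height
    if len(strings) < needed:
        raise ValueError(f"expected {needed} strings, found {len(strings)}")
    # Colour table: each entry starts with a cpp-character key, then its spec.
    keys = set()
    for line in strings[1:1 + ncolors]:
        if len(line) <= cpp:
            raise ValueError("colour line shorter than key + colour spec")
        key = line[:cpp]
        if key in keys:
            raise ValueError(f"duplicate colour key {key!r}")
        keys.add(key)
    # Pixel rows: exact length, and every cpp-character cell must be a known key.
    row_len = width * cpp
    for y, row in enumerate(strings[1 + ncolors:needed]):
        if len(row) != row_len:
            raise ValueError(f"row {y}: {len(row)} chars, expected {row_len}")
        for x in range(0, row_len, cpp):
            cell = row[x:x + cpp]
            if cell not in keys:
                raise ValueError(f"row {y}, column {x // cpp}: undefined colour {cell!r}")
    return width, height, ncolors, cpp


def is_well_formed(text):
    """Accept/reject wrapper around validate_xpm for callers that need a bool."""
    try:
        validate_xpm(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(validate_xpm(SAMPLE_XPM))
```

The check is deliberately shape-only: it confirms that the header, colour table and rows are mutually consistent and bounded before the bytes reach the real decoder, which narrows what a crafted file can hand to libXpm but is no substitute for installing the fixed 3.5.15 packages listed in the advisory.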
Dave Hodgins
2023-02-06 20:46:57 CET

CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0031.html

Status: ASSIGNED => RESOLVED