X.org has issued an advisory today (January 17):
https://lists.x.org/archives/xorg-announce/2023-January/003312.html

The issues are fixed upstream in 3.5.15:
https://lists.x.org/archives/xorg-announce/2023-January/003313.html

Cauldron has been updated.
Ubuntu has issued an advisory for this on January 17: https://ubuntu.com/security/notices/USN-5807-1
(In reply to David Walser from comment #0)
> The issues are fixed upstream in 3.5.15:
> Cauldron has been updated.

Thanks David. For Mageia 8, assigning globally: no packager in sight for this SRPM.
Assignee: bugsquad => pkg-bugs
Fedora has issued an advisory for this on January 22: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BJ2J3EVQMPPSES6ILLTGGH5XVLNDMCRP/
Status comment: (none) => Fixed upstream in 3.5.15
Severity: normal => critical
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

libXpm incorrectly handled calling external helper binaries. If libXpm was being used by a setuid binary, a local attacker could possibly use this issue to escalate privileges. (CVE-2022-4883)

libXpm incorrectly handled certain XPM files. If a user or automated system were tricked into opening a specially crafted XPM file, a remote attacker could possibly use this issue to cause libXpm to stop responding, resulting in a denial of service. (CVE-2022-44617, CVE-2022-46285)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4883
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44617
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46285
https://lists.x.org/archives/xorg-announce/2023-January/003312.html
https://lists.x.org/archives/xorg-announce/2023-January/003313.html
https://ubuntu.com/security/notices/USN-5807-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BJ2J3EVQMPPSES6ILLTGGH5XVLNDMCRP/
========================

Updated packages in core/updates_testing:
========================
lib(64)xpm4-3.5.15-1.mga8
lib(64)xpm-devel-3.5.15-1.mga8

from SRPM:
libxpm-3.5.15-1.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 3.5.15 => (none)
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
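As an added example illustrating the second issue in the suggested advisory above (crafted XPM input making libXpm stop responding), here is a small, deliberately defensive XPM3 reader in Python. It is not code from libXpm, X.org or Mageia, and it does not claim to reproduce the specific CVEs: the point it demonstrates is that every scanning loop is bounded by the input length and every header value is validated before anything is allocated, so a malformed file produces an error instead of a hang. The pixel cap MAX_PIXELS, the error messages, the helper names and the sample inputs are all constructed for this example.

```python
"""Defensive XPM3 reader (added example; not libXpm's parser)."""

MAX_PIXELS = 1 << 26  # assumed cap (~67M pixels); libXpm's own limits differ
COLOR_KEYS = ("c", "m", "g", "g4", "s")  # XPM3 color-key tokens


class XpmError(ValueError):
    """Any malformed input: the reader must fail, never loop."""


def extract_strings(text):
    """Return the double-quoted strings of an XPM file, in order.

    C comments outside strings are skipped.  Every branch advances the
    cursor, so the scan is bounded by len(text) for arbitrary garbage;
    an unterminated comment or string is reported, not spun on.
    """
    strings, i, n = [], 0, len(text)
    while i < n:
        if text.startswith("/*", i):
            end = text.find("*/", i + 2)
            if end < 0:
                raise XpmError("unterminated comment at offset %d" % i)
            i = end + 2
        elif text[i] == '"':
            j, buf = i + 1, []
            while j < n and text[j] != '"':
                if text[j] == "\\" and j + 1 < n:  # keep escaped char verbatim
                    buf.append(text[j + 1])
                    j += 2
                else:
                    buf.append(text[j])
                    j += 1
            if j >= n:
                raise XpmError("unterminated string at offset %d" % i)
            strings.append("".join(buf))
            i = j + 1
        else:
            i += 1
    return strings


def parse_color_line(line, cpp):
    """Split one color line into (pixel chars, color value).

    The first cpp characters are the pixel key (spaces allowed); the rest
    is key/value groups such as 'c #FF0000 s background'.  Multi-word
    color names are joined back together.
    """
    if len(line) < cpp:
        raise XpmError("color line shorter than chars-per-pixel: %r" % line)
    chars, specs, key = line[:cpp], {}, None
    for tok in line[cpp:].split():
        if tok in COLOR_KEYS:
            key = tok
            specs[key] = []
        elif key is None:
            raise XpmError("color value before any key: %r" % line)
        else:
            specs[key].append(tok)
    for key in ("c", "g", "g4", "m"):  # prefer color, then grey, then mono
        if specs.get(key):
            return chars, " ".join(specs[key])
    raise XpmError("no usable color for pixel %r" % chars)


def parse_xpm(text, max_pixels=MAX_PIXELS):
    """Parse XPM text into (width, height, rows of color strings)."""
    strings = extract_strings(text)
    if not strings:
        raise XpmError("no header string")
    fields = strings[0].split()
    if len(fields) < 4:
        raise XpmError("header needs width height ncolors cpp: %r" % strings[0])
    try:
        width, height, ncolors, cpp = (int(f) for f in fields[:4])
    except ValueError:
        raise XpmError("non-numeric header field: %r" % strings[0])
    # Reject degenerate or oversized geometry before allocating anything.
    if min(width, height, ncolors, cpp) <= 0:
        raise XpmError("dimensions must be positive: %r" % strings[0])
    if width * height > max_pixels:
        raise XpmError("image too large: %dx%d" % (width, height))
    needed = 1 + ncolors + height
    if len(strings) < needed:
        raise XpmError("truncated: need %d strings, have %d" % (needed, len(strings)))
    colors = dict(parse_color_line(s, cpp) for s in strings[1:1 + ncolors])
    rows = []
    for row in strings[1 + ncolors:needed]:
        if len(row) != width * cpp:
            raise XpmError("row length %d != %d" % (len(row), width * cpp))
        keys = [row[k:k + cpp] for k in range(0, len(row), cpp)]
        unknown = [k for k in keys if k not in colors]
        if unknown:
            raise XpmError("undefined pixel chars %r" % unknown[:3])
        rows.append([colors[k] for k in keys])
    return width, height, rows


def check_file(text):
    """Return (ok, detail): the verdict a QA harness wants per sample."""
    try:
        w, h, _ = parse_xpm(text)
    except XpmError as e:
        return False, str(e)
    return True, "%dx%d" % (w, h)


# Constructed sample inputs (not files from this bug report).
GOOD_XPM = """/* XPM */
static char *sample_xpm[] = {
/* width height ncolors chars-per-pixel */
"4 2 2 1",
"a c #FF0000",
"b c #0000FF s background",
/* pixels */
"abab",
"baba"
};
"""
UNCLOSED_COMMENT_XPM = '/* XPM */\nstatic char *x[] = {\n"1 1 1 1",\n"a c #000000",\n/* never closed\n"a"\n};\n'
ZERO_WIDTH_XPM = '/* XPM */\nstatic char *x[] = {\n"0 2147483647 1 1",\n"a c #000000",\n};\n'

if __name__ == "__main__":
    for name, text in (("good", GOOD_XPM), ("unclosed comment", UNCLOSED_COMMENT_XPM),
                       ("zero width", ZERO_WIDTH_XPM)):
        print(name, check_file(text))
```

The reader accepts the four mandatory header fields and ignores any optional hotspot or XPMEXT fields that follow them; real libXpm handles more of the format (extensions, pixmap/mask output), so this is a validation front end, not a replacement. Running the same three constructed inputs against a system's installed libXpm with a timeout would be one way to turn the QA procedure in this bug into a regression check.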
Tested in a MGA8-64 Plasma VirtualBox guest.

There were no installation issues.

libXpm is used to handle image files in the XPM format. I looked on the Internet for some sample files, and found them surprisingly difficult to find. But I did find one, an image of a teapot. So I decided to create them from a couple of my own images, using ImageMagick:

$ convert Airborne.jpg Airborne.xpm
$ convert OneidaGlow.jpg OneidaGlow.xpm

and

$ convert teapot.xpm teapot.png

Using the "display" command showed all conversions to be successful.

urpmq --whatrequires didn't show ImageMagick as requiring lib64xpm4, but it did show that Gimp requires it. So, I loaded each image, in turn, converted and original, into Gimp, and it displayed each with no issues. All images looked very nearly identical to the originals.

This looks OK to me. Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0031.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED