X.org has issued an advisory today (January 17):
https://lists.x.org/archives/xorg-announce/2023-January/003312.html

The issues are fixed upstream in 3.5.15:
https://lists.x.org/archives/xorg-announce/2023-January/003313.html

Cauldron has been updated.
Ubuntu has issued an advisory for this on January 17:
https://ubuntu.com/security/notices/USN-5807-1
(In reply to David Walser from comment #0)
> The issues are fixed upstream in 3.5.15:
> Cauldron has been updated.

Thanks David. For Mageia 8 assigning globally, no packager in sight for this SRPM.
Assignee: bugsquad => pkg-bugs
Fedora has issued an advisory for this on January 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BJ2J3EVQMPPSES6ILLTGGH5XVLNDMCRP/
Status comment: (none) => Fixed upstream in 3.5.15
Severity: normal => critical
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

libXpm incorrectly handled calling external helper binaries. If libXpm was being used by a setuid binary, a local attacker could possibly use this issue to escalate privileges. (CVE-2022-4883)

libXpm incorrectly handled certain XPM files. If a user or automated system were tricked into opening a specially crafted XPM file, a remote attacker could possibly use this issue to cause libXpm to stop responding, resulting in a denial of service. (CVE-2022-44617, CVE-2022-46285)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4883
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44617
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46285
https://lists.x.org/archives/xorg-announce/2023-January/003312.html
https://lists.x.org/archives/xorg-announce/2023-January/003313.html
https://ubuntu.com/security/notices/USN-5807-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BJ2J3EVQMPPSES6ILLTGGH5XVLNDMCRP/
========================

Updated packages in core/updates_testing:
========================
lib(64)xpm4-3.5.15-1.mga8
lib(64)xpm-devel-3.5.15-1.mga8

from SRPM:
libxpm-3.5.15-1.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 3.5.15 => (none)
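A local triage helper for the advisory above, added here as an example and not part of the bug report or the libXpm project: it checks whether the installed lib(64)xpm4 package is at or above the fixed 3.5.15 release, and lists setuid/setgid executables that link libXpm, since the CVE-2022-4883 helper-binary issue only matters when libXpm runs inside a privileged process. It assumes a Mageia host with rpm and binutils' readelf available.

```shell
# Added triage helper (not from the Mageia bug report). Assumes rpm and
# readelf; readelf only parses ELF headers, so unlike ldd it never runs
# the binary it inspects.

# Return 0 when `readelf -d` output on stdin lists libXpm as a NEEDED library.
links_libxpm() {
    grep -q 'NEEDED.*\[libXpm\.so'
}

# Return 0 when dotted numeric version $1 is greater than or equal to $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# List setuid/setgid executables whose dynamic section pulls in libXpm.
scan_privileged_binaries() {
    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r bin; do
        if readelf -d "$bin" 2>/dev/null | links_libxpm; then
            echo "privileged binary links libXpm: $bin"
        fi
    done
}

# Compare the installed package (lib64xpm4 on x86_64, libxpm4 on i586)
# against the fixed upstream release named in the advisory.
check_package() {
    for pkg in lib64xpm4 libxpm4; do
        ver=$(rpm -q --qf '%{VERSION}' "$pkg" 2>/dev/null) || continue
        if version_ge "$ver" 3.5.15; then
            echo "$pkg $ver: at or above 3.5.15"
        else
            echo "$pkg $ver: older than 3.5.15, apply the update"
        fi
    done
}

if [ "${1:-}" = "--run" ]; then
    check_package
    scan_privileged_binaries
fi
```

Run it with `--run` as root so the find pass can read every setuid binary on the root filesystem.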
Tested in a MGA8-64 Plasma VirtualBox guest.

There were no installation issues.

libXpm is used to handle image files in the XPM format. I looked on the Internet for some sample files, and found them surprisingly difficult to find. But I did find one, an image of a teapot. So I decided to create them from a couple of my own images, using ImageMagick:

$ convert Airborne.jpg Airborne.xpm
$ convert OneidaGlow.jpg OneidaGlow.xpm

and

$ convert teapot.xpm teapot.png

Using the "display" command showed all conversions to be successful.

urpmq --whatrequires didn't show ImageMagick as requiring lib64xpm4, but it did show that Gimp requires it. So, I loaded each image, in turn, converted and original, into Gimp, and it displayed each with no issues. All images looked very nearly identical to the originals.

This looks OK to me. Validating. Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0031.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Can you provide details on the potential impact of the CVE-2022-4883, CVE-2022-44617, and CVE-2022-46285 vulnerabilities in libxpm, and are there any recommended interim measures or workarounds for users until a fix is released? https://retrobowl.college
CC: (none) => slopegameorg
CC: slopegameorg => (none)
(In reply to Mageia Robot from comment #6)
> An update for this issue has been pushed to the Mageia Updates repository.
> https://incrediboxsprunkiphase.org
> https://advisories.mageia.org/MGASA-2023-0031.html

Been there. Nothing new
CC: (none) => rowanbutler66
CC: rowanbutler66 => (none)
CC: (none) => fri
Touché... :)