Bug 32359 - libXpm new security issues CVE-2023-4378[89]
Summary: libXpm new security issues CVE-2023-4378[89]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-10-09 15:58 CEST by Nicolas Salguero
Modified: 2023-10-20 10:35 CEST
6 users

See Also:
Source RPM: libxpm-3.5.15-1.mga9.src.rpm
CVE:
Status comment:


Attachments
sample xpm file (35.38 KB, image/x-xpixmap)
2023-10-14 14:33 CEST, Herman Viaene

Description Nicolas Salguero 2023-10-09 15:58:54 CEST
Hi,

Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2023/10/03/1

Best regards,

Nico.
Nicolas Salguero 2023-10-09 15:59:19 CEST

Source RPM: (none) => libxpm-3.5.15-1.mga9.src.rpm
CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA9TOO, MGA8TOO

Comment 1 Lewis Smith 2023-10-09 20:16:58 CEST
No packager in evidence, assigning globally.

Status comment: (none) => Fixed in libXpm 3.5.17
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2023-10-11 11:59:57 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A vulnerability was found in libXpm due to a boundary condition within the XpmCreateXpmImageFromBuffer() function. This flaw allows a local user to trigger an out-of-bounds read error and read the contents of memory on the system. (CVE-2023-43788)

Out of bounds read on XPM with corrupted colormap. (CVE-2023-43789)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43788
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43789
https://www.openwall.com/lists/oss-security/2023/10/03/1
========================

Updated packages in {8|9}/core/updates_testing:
========================
lib(64)xpm4-3.5.15-1.1.mga{8|9}
lib(64)xpm-devel-3.5.15-1.1.mga{8|9}

from SRPM:
libxpm-3.5.15-1.1.mga{8|9}.src.rpm

Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 9
Status: NEW => ASSIGNED
Status comment: Fixed in libXpm 3.5.17 => (none)

Comment 3 Marja Van Waes 2023-10-12 11:34:30 CEST
Advisory from comment 2 added to SVN. Please remove the "advisory" keyword if it needs to be changed.

Keywords: (none) => advisory
CC: (none) => marja11

Comment 4 Herman Viaene 2023-10-14 14:32:21 CEST
MGA9-64 Xfce on Acer Aspire 5253
No installation issues
Ref bug 31425 Comment 5 for testing.
I will upload the sample xpm file found at https://people.math.sc.edu/Burkardt/data/xpm/xpm.html.
$ convert shelt0001.jpeg shelt0001.xpm
$ convert shelt0003.jpeg shelt0003.xpm
$ convert teapot.xpm teapot.jpg
$ convert pasfotoriet.tif pasfotoriet.xpm
All files, originals and converted, look OK with the display command and in GIMP. So OK for me.

Whiteboard: MGA8TOO => MGA8TOO MGA9-64-OK
CC: (none) => herman.viaene

Comment 5 Herman Viaene 2023-10-14 14:33:17 CEST
Created attachment 14053
sample xpm file
PC LX 2023-10-16 12:31:53 CEST

CC: (none) => mageia

Comment 6 Thomas Andrews 2023-10-20 02:25:59 CEST
MGA8-64 Plasma, in VirtualBox. No installation issues.

I still had the xpm images I created for bug 31425, and I created a couple more this time. All images, both original and converted, displayed properly in Gimp.

Giving this another OK, and validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA8TOO MGA9-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK

Comment 7 Mageia Robot 2023-10-20 10:35:58 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0292.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
