libXpm-3.5.13-8.el9

エラータID: AXSA:2023-5006:03

Release date: 
Wednesday, February 8, 2023 - 05:06
Subject: 
libXpm-3.5.13-8.el9
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

X.Org X11 libXpm runtime library.

Security Fix(es):

* libXpm: compression commands depend on $PATH (CVE-2022-4883)
* libXpm: Runaway loop on width of 0 and enormous height (CVE-2022-44617)
* libXpm: Infinite loop on unclosed comments (CVE-2022-46285)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-44617
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2022-46285
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2022-4883
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Solution: 

Update packages.

CVEs: 
CVE-2022-44617
A flaw was found in libXpm. When processing a file with width of 0 and a very large height, some parser functions will be called repeatedly and can lead to an infinite loop, resulting in a Denial of Service in the application linked to the library.
CVE-2022-46285
A flaw was found in libXpm. This issue occurs when parsing a file with a comment not closed; the end-of-file condition will not be detected, leading to an infinite loop and resulting in a Denial of Service in the application linked to the library.
CVE-2022-4883
A flaw was found in libXpm. When processing files with .Z or .gz extensions, the library calls external programs to compress and uncompress files, relying on the PATH environment variable to find these programs, which could allow a malicious user to execute other programs by manipulating the PATH environment variable.
Additional Info: 

N/A

Download: 

SRPMS
  1. libXpm-3.5.13-8.el9.src.rpm
    MD5: b5865c4590423661d4e29abbbb62ccfb
    SHA-256: 059a0a6b9ca713bc2fa1279965f35bd36a71a58c172750b97b5f6b1ae95e302f
    Size: 469.35 kB

Asianux Server 9 for x86_64
  1. libXpm-3.5.13-8.el9.x86_64.rpm
    MD5: b4a2339cea5d45659c5f8076411b492d
    SHA-256: c642ae5e7a5a50278abad767e096489669d4a9830e73157a178c0c9e3c107eb5
    Size: 57.28 kB
  2. libXpm-devel-3.5.13-8.el9.x86_64.rpm
    MD5: f30b11220c45c73f1175a9d2ed8643fa
    SHA-256: 0fd9baa6c13f1002f375ea6c9906caa23348a0011f70ecd677c0dc9549f0d1ce
    Size: 33.80 kB
  3. libXpm-3.5.13-8.el9.i686.rpm
    MD5: 30d73ff3e1ee8fa36a20a24f862f0110
    SHA-256: e85446ecd4a5c21a42dfb203e2cc997dcef0ca49a8c3848d187d87825d460686
    Size: 59.68 kB
  4. libXpm-devel-3.5.13-8.el9.i686.rpm
    MD5: d5599addd5c9074be5d952fb16956b84
    SHA-256: 31674876327123c92bbf92e8c89ebe44b2803000b65523b138805b6ab0ca5675
    Size: 34.12 kB