Bug 2160213 (CVE-2022-4883)
| Field | Value |
|---|---|
| Summary | CVE-2022-4883 libXpm: compression commands depend on $PATH |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Guilherme de Almeida Suckevicz <gsuckevi> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | unspecified |
| CC | btissoir, peter.hutterer, security-response-team |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Fixed In Version | libXpm 3.5.15 |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in libXpm. When reading or writing files with a .Z or .gz extension, the library runs external programs (compress/uncompress and gzip) to handle the compression, and it locates those programs through the PATH environment variable of the calling process. A local user who controls the PATH seen by a process that links libXpm and runs with privileges the user does not have (a setuid or setgid program, or a service that inherits a user-supplied environment) can therefore place a program of their choosing first in PATH and have it executed in place of the expected tool. Manipulating PATH for a process the user already owns gains nothing, so the impact depends on how the library is used. |
| Last Closed | 2023-02-22 16:05:27 UTC |
| Bug Depends On | 2160234, 2160235, 2160236, 2160237, 2160238, 2160239, 2160240, 2160241, 2160242, 2161711, 2161715 |
| Bug Blocks | 2159932 |
Description
Guilherme de Almeida Suckevicz
2023-01-11 19:25:18 UTC
Created libXpm tracking bugs for this issue:
Affects: fedora-all [bug 2161711]

Reference: https://lists.x.org/archives/xorg-announce/2023-January/003312.html

Upstream patch:
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/515294bb8023a45ff91669
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/8178eb0834d82242e1edbc

This issue has been addressed in the following products:
- Red Hat Enterprise Linux 7: via RHSA-2023:0377 https://access.redhat.com/errata/RHSA-2023:0377
- Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions: via RHSA-2023:0384 https://access.redhat.com/errata/RHSA-2023:0384
- Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.2 Telecommunications Update Service: via RHSA-2023:0380 https://access.redhat.com/errata/RHSA-2023:0380
- Red Hat Enterprise Linux 9: via RHSA-2023:0383 https://access.redhat.com/errata/RHSA-2023:0383
- Red Hat Enterprise Linux 8: via RHSA-2023:0379 https://access.redhat.com/errata/RHSA-2023:0379
- Red Hat Enterprise Linux 8.6 Extended Update Support: via RHSA-2023:0378 https://access.redhat.com/errata/RHSA-2023:0378
- Red Hat Enterprise Linux 9.0 Extended Update Support: via RHSA-2023:0381 https://access.redhat.com/errata/RHSA-2023:0381
- Red Hat Enterprise Linux 8.4 Extended Update Support: via RHSA-2023:0382 https://access.redhat.com/errata/RHSA-2023:0382

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2022-4883
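The mechanism behind this flaw, as an added example that is neither libXpm's code nor part of this bug report: `find_in_path` reproduces the search `execlp(3)`/`execvp(3)` perform for a bare command name such as `uncompress`, `pinned_helper` and `spawn_pinned_helper` show the shape of a fix (helper chosen by extension from a fixed table of absolute paths, started with `execve(2)` and a minimal environment, so PATH is never consulted), and `hijack_demo` plants a fake `uncompress` in a constructed temporary directory and shows the PATH-based lookup resolving to it. The `/usr/bin` locations, the extension-to-tool mapping and the `-c` argument are assumptions for illustration; the actual change shipped in 3.5.15 is in the upstream commits linked above.

```c
/* Added example for CVE-2022-4883, not libXpm code. Helper paths, the
 * extension-to-tool mapping and the "-c" argument are assumptions. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable behaviour: the search execlp(3)/execvp(3) perform for a bare
 * program name. Entries are tried left to right and an empty entry means the
 * current directory, so whoever controls PATH decides which file runs. */
int find_in_path(const char *prog, const char *path, char *out, size_t outsz)
{
    if (prog == NULL || path == NULL || outsz == 0)
        return -1;
    const char *p = path;
    for (;;) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        int n = len ? snprintf(out, outsz, "%.*s/%s", (int)len, p, prog)
                    : snprintf(out, outsz, "./%s", prog);
        if (n > 0 && (size_t)n < outsz && access(out, X_OK) == 0)
            return 0;           /* first executable candidate wins */
        if (sep == NULL)
            break;
        p = sep + 1;
    }
    out[0] = '\0';
    return -1;
}

/* Hardened lookup: helper chosen from a fixed table keyed by the file
 * extension; PATH plays no part. Locations are assumed, not configured. */
const char *pinned_helper(const char *filename, int compress)
{
    size_t n = strlen(filename);
    if (n >= 2 && strcmp(filename + n - 2, ".Z") == 0)
        return compress ? "/usr/bin/compress" : "/usr/bin/uncompress";
    if (n >= 3 && strcmp(filename + n - 3, ".gz") == 0)
        return compress ? "/usr/bin/gzip" : "/usr/bin/gunzip";
    return NULL;                /* plain file: no external program at all */
}

/* Hardened spawn: absolute path through execve(2) plus a minimal environment,
 * so neither PATH nor other inherited variables reach the helper. Returns the
 * helper's exit status, or -1 on failure or when given a relative name. */
int spawn_pinned_helper(const char *helper, const char *file)
{
    if (helper == NULL || helper[0] != '/')
        return -1;
    char *const argv[] = { (char *)helper, "-c", (char *)file, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(helper, argv, envp);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed scenario: plant a fake "uncompress" in a fresh directory and put
 * that directory first in PATH, as a local user can before running a setuid
 * program. Returns 1 if the PATH-based lookup picks the planted file, 0 if
 * not, -1 on setup failure. The directory is removed again afterwards. */
int hijack_demo(char *resolved, size_t sz)
{
    char dir[256], fake[512], hostile_path[600];
    const char *base = getenv("TMPDIR");
    snprintf(dir, sizeof dir, "%s/cve-2022-4883-XXXXXX", base ? base : "/tmp");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(fake, sizeof fake, "%s/uncompress", dir);
    int fd = open(fake, O_WRONLY | O_CREAT | O_EXCL, 0700);
    if (fd < 0 || write(fd, "#!/bin/sh\necho hijacked\n", 24) != 24) {
        if (fd >= 0) close(fd);
        rmdir(dir);
        return -1;
    }
    close(fd);
    snprintf(hostile_path, sizeof hostile_path, "%s:/usr/bin:/bin", dir);
    int hit = find_in_path("uncompress", hostile_path, resolved, sz) == 0
              && strncmp(resolved, dir, strlen(dir)) == 0;
    unlink(fake);
    rmdir(dir);
    return hit;
}

int main(void)
{
    char resolved[600];
    if (hijack_demo(resolved, sizeof resolved) == 1)
        printf("PATH lookup resolved uncompress to planted %s\n", resolved);
    printf("pinned helper for img.xpm.Z:  %s\n", pinned_helper("img.xpm.Z", 0));
    printf("pinned helper for img.xpm.gz: %s\n", pinned_helper("img.xpm.gz", 0));
    return 0;
}
```

The demo only resolves the planted file; it never executes it. The point to take from it is that `access(X_OK)` on a PATH entry the caller does not own is the whole attack surface: a setuid process inherits the invoking user's PATH unscrubbed, so any lookup by bare name in such a process is user-controlled.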