Bug 2160213 (CVE-2022-4883) - CVE-2022-4883 libXpm: compression commands depend on $PATH
Summary: CVE-2022-4883 libXpm: compression commands depend on $PATH
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-4883
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2160234 2160235 2160236 2160237 2160238 2160239 2160240 2160241 2160242 2161711 2161715
Blocks: 2159932
TreeView+ depends on / blocked
 
Reported: 2023-01-11 19:25 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-03-06 15:13 UTC (History)
3 users (show)

Fixed In Version: libXpm 3.5.15
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libXpm. When processing files with .Z or .gz extensions, the library calls external programs to compress and uncompress files, relying on the PATH environment variable to find these programs, which could allow a malicious user to execute other programs by manipulating the PATH environment variable.
Clone Of:
Environment:
Last Closed: 2023-02-22 16:05:27 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:0454 0 None None None 2023-01-25 14:48:29 UTC
Red Hat Product Errata RHBA-2023:0458 0 None None None 2023-01-25 15:11:46 UTC
Red Hat Product Errata RHBA-2023:0465 0 None None None 2023-01-25 18:08:48 UTC
Red Hat Product Errata RHBA-2023:0474 0 None None None 2023-01-26 17:13:02 UTC
Red Hat Product Errata RHBA-2023:0475 0 None None None 2023-01-26 17:14:34 UTC
Red Hat Product Errata RHBA-2023:0477 0 None None None 2023-01-26 17:16:02 UTC
Red Hat Product Errata RHBA-2023:0478 0 None None None 2023-01-26 17:16:45 UTC
Red Hat Product Errata RHBA-2023:0489 0 None None None 2023-01-30 13:53:53 UTC
Red Hat Product Errata RHBA-2023:0492 0 None None None 2023-01-30 13:56:48 UTC
Red Hat Product Errata RHBA-2023:1077 0 None None None 2023-03-06 15:13:24 UTC
Red Hat Product Errata RHSA-2023:0377 0 None None None 2023-01-23 17:51:55 UTC
Red Hat Product Errata RHSA-2023:0378 0 None None None 2023-01-23 17:55:47 UTC
Red Hat Product Errata RHSA-2023:0379 0 None None None 2023-01-23 17:54:36 UTC
Red Hat Product Errata RHSA-2023:0380 0 None None None 2023-01-23 17:53:28 UTC
Red Hat Product Errata RHSA-2023:0381 0 None None None 2023-01-23 17:56:57 UTC
Red Hat Product Errata RHSA-2023:0382 0 None None None 2023-01-23 17:58:09 UTC
Red Hat Product Errata RHSA-2023:0383 0 None None None 2023-01-23 17:53:55 UTC
Red Hat Product Errata RHSA-2023:0384 0 None None None 2023-01-23 17:52:51 UTC

Description Guilherme de Almeida Suckevicz 2023-01-11 19:25:18 UTC 
By default, on all platforms except MinGW, libXpm will detect if a filename ends in .Z or .gz, and will when reading such a file fork off an uncompress or gunzip command to read from via a pipe, and when writing such a file will fork off a compress or gzip command to write to via a pipe.

In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH to find the commands.  If libXpm is called from a program running with raised privileges, such as via setuid, then a malicious user could set $PATH to include programs of their choosing to be run with those privileges.
Comment 5 Guilherme de Almeida Suckevicz 2023-01-17 17:05:23 UTC 
Created libXpm tracking bugs for this issue:

Affects: fedora-all [bug 2161711]
Comment 6 Guilherme de Almeida Suckevicz 2023-01-17 17:09:37 UTC 
Reference:
https://lists.x.org/archives/xorg-announce/2023-January/003312.html

Upstream patch:
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/515294bb8023a45ff91669
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/8178eb0834d82242e1edbc
Comment 8 errata-xmlrpc 2023-01-23 17:51:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:0377 https://access.redhat.com/errata/RHSA-2023:0377
Comment 9 errata-xmlrpc 2023-01-23 17:52:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:0384 https://access.redhat.com/errata/RHSA-2023:0384
Comment 10 errata-xmlrpc 2023-01-23 17:53:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:0380 https://access.redhat.com/errata/RHSA-2023:0380
Comment 11 errata-xmlrpc 2023-01-23 17:53:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0383 https://access.redhat.com/errata/RHSA-2023:0383
Comment 12 errata-xmlrpc 2023-01-23 17:54:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0379 https://access.redhat.com/errata/RHSA-2023:0379
Comment 13 errata-xmlrpc 2023-01-23 17:55:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:0378 https://access.redhat.com/errata/RHSA-2023:0378
Comment 14 errata-xmlrpc 2023-01-23 17:56:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:0381 https://access.redhat.com/errata/RHSA-2023:0381
Comment 15 errata-xmlrpc 2023-01-23 17:58:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:0382 https://access.redhat.com/errata/RHSA-2023:0382
Comment 16 Product Security DevOps Team 2023-02-22 16:05:25 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-4883
Note You need to log in before you can comment on or make changes to this bug.