[Bugs] [Bug 13269] New: [CVE 21] libxpm 3.5.14 CVEs found

bugzilla bugzilla at rosalinux.ru
Wed May 3 17:00:22 MSK 2023


https://bugzilla.rosalinux.ru/show_bug.cgi?id=13269

          Platform: 2021.1
            Bug ID: 13269
           Summary: [CVE 21] libxpm 3.5.14 CVEs found
    Classification: ROSA-based products
           Product: ROSA Fresh
           Version: All
          Hardware: All
               URL: CVE-2022-44617, CVE-2022-46285, CVE-2022-4883
                OS: Linux
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs at lists.rosalinux.ru
          Reporter: y.tumanov at rosalinux.ru
        QA Contact: bugs at lists.rosalinux.ru
                CC: s.matveev at rosalinux.ru, y.tumanov at rosalinux.ru
  Target Milestone: ---
             Flags: secteam_verified?

Please patch CVEs for package libxpm version 3.5.14

INFO (CVEs are): libxpm 3.5.14
CVEs found

CVE-2022-44617
Desc: A flaw was found in libXpm. When processing a file with width of 0 and a
very large height, some parser functions will be called repeatedly and can lead
to an infinite loop, resulting in a Denial of Service in the application linked
to the library.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-44617
Severity: HIGH

CVE-2022-46285
Desc: A flaw was found in libXpm. This issue occurs when parsing a file with a
comment not closed; the end-of-file condition will not be detected, leading to
an infinite loop and resulting in a Denial of Service in the application linked
to the library.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-46285
Severity: HIGH

CVE-2022-4883
Desc: A flaw was found in libXpm. When processing files with .Z or .gz
extensions, the library calls external programs to compress and uncompress
files, relying on the PATH environment variable to find these programs, which
could allow a malicious user to execute other programs by manipulating the PATH
environment variable.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-4883
Severity: HIGH

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
----------- next part -----------
An HTML attachment was scrubbed...
URL: <http://lists.rosalinux.ru/pipermail/bugs/attachments/20230503/9b01f2ae/attachment.html>
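The third entry is an environment-trust problem rather than a parsing bug: a library that starts uncompress or gzip through a PATH search inherits whatever PATH its caller set, and when the caller is a setuid program that PATH is chosen by an unprivileged user. As an added example that is not code from libXpm or from this report, the following C helper shows the shape of a PATH-independent pipe-through: the filter is named by an absolute path (the kind a build would fix at configure time), it is started with execve() and a fixed environment so neither PATH nor any other inherited variable reaches the child, and its exit status is checked. The function name pipe_through, the clean_env contents and the use of /bin/cat as a stand-in filter are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Feed `in` to an external filter and collect its stdout into `out`.
 * `tool` must be an absolute path (fixed at build time, the way a library
 * would hard-wire /usr/bin/gzip) and the child is started with execve()
 * and a fixed environment, so the caller's PATH is never consulted; a user
 * of a setuid program linked against this gains nothing from PATH=/tmp.
 * Returns the number of bytes captured, or -1 on any failure. Writing all
 * input before reading is fine for small buffers; larger ones need poll()
 * on both pipe ends to avoid deadlock. */
ssize_t pipe_through(const char *tool, char *const argv[],
                     const char *in, size_t in_len, char *out, size_t cap)
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int to_child[2], from_child[2], status = 0;
    size_t done = 0;
    void (*old_pipe)(int);
    pid_t pid, w;

    if (tool == NULL || tool[0] != '/')      /* refuse PATH-relative names */
        return -1;
    if (pipe(to_child) < 0)
        return -1;
    if (pipe(from_child) < 0) {
        close(to_child[0]); close(to_child[1]);
        return -1;
    }
    pid = fork();
    if (pid < 0) {
        close(to_child[0]); close(to_child[1]);
        close(from_child[0]); close(from_child[1]);
        return -1;
    }
    if (pid == 0) {                          /* child: wire pipes and exec */
        if (dup2(to_child[0], STDIN_FILENO) < 0 ||
            dup2(from_child[1], STDOUT_FILENO) < 0)
            _exit(127);
        close(to_child[0]); close(to_child[1]);
        close(from_child[0]); close(from_child[1]);
        execve(tool, argv, clean_env);       /* execve: no PATH search at all */
        _exit(127);
    }
    close(to_child[0]);
    close(from_child[1]);

    /* If the child dies early (for example exec failed), writing would raise
     * SIGPIPE; ignore it for the duration and rely on the EPIPE error
     * instead. This is process-wide, so not for multithreaded callers. */
    old_pipe = signal(SIGPIPE, SIG_IGN);
    while (done < in_len) {
        ssize_t k = write(to_child[1], in + done, in_len - done);
        if (k < 0 && errno == EINTR)
            continue;
        if (k < 0)
            break;
        done += (size_t)k;
    }
    close(to_child[1]);                      /* EOF for the child */
    signal(SIGPIPE, old_pipe);

    done = 0;
    for (;;) {
        ssize_t r = done < cap ? read(from_child[0], out + done, cap - done) : 0;
        if (r < 0 && errno == EINTR)
            continue;
        if (r <= 0)
            break;
        done += (size_t)r;
    }
    close(from_child[0]);
    do {
        w = waitpid(pid, &status, 0);
    } while (w < 0 && errno == EINTR);
    if (w < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;                           /* exec failure or non-zero exit */
    return (ssize_t)done;
}
```

With /bin/cat standing in for the decompressor, pipe_through("/bin/cat", argv, data, n, out, cap) returns the data unchanged, while pipe_through("cat", ...) is refused before fork and a path that does not exist surfaces as the child's exit status 127 rather than as silently empty output. The two points that matter for CVE-2022-4883 are the absolute path and execve() with clean_env: execlp() or execvp() with a bare "uncompress" would walk the caller's PATH, and passing the inherited environ would let variables such as PATH (and, for a setuid binary, anything else the user set) reach the child.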


More information about the Bugs mailing list