<html>
    <head>
      <base href="https://bugzilla.rosalinux.ru/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Platform</th>
          <td>2021.1
          </td>
        </tr>

        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_CONFIRMED "
   title="CONFIRMED - [CVE 21] libxpm 3.5.14 CVEs found"
   href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13269">13269</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>[CVE 21] libxpm 3.5.14 CVEs found
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>ROSA-based products
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>ROSA Fresh
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>URL</th>
          <td>CVE-2022-44617, CVE-2022-46285, CVE-2022-4883,
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>CONFIRMED
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>System (kernel, glibc, systemd, bash, PAM...)
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>bugs&#64;lists.rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>y.tumanov&#64;rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>bugs&#64;lists.rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>s.matveev&#64;rosalinux.ru, y.tumanov&#64;rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>Target Milestone</th>
          <td>---
          </td>
        </tr>

        <tr>
          <th>Flags</th>
          <td>secteam_verified?
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Please patch CVEs for package libxpm version 3.5.14

INFO (CVEs are): libxpm 3.5.14
CVEs found
CVE-2022-44617
Desc: A flaw was found in libXpm. When processing a file with width of 0 and a
very large height, some parser functions will be called repeatedly and can lead
to an infinite loop, resulting in a Denial of Service in the application linked
to the library.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-44617">https://nvd.nist.gov/vuln/detail/CVE-2022-44617</a>
Severity: HIGH
CVE-2022-46285
Desc: A flaw was found in libXpm. This issue occurs when parsing a file with a
comment not closed; the end-of-file condition will not be detected, leading to
an infinite loop and resulting in a Denial of Service in the application linked
to the library.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-46285">https://nvd.nist.gov/vuln/detail/CVE-2022-46285</a>
Severity: HIGH
CVE-2022-4883
Desc: A flaw was found in libXpm. When processing files with .Z or .gz
extensions, the library calls external programs to compress and uncompress
files, relying on the PATH environment variable to find these programs, which
could allow a malicious user to execute other programs by manipulating the PATH
environment variable.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-4883">https://nvd.nist.gov/vuln/detail/CVE-2022-4883</a>
Severity: HIGH</pre>
        </div>
      </p>
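<p>An added illustration for the two parser flaws listed above (unclosed comment, zero width with a very large height); this is example code written for this report, not libXpm's parser or the ROSA patch. It scans the XPM header up to the values string, returns an error instead of spinning when the input ends inside a comment, and rejects zero or oversized dimensions before any pixel loop runs. The cap <code>XPM_MAX_DIM</code> is an assumed policy value and the inputs in the test are constructed.</p>

```c
#include <stdio.h>
#include <string.h>

#define XPM_OK        0
#define XPM_ERR_EOF   1   /* input ended inside a comment or before the values string */
#define XPM_ERR_SYNTAX 2  /* values string does not hold four numbers */
#define XPM_ERR_DIMS  3   /* zero or oversized width/height rejected up front */
#define XPM_MAX_DIM   65535UL /* assumed policy cap, not a libXpm constant */

/* Skip whitespace and C-style comments starting at pos.
 * Returns the index of the next significant character, or -1 when the
 * buffer ends inside an unclosed comment (the EOF case the loop must detect). */
static long skip_comments(const char *s, size_t len, size_t pos) {
    while (pos < len) {
        if (strchr(" \t\r\n", s[pos]) && s[pos] != '\0') { pos++; continue; }
        if (pos + 1 < len && s[pos] == '/' && s[pos + 1] == '*') {
            pos += 2;
            for (;;) {
                if (pos + 1 >= len) return -1;          /* EOF inside comment: stop, never loop */
                if (s[pos] == '*' && s[pos + 1] == '/') { pos += 2; break; }
                pos++;
            }
            continue;
        }
        break;
    }
    return (long)pos;
}

/* Locate the "<width> <height> <ncolors> <cpp>" string of a NUL-terminated XPM
 * header and validate the dimensions before a caller allocates or iterates. */
int xpm_check_values(const char *s, unsigned long *w, unsigned long *h) {
    size_t len = strlen(s), pos = 0;
    for (;;) {
        long p = skip_comments(s, len, pos);
        if (p < 0) return XPM_ERR_EOF;
        pos = (size_t)p;
        if (pos >= len) return XPM_ERR_EOF;
        if (s[pos] == '"') break;                       /* start of the values string */
        pos++;
    }
    unsigned long ncolors, cpp;
    if (sscanf(s + pos + 1, "%lu %lu %lu %lu", w, h, &ncolors, &cpp) != 4)
        return XPM_ERR_SYNTAX;
    if (*w == 0 || *h == 0) return XPM_ERR_DIMS;        /* the width-0 case of CVE-2022-44617 */
    if (*w > XPM_MAX_DIM || *h > XPM_MAX_DIM) return XPM_ERR_DIMS;
    return XPM_OK;
}
```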


    </body>
</html>