Update Info

SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2023-171


Security update for libXpm


Type: security
Severity: important
Issued: 2023-01-26
Description:
This update for libXpm fixes the following issues:

- CVE-2022-46285: Fixed an infinite loop that could be triggered
  when reading an XPM image with a C-style comment that is never
  closed (bsc#1207029).
- CVE-2022-44617: Fixed excessive resource consumption that could
  be triggered when reading a small crafted XPM image (bsc#1207030).
- CVE-2022-4883: Fixed an issue that made decompression commands
  susceptible to PATH environment variable manipulation attacks
  (bsc#1207031).


              

Packages


  • libXpm-3.5.12-150000.3.7.2