CINXE.COM

X.Org Security Advisory: Issues handling XPM files in libXpm prior to 3.5.15

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML> <HEAD> <TITLE> X.Org Security Advisory: Issues handling XPM files in libXpm prior to 3.5.15 </TITLE> <LINK REL="Index" HREF="index.html" > <LINK REL="made" HREF="mailto:xorg-announce%40lists.x.org?Subject=Re%3A%20X.Org%20Security%20Advisory%3A%20Issues%20handling%20XPM%20files%20in%20libXpm%20prior%0A%20to%203.5.15&In-Reply-To=%3C20230117164100.GA3834%40also.us.oracle.com%3E"> <META NAME="robots" CONTENT="index,nofollow"> <style type="text/css"> pre { white-space: pre-wrap; /* css-2.1, curent FF, Opera, Safari */ } </style> <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> <LINK REL="Previous" HREF="003311.html"> <LINK REL="Next" HREF="003313.html"> </HEAD> <BODY BGCOLOR="#ffffff"> <H1>X.Org Security Advisory: Issues handling XPM files in libXpm prior to 3.5.15</H1> <B>Alan Coopersmith</B> <A HREF="mailto:xorg-announce%40lists.x.org?Subject=Re%3A%20X.Org%20Security%20Advisory%3A%20Issues%20handling%20XPM%20files%20in%20libXpm%20prior%0A%20to%203.5.15&In-Reply-To=%3C20230117164100.GA3834%40also.us.oracle.com%3E" TITLE="X.Org Security Advisory: Issues handling XPM files in libXpm prior to 3.5.15">alan.coopersmith at oracle.com </A><BR> <I>Tue Jan 17 16:41:00 UTC 2023</I> <P><UL> <LI>Previous message (by thread): <A HREF="003311.html">[ANNOUNCE] igt-gpu-tools 1.27 </A></li> <LI>Next message (by thread): <A HREF="003313.html">[ANNOUNCE] libXpm 3.5.15 </A></li> <LI> <B>Messages sorted by:</B> <a href="date.html#3312">[ date ]</a> <a href="thread.html#3312">[ thread ]</a> <a href="subject.html#3312">[ subject ]</a> <a href="author.html#3312">[ author ]</a> </LI> </UL> <HR> <!--beginarticle--> <PRE>X.Org Security Advisory: January 17, 2023 Issues handling XPM files in libXpm prior to 3.5.15 =================================================== Three issues have been found in the libXpm library code to read XPM files in libXpm 3.5.14 and earlier releases. 1) CVE-2022-46285: Infinite loop on unclosed comments When reading XPM images from a file with libXpm 3.5.14 or older, if a comment in the file is not closed (i.e. a C-style comment starts with &quot;/*&quot; and is missing the closing &quot;*/&quot;), the ParseComment() function will loop forever calling getc() to try to read the rest of the comment, failing to notice that it has returned EOF, which may cause a denial of service to the calling program. This issue was found by Marco Ivaldi of the Humanativa Group's HN Security team. The fix is provided in <A HREF="https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/a3a7c6dcc3b629d7650148">https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/a3a7c6dcc3b629d7650148</A> 2) CVE-2022-44617: Runaway loop on width of 0 and enormous height When reading XPM images from a file with libXpm 3.5.14 or older, if a image has a width of 0 and a very large height, the ParsePixels() function will loop over the entire height calling getc() and ungetc() repeatedly, or in some circumstances, may loop seemingly forever, which may cause a denial of service to the calling program when given a small crafted XPM file to parse. This issue was found by Martin Ettl. The fix is provided in <A HREF="https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/f80fa6ae47ad4a5beacb28">https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/f80fa6ae47ad4a5beacb28</A> and <A HREF="https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/c5ab17bcc34914c0b0707d">https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/c5ab17bcc34914c0b0707d</A> 3) CVE-2022-4883: compression commands depend on $PATH By default, on all platforms except MinGW, libXpm will detect if a filename ends in .Z or .gz, and will when reading such a file fork off an uncompress or gunzip command to read from via a pipe, and when writing such a file will fork off a compress or gzip command to write to via a pipe. In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH to find the commands. If libXpm is called from a program running with raised privileges, such as via setuid, then a malicious user could set $PATH to include programs of their choosing to be run with those privileges. This issue was found by Alan Coopersmith of the Oracle Solaris team. The fix is provided in <A HREF="https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/515294bb8023a45ff91669">https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/515294bb8023a45ff91669</A> and <A HREF="https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/8178eb0834d82242e1edbc">https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/8178eb0834d82242e1edbc</A> libXpm 3.5.15 includes fixes for all three of these issues. It also adds a new configure option --disable-open-zfile that makes it easy for people building libXpm to completely disable the code to fork compression and uncompression programs if they do not have a need for it in their use case. X.Org thanks all of those who reported and fixed these issues, and those who helped with the review and release of this advisory and these fixes. The X.Org security team would like to take this opportunity to remind X client authors that current best practices suggest separating code that requires privileges from the GUI, to reduce the risk of issues like CVE-2022-4883. -- -Alan Coopersmith- <A HREF="https://lists.x.org/mailman/listinfo/xorg-announce">alan.coopersmith at oracle.com</A> X.Org Security Response Team - <A HREF="https://lists.x.org/mailman/listinfo/xorg-announce">xorg-security at lists.x.org</A> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: not available URL: &lt;<A HREF="https://lists.x.org/archives/xorg-announce/attachments/20230117/09138ec0/attachment.sig">https://lists.x.org/archives/xorg-announce/attachments/20230117/09138ec0/attachment.sig</A>&gt; </PRE> <!--endarticle--> <HR> <P><UL> <!--threads--> <LI>Previous message (by thread): <A HREF="003311.html">[ANNOUNCE] igt-gpu-tools 1.27 </A></li> <LI>Next message (by thread): <A HREF="003313.html">[ANNOUNCE] libXpm 3.5.15 </A></li> <LI> <B>Messages sorted by:</B> <a href="date.html#3312">[ date ]</a> <a href="thread.html#3312">[ thread ]</a> <a href="subject.html#3312">[ subject ]</a> <a href="author.html#3312">[ author ]</a> </LI> </UL> <hr> <a href="https://lists.x.org/mailman/listinfo/xorg-announce">More information about the xorg-announce mailing list</a><br> </body></html>

Pages: 1 2 3 4 5 6 7 8 9 10