Vulnerability in libXpm leading to code execution

The X.Org project has published libXpm 3.5.15, a corrective release of the library used to process files in the XPM format. The new version fixes three vulnerabilities, two of which (CVE-2022-46285, CVE-2022-44617) lead to a loop when processing specially crafted XPM files. The third vulnerability (CVE-2022-4883) allows arbitrary commands to be run when executing applications that use libXpm. When libXpm is used by privileged processes, such as programs with the suid root flag, the vulnerability makes it possible to escalate privileges.

The vulnerability stems from how libXpm handles compressed XPM files: when processing XPM.Z or XPM.gz files, the library uses the execlp() call to launch external unpacking utilities (uncompress or gunzip), whose location is resolved through the PATH environment variable. The attack comes down to placing the attacker's own uncompress or gunzip executable in a user-accessible directory listed in PATH; that file is then executed when an application using libXpm is launched.

The vulnerability was fixed by replacing the execlp call with execl and absolute paths to the utilities. Additionally, the build option "--disable-open-zfile" has been added, which disables the processing of compressed files and the calling of external utilities for unpacking.
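The difference the fix relies on can be observed directly. The following is an added example, not libXpm's code: it runs the same helper name once through execlp() and once through execl() with a full path, after PATH has been pointed at another directory. The names run_helper, make_stub and xpmdemo-unpack are hypothetical, and the two stub scripts are constructed stand-ins for uncompress/gunzip.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run `helper` in a child; return its exit status, or 127 if exec failed.
 * search_path != 0: execlp(), name looked up in $PATH (pre-fix behaviour).
 * search_path == 0: execl(), `helper` is the exact file to execute. */
static int run_helper(const char *helper, int search_path)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (search_path)
            execlp(helper, helper, (char *)NULL);
        else
            execl(helper, helper, (char *)NULL);
        _exit(127);  /* reached only when exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Constructed stand-in for an unpacker: creates <tmpdir>/<name>, a script
 * that exits with `code`. dir and file must each hold n bytes. */
static int make_stub(const char *name, int code, char *dir, char *file, size_t n)
{
    snprintf(dir, n, "/tmp/xpmdemo.XXXXXX");
    if (!mkdtemp(dir)) return -1;
    snprintf(file, n, "%s/%s", dir, name);
    FILE *f = fopen(file, "w");
    if (!f) return -1;
    fprintf(f, "#!/bin/sh\nexit %d\n", code);
    fclose(f);
    return chmod(file, 0755);
}

int main(void)
{
    char tdir[128], tbin[128], udir[128], ubin[128];
    if (make_stub("xpmdemo-unpack", 0, tdir, tbin, sizeof tdir) ||
        make_stub("xpmdemo-unpack", 42, udir, ubin, sizeof udir)) return 1;
    setenv("PATH", udir, 1);  /* PATH now points at the second directory */
    printf("execlp by name: %d, execl by full path: %d\n",
           run_helper("xpmdemo-unpack", 1), run_helper(tbin, 0));
    return 0;
}
```

The execlp() call returns the status of whichever file PATH leads to, while the execl() call always runs the file named by its full path; the temporary directories under /tmp are left in place for inspection.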

Source: opennet.ru
