Vulnerability in libXpm leads to code execution

A corrective release of the libXpm 3.5.15 library, developed by the X.Org project and used to process files in the XPM format, has been published. The new version fixes three vulnerabilities, two of which (CVE-2022-46285, CVE-2022-44617) cause the library to loop endlessly when processing specially crafted XPM files. The third vulnerability (CVE-2022-4883) allows arbitrary commands to be executed when an application that uses libXpm is run. When privileged processes linked against libXpm are run, such as programs with the suid flag, the vulnerability allows privilege escalation.

The vulnerability is caused by a feature of libXpm's handling of compressed XPM files: when processing XPM.Z or XPM.gz files, the library uses an execlp() call to launch an external decompression utility (uncompress or gunzip), whose path is resolved from the PATH environment variable. The attack comes down to placing crafted uncompress or gunzip executables in a user-writable directory that appears in the PATH list; they will be executed whenever an application using libXpm is launched.

The vulnerability was fixed by replacing the execlp call with execl, using full paths to the utilities. In addition, a build option "--disable-open-zfile" was added, which disables the processing of compressed files and the calls to external utilities used to open them.

source: budenet.ru
