libXpm vulnerability leading to code execution

A corrective release of libXpm 3.5.15 has been published. The library is developed by the X.Org project and is used to process files in the XPM format. The new version fixes three vulnerabilities, two of which (CVE-2022-46285, CVE-2022-44617) lead to an infinite loop when processing specially crafted XPM files. The third vulnerability (CVE-2022-4883) allows arbitrary commands to be executed when running applications that use libXpm. When a privileged process linked with libXpm is run, for example a program with the suid flag, the vulnerability makes it possible to escalate privileges.

The vulnerability is caused by the way libXpm handles compressed XPM files: when processing XPM.Z or XPM.gz files, the library launches external utilities (uncompress or gunzip) using the execlp() call, which resolves the program's location from the PATH environment variable. The attack comes down to placing one's own uncompress or gunzip executables in a user-accessible directory that appears in the PATH list; they will be executed when an application that uses libXpm is launched.

The vulnerability was fixed by replacing the execlp call with execl, using absolute paths to the utilities. In addition, the build option "--disable-open-zfile" has been added, which lets you disable the processing of compressed files and the invocation of external utilities for decompression.
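The difference between a PATH-based lookup and a pinned absolute path can be audited with a few lines of C. This is an added example, not part of the original article or libXpm's code; the function names, the simplified search model and the "/bin:/usr/bin" fallback are assumptions of the example.

```c
/* Added example (not libXpm code): which file would execlp(name, ...) run? */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Simplified model of the execlp() search: try each PATH entry in order and
 * stop at the first regular file with an execute bit set. An empty entry
 * means the current directory. `name` must not contain '/'.
 * Returns 1 and fills `out` on a match, 0 otherwise. */
int resolve_like_execlp(const char *path, const char *name, char *out, size_t n)
{
    for (const char *p = path; p != NULL; ) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        struct stat st;
        if (len == 0)
            snprintf(out, n, "./%s", name);
        else
            snprintf(out, n, "%.*s/%s", (int)len, p, name);
        if (stat(out, &st) == 0 && S_ISREG(st.st_mode) &&
            (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))
            return 1;
        p = end ? end + 1 : NULL;
    }
    out[0] = '\0';
    return 0;
}

/* 1 if the PATH search lands on something other than the pinned absolute
 * path, which is the situation the execl() fix rules out. */
int lookup_diverges(const char *path, const char *name, const char *pinned)
{
    char hit[4096];
    return resolve_like_execlp(path, name, hit, sizeof hit) &&
           strcmp(hit, pinned) != 0;
}

int main(void)
{
    /* Assumption: "/bin:/usr/bin" stands in for the libc default search path. */
    const char *path = getenv("PATH") ? getenv("PATH") : "/bin:/usr/bin";
    const char *tools[] = { "gunzip", "uncompress" };  /* helpers named in the article */
    char hit[4096];
    for (int i = 0; i < 2; i++)
        printf("%s -> %s\n", tools[i],
               resolve_like_execlp(path, tools[i], hit, sizeof hit) ? hit : "(not found)");
    return 0;
}
```

Run under the environment of a privileged program, it prints the file each helper name resolves to; any result outside a root-owned system directory is the condition the switch to execl with absolute paths removes.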

Source: opennet.ru
