Vulnerabilities in libXpm leading to code execution

A corrective release, 3.5.15, has been published for libXpm, the library developed by the X.Org project and used to process files in the XPM format. The new version fixes three vulnerabilities, two of which (CVE-2022-46285, CVE-2022-44617) lead to a loop when processing specially crafted XPM files. The third vulnerability (CVE-2022-4883) allows arbitrary commands to be executed when running applications that use libXpm. When privileged processes linked with libXpm are run, such as programs with the suid flag, the vulnerability makes it possible to escalate privileges.

The vulnerability is caused by the way libXpm handles compressed XPM files: when processing XPM.Z or XPM.gz files, the library uses the execlp() call to launch external decompression utilities (uncompress or gunzip), and the path to them is resolved from the PATH environment variable. The attack comes down to placing one's own uncompress or gunzip executables in a user-accessible directory that appears in the PATH list; they will then be executed when an application that uses libXpm is launched.

The vulnerability was fixed by replacing the execlp call with execl, using absolute paths to the utilities. In addition, the "--disable-open-zfile" option was added, which allows you to disable the processing of compressed files and the calling of external utilities for decompression.
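As an added illustration (not libXpm code), the following C check reproduces the left-to-right PATH search that execlp() performs for a bare command name and reports whether the first hit sits in a directory that non-root users could write to. The function names and the trust rule (absolute path, owned by root, not group- or world-writable) are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed trust rule: a PATH entry is untrusted when it is empty or relative
 * (both mean the current directory), missing, not owned by root, or writable
 * by group or others. */
static int dir_untrusted(const char *dir)
{
    struct stat st;
    if (dir[0] != '/' || stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 1;
    return st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0;
}

/* Search path_env left to right for a bare command name, as execlp() does.
 * Returns -1 if nothing is found or the input is unusable, 0 if the first
 * executable hit is in a trusted directory, 1 if it is in an untrusted one.
 * On a hit, the resolved path is left in out. */
int audit_path_lookup(const char *name, const char *path_env,
                      char *out, size_t outsz)
{
    struct stat st;
    char *copy, *p, *next;
    int result = -1;
    if (!name || !path_env || strchr(name, '/') || !(copy = strdup(path_env)))
        return -1;
    for (p = copy; p != NULL; p = next) {
        char *colon = strchr(p, ':');
        next = colon ? colon + 1 : NULL;
        if (colon) *colon = '\0';
        if ((size_t)snprintf(out, outsz, "%s/%s", *p ? p : ".", name) >= outsz)
            continue;                      /* candidate does not fit: skip */
        if (stat(out, &st) == 0 && S_ISREG(st.st_mode) && access(out, X_OK) == 0) {
            result = dir_untrusted(p);
            break;
        }
    }
    free(copy);
    return result;
}

int main(void)
{
    char hit[4096];
    int r = audit_path_lookup("gunzip", getenv("PATH"), hit, sizeof hit);
    printf("%s: %s\n", r < 0 ? "gunzip not found" : hit,
           r == 1 ? "UNTRUSTED directory" : r == 0 ? "trusted directory" : "-");
    return r == 1;
}
```

A result of 1 in the environment of a privileged program is the condition that the 3.5.15 fix removes by calling execl() with an absolute path instead of searching PATH.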

Source: opennet.ru
