Code execution vulnerability in libXpm

A corrective release of the libXpm 3.5.15 library, developed by the X.Org project and used to process files in the XPM format, has been published. The new version fixes three vulnerabilities, two of which (CVE-2022-46285, CVE-2022-44617) lead to a loop when processing specially crafted XPM files. The third vulnerability (CVE-2022-4883) allows arbitrary commands to be executed when running applications that use libXpm. When privileged processes linked with libXpm are run, for example programs with the suid flag, the vulnerability makes it possible to escalate privileges.

The vulnerability is caused by the way libXpm handles compressed XPM files: when processing XPM.Z or XPM.gz files, the library launches external decompression utilities (uncompress or gunzip) using the execlp() call, which resolves the path to the program from the PATH environment variable. The attack boils down to placing the attacker's own uncompress or gunzip executables in a user-accessible directory that is present in the PATH list; they will then be executed when an application that uses libXpm is launched.

The vulnerability was fixed by replacing the execlp call with execl, using absolute paths to the utilities. In addition, the build option "--disable-open-zfile" has been added, which lets you disable the processing of compressed files and the calling of external utilities for decompression.
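The difference between the two calls, as an added example that is not libXpm's code: it runs a helper once by bare name through `execlp()` and once by absolute path through `execl()` after PATH has been changed. `/bin/sh` stands in for the decompression utility, and the PATH value and function names are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run a helper in a child process and return its exit status
 * (127 means the exec itself failed, -1 means fork/wait failed).
 * use_path != 0: pre-fix pattern, execlp() resolves `prog` through $PATH.
 * use_path == 0: post-fix pattern, execl() runs exactly the path given. */
static int run_helper(const char *prog, int use_path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (use_path)
            execlp(prog, prog, "-c", "exit 0", (char *)NULL);
        else
            execl(prog, prog, "-c", "exit 0", (char *)NULL);
        _exit(127); /* only reached when exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Set PATH the way the invoking user of a program can, then run the helper. */
static int status_with_path(const char *path_value, const char *prog, int use_path)
{
    if (setenv("PATH", path_value, 1) != 0)
        return -1;
    return run_helper(prog, use_path);
}

int main(void)
{
    /* Constructed demo values: /bin/sh stands in for the decompressor. */
    const char *changed_path = "/nonexistent-demo-dir";
    int by_name = status_with_path(changed_path, "sh", 1);      /* follows PATH */
    int by_abs  = status_with_path(changed_path, "/bin/sh", 0); /* ignores PATH */
    return (by_name == 127 && by_abs == 0) ? 0 : 1;
}
```

The name-based call follows whatever PATH the caller supplies, which is why a privileged program must not resolve helpers that way; the absolute-path call gives the same result regardless of the environment.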

Source: opennet.ru