Bug 13269

Summary: [CVE 21] libxpm 3.5.14 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: critical
Priority: High
CC: a.proklov, pastordidi, s.matveev, v.potapov, y.tumanov
Version: All
Flags: v.potapov: qa_verified+
       y.tumanov: secteam_verified+
       a.proklov: published+
Target Milestone: 2021.1 Fresh R12
Hardware: All
OS: Linux
URL: CVE-2022-44617, CVE-2022-46285, CVE-2022-4883
Whiteboard:
Platform: 2021.1 ROSA
Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Yury 2023-05-03 18:00:22 MSK
Please patch CVEs for package libxpm version 3.5.14

INFO (CVEs are): libxpm 3.5.14 CVEs found
CVE-2022-44617
Desc: A flaw was found in libXpm. When processing a file with width of 0 and a very large height, some parser functions will be called repeatedly and can lead to an infinite loop, resulting in a Denial of Service in the application linked to the library.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-44617
Severity: HIGH
CVE-2022-46285
Desc: A flaw was found in libXpm. This issue occurs when parsing a file with a comment not closed; the end-of-file condition will not be detected, leading to an infinite loop and resulting in a Denial of Service in the application linked to the library.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-46285
Severity: HIGH
CVE-2022-4883
Desc: A flaw was found in libXpm. When processing files with .Z or .gz extensions, the library calls external programs to compress and uncompress files, relying on the PATH environment variable to find these programs, which could allow a malicious user to execute other programs by manipulating the PATH environment variable.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-4883
Severity: HIGH
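The two parser flaws listed above (an unterminated comment that is never detected as end-of-file, and a zero width paired with a huge height) share one defensive shape: bound every read loop by the input length and validate the header values before any per-row work begins. The C below is an added illustration of those checks and is not libXpm's code nor a patch from this bug; the function names, the values-line layout it parses, and the MAX_DIMENSION and MAX_PIXELS caps are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical upper bounds for this sample validator (not libXpm's). */
#define MAX_DIMENSION 16384u
#define MAX_PIXELS    (64u * 1024u * 1024u)

/* Skip a C-style comment in buf starting at *pos (which must point at
 * the slash-star opener). Returns 1 and advances *pos past the closing
 * star-slash, or returns 0 and leaves *pos unchanged when the input ends
 * before the comment is closed. Bounding the loop by len is what turns
 * an unterminated comment into an error instead of a hang. */
int skip_comment(const char *buf, size_t len, size_t *pos)
{
    size_t i = *pos;
    if (i + 1 >= len || buf[i] != '/' || buf[i + 1] != '*')
        return 0;            /* not a comment opener */
    for (i += 2; i + 1 < len; i++) {
        if (buf[i] == '*' && buf[i + 1] == '/') {
            *pos = i + 2;
            return 1;
        }
    }
    return 0;                /* end of input: unterminated comment */
}

/* Validate image dimensions before any per-row or per-pixel loop runs.
 * Returns 1 if acceptable, 0 otherwise. A zero width with a very large
 * height is rejected here, so no row loop ever starts on such input. */
int dimensions_ok(unsigned width, unsigned height)
{
    if (width == 0 || height == 0)
        return 0;
    if (width > MAX_DIMENSION || height > MAX_DIMENSION)
        return 0;
    if ((unsigned long long)width * height > MAX_PIXELS)
        return 0;
    return 1;
}

/* Parse a "<width> <height> <ncolors> <cpp>" values line (the layout
 * assumed by this sample) and validate it. Returns 1 on success with
 * width/height filled in, 0 on malformed or rejected input. */
int parse_values_line(const char *line, unsigned *width, unsigned *height)
{
    unsigned w, h, ncolors, cpp;
    if (sscanf(line, "%u %u %u %u", &w, &h, &ncolors, &cpp) != 4)
        return 0;
    if (!dimensions_ok(w, h))
        return 0;
    *width = w;
    *height = h;
    return 1;
}

/* Constructed sample inputs for a stand-alone run. */
static const char CLOSED_COMMENT[]   = "/* XPM */ static char *x[]";
static const char UNCLOSED_COMMENT[] = "/* XPM  static char *x[]";

int main(void)
{
    size_t pos = 0;
    unsigned w = 0, h = 0;

    printf("closed comment skipped: %d (pos now %zu)\n",
           skip_comment(CLOSED_COMMENT, strlen(CLOSED_COMMENT), &pos), pos);
    pos = 0;
    printf("unclosed comment skipped: %d\n",
           skip_comment(UNCLOSED_COMMENT, strlen(UNCLOSED_COMMENT), &pos));
    printf("values \"16 16 2 1\" accepted: %d\n",
           parse_values_line("16 16 2 1", &w, &h));
    printf("values \"0 4294967295 2 1\" accepted: %d\n",
           parse_values_line("0 4294967295 2 1", &w, &h));
    return 0;
}
```

Compile with any C99 compiler and run. The point is that skip_comment reports failure when the input runs out rather than waiting for a terminator that never arrives, and that dimensions_ok rejects a zero width (and overflow-prone products) before any code iterates over the height.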
Comment 1 Svyatoslav Matveev 2023-05-24 12:05:53 MSK
********** QA ADVISORY **********

CVEs closed by patches.

*** libxpm

https://abf.io/build_lists/4443364
https://abf.io/build_lists/4443365
https://abf.io/build_lists/4443363
https://abf.io/build_lists/4443367
https://abf.io/build_lists/4443366
Comment 2 Dmitry Postnikov 2023-05-24 16:10:01 MSK
***************************
The update has been sent to testing.
Comment 3 Vladimir Potapov 2023-05-30 18:01:21 MSK
libxpm-3.5.14-2
https://abf.io/build_lists/4443364
https://abf.io/build_lists/4443365
https://abf.io/build_lists/4443363
https://abf.io/build_lists/4443367
https://abf.io/build_lists/4443366
************************** Advisory **********************
CVEs fixed
**********************************************************
QA Verified
Comment 4 Yury 2023-07-25 13:58:04 MSK
Secteam Verified