Lucene search

K
amazonAmazonALAS-2023-1693
HistoryFeb 17, 2023 - 12:02 a.m.

Important: libXpm

2023-02-1700:02:00
alas.aws.amazon.com
35
libxpm
denial of service
infinite loops
update
cve-2022-44617
cve-2022-46285
cve-2022-4883
external programs
path environment variable
red hat
mitre
unix

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.6

Confidence

High

EPSS

0.008

Percentile

82.0%

Issue Overview:

A flaw was found in libXpm. When processing a file with width of 0 and a very large height, some parser functions will be called repeatedly and can lead to an infinite loop, resulting in a Denial of Service in the application linked to the library. (CVE-2022-44617)

A flaw was found in libXpm. This issue occurs when parsing a file with a comment not closed; the end-of-file condition will not be detected, leading to an infinite loop and resulting in a Denial of Service in the application linked to the library. (CVE-2022-46285)

A flaw was found in libXpm. When processing files with .Z or .gz extensions, the library calls external programs to compress and uncompress files, relying on the PATH environment variable to find these programs, which could allow a malicious user to execute other programs by manipulating the PATH environment variable. (CVE-2022-4883)

Affected Packages:

libXpm

Issue Correction:
Run yum update libXpm to update your system.

New Packages:

i686:  
    libXpm-3.5.10-2.10.amzn1.i686  
    libXpm-devel-3.5.10-2.10.amzn1.i686  
    libXpm-debuginfo-3.5.10-2.10.amzn1.i686  
  
src:  
    libXpm-3.5.10-2.10.amzn1.src  
  
x86_64:  
    libXpm-3.5.10-2.10.amzn1.x86_64  
    libXpm-devel-3.5.10-2.10.amzn1.x86_64  
    libXpm-debuginfo-3.5.10-2.10.amzn1.x86_64  

Additional References

Red Hat: CVE-2022-44617, CVE-2022-46285, CVE-2022-4883

Mitre: CVE-2022-44617, CVE-2022-46285, CVE-2022-4883

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.6

Confidence

High

EPSS

0.008

Percentile

82.0%