Lucene search

K
amazonAmazonALAS-2023-1875
HistoryOct 30, 2023 - 11:31 p.m.

Medium: libXpm

2023-10-3023:31:00
alas.aws.amazon.com
8
libxpm
vulnerability
denial of service
yum update
new packages
cve-2023-43786
cve-2023-43787
cve-2023-43789
infinite loop
integer overflow
heap overflow
out of bounds read

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.2

Confidence

High

EPSS

0

Percentile

5.1%

Issue Overview:

A vulnerability was found in libX11 due to an infinite loop within the PutSubImage() function. This flaw allows a local user to consume all available system resources and cause a denial of service condition. (CVE-2023-43786)

libX11: integer overflow in XCreateImage() leading to a heap overflow. (CVE-2023-43787)

libXpm: out of bounds read on XPM with corrupted colormap (CVE-2023-43789)

Affected Packages:

libXpm

Issue Correction:
Run yum update libXpm to update your system.

New Packages:

i686:  
    libXpm-debuginfo-3.5.10-2.12.amzn1.i686  
    libXpm-devel-3.5.10-2.12.amzn1.i686  
    libXpm-3.5.10-2.12.amzn1.i686  
  
src:  
    libXpm-3.5.10-2.12.amzn1.src  
  
x86_64:  
    libXpm-debuginfo-3.5.10-2.12.amzn1.x86_64  
    libXpm-3.5.10-2.12.amzn1.x86_64  
    libXpm-devel-3.5.10-2.12.amzn1.x86_64  

Additional References

Red Hat: CVE-2023-43786, CVE-2023-43787, CVE-2023-43789

Mitre: CVE-2023-43786, CVE-2023-43787, CVE-2023-43789

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.2

Confidence

High

EPSS

0

Percentile

5.1%