Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <7b3fdf01-8189-567d-bf15-ba8478eaba79@oracle.com>
Date: Tue, 17 Jan 2023 08:47:45 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Fwd: X.Org Security Advisory: Issues handling XPM files in libXpm
 prior to 3.5.15

For the libXpm 3.5.15 release announcement, see:
https://lists.x.org/archives/xorg-announce/2023-January/003313.html


-------- Forwarded Message --------
Subject: X.Org Security Advisory: Issues handling XPM files in libXpm prior to 3.5.15
Date: Tue, 17 Jan 2023 08:41:00 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: xorg-announce@...ts.x.org
CC: xorg@...ts.x.org

X.Org Security Advisory:  January 17, 2023

Issues handling XPM files in libXpm prior to 3.5.15
===================================================

Three issues have been found in the libXpm library code to read XPM files
in libXpm 3.5.14 and earlier releases.

1) CVE-2022-46285: Infinite loop on unclosed comments

When reading XPM images from a file with libXpm 3.5.14 or older, if a
comment in the file is not closed (i.e. a C-style comment starts with
"/*" and is missing the closing "*/"), the ParseComment() function will
loop forever calling getc() to try to read the rest of the comment,
failing to notice that it has returned EOF, which may cause a denial of
service to the calling program.

This issue was found by Marco Ivaldi of the Humanativa Group's HN Security team.

The fix is provided in
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/a3a7c6dcc3b629d7650148

2) CVE-2022-44617: Runaway loop on width of 0 and enormous height

When reading XPM images from a file with libXpm 3.5.14 or older, if a
image has a width of 0 and a very large height, the ParsePixels() function
will loop over the entire height calling getc() and ungetc() repeatedly,
or in some circumstances, may loop seemingly forever, which may cause a denial
of service to the calling program when given a small crafted XPM file to parse.

This issue was found by Martin Ettl.

The fix is provided in
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/f80fa6ae47ad4a5beacb28
and
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/c5ab17bcc34914c0b0707d

3) CVE-2022-4883: compression commands depend on $PATH

By default, on all platforms except MinGW, libXpm will detect if a filename
ends in .Z or .gz, and will when reading such a file fork off an uncompress
or gunzip command to read from via a pipe, and when writing such a file will
fork off a compress or gzip command to write to via a pipe.

In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH
to find the commands.  If libXpm is called from a program running with
raised privileges, such as via setuid, then a malicious user could set
$PATH to include programs of their choosing to be run with those privileges.

This issue was found by Alan Coopersmith of the Oracle Solaris team.

The fix is provided in
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/515294bb8023a45ff91669
and
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/8178eb0834d82242e1edbc

libXpm 3.5.15 includes fixes for all three of these issues.  It also adds
a new configure option --disable-open-zfile that makes it easy for people
building libXpm to completely disable the code to fork compression and
uncompression programs if they do not have a need for it in their use case.

X.Org thanks all of those who reported and fixed these issues, and those
who helped with the review and release of this advisory and these fixes.

The X.Org security team would like to take this opportunity to remind X client
authors that current best practices suggest separating code that requires
privileges from the GUI, to reduce the risk of issues like CVE-2022-4883.

-- 
      -Alan Coopersmith-              alan.coopersmith@...cle.com
        X.Org Security Response Team - xorg-security@...ts.x.org

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.