Bug 1207030 (CVE-2022-44617) - VUL-0: CVE-2022-44617: libXpm: Runaway loop on width of 0 and enormous height
Summary: VUL-0: CVE-2022-44617: libXpm: Runaway loop on width of 0 and enormous height
Status: RESOLVED FIXED
Alias: CVE-2022-44617
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium / Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/353361/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-44617:5.5:(AV:...
Reported: 2023-01-11 06:26 UTC by Thomas Leroy
Modified: 2024-05-03 09:36 UTC (History)
4 users


Attachments
regression patch (1.26 KB, patch)
2023-01-13 07:52 UTC, Thomas Leroy
2022-01-17: new patch series (6.51 KB, application/gzip)
2023-01-17 08:39 UTC, Thomas Leroy

Comment 4 Stefan Dirsch 2023-01-11 10:36:40 UTC
Thanks. Similar to bsc#1207029 there is an additional patch

  0003-test-add-test-cases-for-CVE-2022-44617-zero-width-w-.patch

which patches a non-existing test/ subdir in the libXpm tarball. What should I do with it?
Comment 5 Thomas Leroy 2023-01-11 10:58:15 UTC
(In reply to Stefan Dirsch from comment #4)
> Thanks. Similar to bsc#1207029 there is an additional patch
> 
>   0003-test-add-test-cases-for-CVE-2022-44617-zero-width-w-.patch
> 
> which patches a non-existing test/ subdir in the libXpm tarball. What
> should I do with it?

Seems like the test directory has been added very recently:
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/501494c6c68a84114fdd0b44d4b67ef9cde776c9
Comment 6 Stefan Dirsch 2023-01-11 12:37:07 UTC
(In reply to Thomas Leroy from comment #5)
> (In reply to Stefan Dirsch from comment #4)
> > Thanks. Similar to bsc#1207029 there is an additional patch
> > 
> >   0003-test-add-test-cases-for-CVE-2022-44617-zero-width-w-.patch
> > 
> > which patches a non-existing test/ subdir in the libXpm tarball. What
> > should I do with it?
> 
> Seems like the test directory has been added very recently:
> https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/501494c6c68a84114fdd0b44d4b67ef9cde776c9

Thanks! Meanwhile I noticed myself. So I won't add this patch.
Comment 7 Stefan Dirsch 2023-01-11 16:39:49 UTC
Submitted now to sle15, sle12 and sle11.
Comment 8 Stefan Dirsch 2023-01-11 16:42:21 UTC
I will also submit to obs://X11:XOrg/libXpm and forward to factory/TW once it has been officially announced. Reassigning to security team now.
Comment 10 Thomas Leroy 2023-01-13 07:52:13 UTC
Upstream discussion:

"Further testing & review by X.Org security team members Matthieu Herrb and
Peter Hutterer found that once the runaway loop is fixed, code paths that
deal with XImages (such as our sxpm sample program) could lead to a double
free on the error path we now take, so we will be adding the following
additional patch in the 3.5.15 release to prevent that."
Comment 11 Thomas Leroy 2023-01-13 07:52:27 UTC
Created attachment 864085 [details]
regression patch
Comment 12 Stefan Dirsch 2023-01-13 21:35:33 UTC
I just resubmitted with the regression patch.
Comment 14 Thomas Leroy 2023-01-17 08:39:24 UTC
And another regression with this patch series... I'm not aware of any CRD postponing

Peter Hutterer found another issue with the proposed patches, so one more
patch will be added to this set.  I've attached a tarball with the latest
version of all the patches in this set - the new patch is in that tarball
as 0007-Use-gzip-d-instead-of-gunzip.patch - Peter's explanation for this
issue follows.

I've also added a reminder to our advisory:

The X.Org security team would like to take this opportunity to remind X client
authors that current best practices suggest separating code that requires
privileges from the GUI, to reduce the risk of issues like CVE-2022-4883.

     -Alan Coopersmith-              alan.coopersmith@oracle.com
       X.Org Security Response Team - xorg-security@lists.x.org

-------- Forwarded Message --------
Subject: Re: Embargoed X.Org Security Advisory: Issues handling XPM files in libXpm prior to 3.5.15
Date: Mon, 16 Jan 2023 20:09:24 +1000
From: Peter Hutterer <peter.hutterer@redhat.com>
To: xorg-security@lists.x.org, Alan Coopersmith <alan.coopersmith@oracle.com>

On 11/1/23 04:06, Alan Coopersmith wrote:
> 3) CVE-2022-4883: compression commands depend on $PATH
>
> By default, on all platforms except MinGW, libXpm will detect if a filename
> ends in .Z or .gz, and will when reading such a file fork off an uncompress
> or gunzip command to read from via a pipe, and when writing such a file will
> fork off a compress or gzip command to write to via a pipe.
>
> In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH
> to find the commands.  If libXpm is called from a program running with
> raised privileges, such as via setuid, then a malicious user could set
> $PATH to include programs of their choosing to be run with those privileges.


Apologies for the late notice but I just found out that this only fixes the issue on *our* side but the exploit still works with GNU gzip [0], i.e. on a typical Linux installation. A quick check of FreeBSD's source [1] shows that its implementation of gunzip is not affected since it uses argv0 instead, don't know about Solaris.

Anyway: libXpm now correctly calls /usr/bin/gunzip <filename>. Except:
   $ file /usr/bin/gunzip
   /usr/bin/gunzip: POSIX shell script, ASCII text executable
   $ tail -1 /usr/bin/gunzip
   exec gzip -d "$@"

So, we now call the correct gunzip which will then call whichever gzip is in $PATH. Oops.

Simple reproducer:

# let's get a working xpm file from xterm
$ cp /usr/share/pixmaps/xterm_48x48.xpm .
$ gzip xterm_48x48.xpm

$ echo "echo 'FAIL' > /tmp/gzip.tmp; exit 1" > gzip
$ PATH="$PWD:$PATH" cxpm xterm_48x48.xpm.gz
Xpm Error: Invalid XPM file.
Error found line 1 near character 1
$ cat /tmp/gzip.tmp
FAIL

This is clearly a GNU gzip bug but I think we should change our patch to call `gzip -d` explicitly, see attached. Otherwise all the Linux distros will have to carry that patch separately.

I think that's compatible enough or does a case exist where gzip -d doesn't work but gunzip would?

Alan: I'm fine with squashing this into yours instead of a separate patch, either way works for me.

Cheers,
   Peter

[0] https://git.savannah.gnu.org/cgit/gzip.git/tree/gunzip.in
[1] https://github.com/freebsd/freebsd-src/tree/main/usr.bin/gzip
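A hardened spawn that addresses both points raised in the forwarded message, added here as an example and not libXpm's code or the patch under discussion: the decompressor is started through execve with an absolute path and an explicit -d (so neither the caller's $PATH nor the gunzip wrapper script is consulted) and with a fixed environment. The candidate gzip paths, the sample gzip bytes and the function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Absolute locations tried for GNU gzip (assumed; fixed at build time, never via $PATH). */
static const char *const GZIP_CANDIDATES[] = { "/usr/bin/gzip", "/bin/gzip", NULL };
/* Minimal child environment: the caller's PATH, LD_PRELOAD etc. are not inherited. */
static char *const CHILD_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Run "gzip -d -c -- <path>" through execve (no PATH lookup, no gunzip wrapper script),
 * collect its stdout and return a NUL-terminated buffer the caller frees; NULL on failure. */
char *decompress_gz(const char *path, size_t *out_len)
{
    int fds[2]; if (pipe(fds) != 0) return NULL;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return NULL; }
    if (pid == 0) {                                   /* child */
        close(fds[0]); dup2(fds[1], STDOUT_FILENO); close(fds[1]);
        char *const argv[] = { "gzip", "-d", "-c", "--", (char *)path, NULL };
        for (const char *const *p = GZIP_CANDIDATES; *p; p++)
            execve(*p, argv, CHILD_ENV);              /* returns only on failure */
        _exit(127);
    }
    close(fds[1]);                                    /* parent: drain the pipe */
    size_t cap = 4096, len = 0; ssize_t n;
    char *buf = malloc(cap);
    while (buf && (n = read(fds[0], buf + len, cap - len - 1)) > 0) {
        len += (size_t)n;
        if (cap - len < 2) { char *nb = realloc(buf, cap *= 2); if (!nb) free(buf); buf = nb; }
    }
    close(fds[0]);
    int status = 0; waitpid(pid, &status, 0);
    if (!buf || !WIFEXITED(status) || WEXITSTATUS(status) != 0) { free(buf); return NULL; }
    buf[len] = '\0';
    if (out_len) *out_len = len;
    return buf;
}

/* Constructed sample input: the gzip stream of "hello\n" (mtime 0), 26 bytes. */
int write_sample_gz(const char *path)
{
    static const unsigned char gz[] = { 0x1f,0x8b,0x08,0x00,0x00,0x00,0x00,0x00,0x00,0x03,
        0xcb,0x48,0xcd,0xc9,0xc9,0xe7,0x02,0x00, 0x20,0x30,0x3a,0x36, 0x06,0x00,0x00,0x00 };
    FILE *f = fopen(path, "wb"); if (!f) return -1;
    size_t w = fwrite(gz, 1, sizeof gz, f);
    return (fclose(f) == 0 && w == sizeof gz) ? 0 : -1;
}
```

A non-zero gzip exit (missing file, corrupt stream, no gzip at any candidate path) yields NULL rather than partial output, which is the error path the caller must then handle without a second free.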
Comment 15 Thomas Leroy 2023-01-17 08:39:44 UTC
Created attachment 864166 [details]
2022-01-17: new patch series
Comment 17 Stefan Dirsch 2023-01-17 13:07:52 UTC
I resubmitted with the new regression patch.
Comment 18 Stefan Dirsch 2023-01-17 18:12:23 UTC
https://seclists.org/oss-sec/2023/q1/32
Comment 19 Stefan Dirsch 2023-01-17 18:17:27 UTC
Submitted to devel project and factory/Tumbleweed.
Comment 20 Stefan Dirsch 2023-01-17 18:17:35 UTC
Submitted to devel project and factory/Tumbleweed.
Comment 21 OBSbugzilla Bot 2023-01-17 18:55:04 UTC
This is an autogenerated message for OBS integration:
This bug (1207030) was mentioned in
https://build.opensuse.org/request/show/1059036 Factory / libXpm
Comment 22 Swamp Workflow Management 2023-01-26 20:28:38 UTC
SUSE-SU-2023:0165-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1207029,1207030,1207031
CVE References: CVE-2022-44617,CVE-2022-46285,CVE-2022-4883
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    libXpm-3.5.11-6.7.1
SUSE OpenStack Cloud 9 (src):    libXpm-3.5.11-6.7.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libXpm-3.5.11-6.7.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    libXpm-3.5.11-6.7.1
SUSE Linux Enterprise Server 12-SP5 (src):    libXpm-3.5.11-6.7.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    libXpm-3.5.11-6.7.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    libXpm-3.5.11-6.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Swamp Workflow Management 2023-01-26 20:44:47 UTC
SUSE-SU-2023:0171-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1207029,1207030,1207031
CVE References: CVE-2022-44617,CVE-2022-46285,CVE-2022-4883
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    libXpm-3.5.12-150000.3.7.2
SUSE Manager Server 4.2 (src):    libXpm-3.5.12-150000.3.7.2
SUSE Manager Retail Branch Server 4.2 (src):    libXpm-3.5.12-150000.3.7.2
SUSE Manager Proxy 4.2 (src):    libXpm-3.5.12-150000.3.7.2
SUSE Linux Enterprise Workstation Extension 15-SP4 (src):    libXpm-3.5.12-150000.3.7.2
SUSE Linux Enterprise Server for SAP 15-SP3 (src):    libXpm-3.5.12-150000.3.7.2
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    libXpm-3.5.12-150000.3.7.2
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    libXpm-3.5.12-150000.3.7.2
SUSE Linux Enterprise Server 15-SP3-LTSS (src):    libXpm-3.5.12-150000.3.7.2
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    libXpm-3.5.12-150000.3.7.2
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    libXpm-3.5.12-150000.3.7.2
SUSE Linux Enterprise Realtime Extension 15-SP3 (src):    libXpm-3.5.12-150000.3.7.2
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src):    libXpm-3.5.12-150000.3.7.2
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    libXpm-3.5.12-150000.3.7.2
SUSE Linux Enterprise High Performance Computing 15-SP3-LTSS (src):    libXpm-3.5.12-150000.3.7.2
SUSE Linux Enterprise High Performance Computing 15-SP3-ESPOS (src):    libXpm-3.5.12-150000.3.7.2
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    libXpm-3.5.12-150000.3.7.2
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    libXpm-3.5.12-150000.3.7.2
SUSE Enterprise Storage 7.1 (src):    libXpm-3.5.12-150000.3.7.2
SUSE Enterprise Storage 7 (src):    libXpm-3.5.12-150000.3.7.2
SUSE Enterprise Storage 6 (src):    libXpm-3.5.12-150000.3.7.2
SUSE CaaS Platform 4.0 (src):    libXpm-3.5.12-150000.3.7.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 25 Robert Frohl 2024-05-03 09:36:13 UTC
done, closing