ALT-BU-2023-2298-1
Branch sisyphus_e2k update bulletin.
Package libXpm updated to version 3.5.15-alt1 for branch sisyphus_e2k.
Closed vulnerabilities
BDU:2023-00388
Vulnerability in the X Pixmap (XPM) image file library libXpm related to untrusted search paths, allowing an attacker to execute arbitrary code with elevated privileges
BDU:2023-00389
Vulnerability in the ParsePixels() function of the X Pixmap (XPM) image file library libXpm, allowing an attacker to cause a denial of service
BDU:2023-00390
Vulnerability in the ParseComment() function of the X Pixmap (XPM) image file library libXpm, allowing an attacker to cause a denial of service
Modified: 2025-03-25
CVE-2022-44617
A flaw was found in libXpm. When processing a file with width of 0 and a very large height, some parser functions will be called repeatedly and can lead to an infinite loop, resulting in a Denial of Service in the application linked to the library.
- https://bugzilla.redhat.com/show_bug.cgi?id=2160193
- https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/f80fa6ae47ad4a5beacb28
- https://gitlab.freedesktop.org/xorg/lib/libxpm/-/merge_requests/9
- [debian-lts-announce] 20230620 [SECURITY] [DLA 3459-1] libxpm security update
- https://lists.x.org/archives/xorg-announce/2023-January/003312.html
Modified: 2025-03-25
CVE-2022-46285
A flaw was found in libXpm. This issue occurs when parsing a file with a comment not closed; the end-of-file condition will not be detected, leading to an infinite loop and resulting in a Denial of Service in the application linked to the library.
- [oss-security] 20231003 Fwd: X.Org Security Advisory: Issues in libX11 prior to 1.8.7 & libXpm prior to 3.5.17
- [oss-security] 20231003 Re: Fwd: X.Org Security Advisory: Issues in libX11 prior to 1.8.7 & libXpm prior to 3.5.17
- https://bugzilla.redhat.com/show_bug.cgi?id=2160092
- https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/a3a7c6dcc3b629d7650148
- https://gitlab.freedesktop.org/xorg/lib/libxpm/-/merge_requests/9
- [debian-lts-announce] 20230620 [SECURITY] [DLA 3459-1] libxpm security update
- https://lists.x.org/archives/xorg-announce/2023-January/003312.html
Modified: 2025-03-20
CVE-2022-4883
A flaw was found in libXpm. When processing files with .Z or .gz extensions, the library calls external programs to compress and uncompress files, relying on the PATH environment variable to find these programs, which could allow a malicious user to execute other programs by manipulating the PATH environment variable.
- https://bugzilla.redhat.com/show_bug.cgi?id=2160213
- https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/515294bb8023a45ff91669
- https://gitlab.freedesktop.org/xorg/lib/libxpm/-/merge_requests/9
- [debian-lts-announce] 20230620 [SECURITY] [DLA 3459-1] libxpm security update
- https://lists.x.org/archives/xorg-announce/2023-January/003312.html
Package pkgconf updated to version 1.9.4-alt1 for branch sisyphus_e2k.
Closed vulnerabilities
BDU:2023-02340
Vulnerability in the pkgconf_tuple_parse function (libpkgconf/tuple.c) of pkgconf, the tool for configuring compiler and linker flags for development libraries, allowing an attacker to cause a denial of service
Modified: 2025-04-02
CVE-2023-24056
In pkgconf through 1.9.3, variable duplication can cause unbounded string expansion due to incorrect checks in libpkgconf/tuple.c:pkgconf_tuple_parse. For example, a .pc file containing a few hundred bytes can expand to one billion bytes.
- https://gitea.treehouse.systems/ariadne/pkgconf/commit/628b2b2bafa5d3a2017193ddf375093e70666059
- https://github.com/pkgconf/pkgconf/tags
- https://nullprogram.com/blog/2023/01/18/
Package libcgroup updated to version 2.0.3-alt1 for branch sisyphus_e2k.
Closed bugs
Read /etc/cgconfig.d/* on start/stop
Package sudo updated to version 1.9.12p2-alt1 for branch sisyphus_e2k.
Closed vulnerabilities
BDU:2023-00210
Vulnerability in the sudoedit function of the Sudo system administration program, allowing an attacker to escalate their privileges
Modified: 2025-04-04
CVE-2023-22809
In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.
- http://packetstormsecurity.com/files/171644/sudo-1.9.12p1-Privilege-Escalation.html
- http://packetstormsecurity.com/files/172509/Sudoedit-Extra-Arguments-Privilege-Escalation.html
- http://packetstormsecurity.com/files/174234/Cisco-ThousandEyes-Enterprise-Agent-Virtual-Appliance-Arbitrary-File-Modification.html
- 20230817 KL-001-2023-003: Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Modification via sudoedit
- [oss-security] 20230119 CVE-2023-22809: Sudoedit can edit arbitrary files
- [debian-lts-announce] 20230118 [SECURITY] [DLA 3272-1] sudo security update
- FEDORA-2023-9078f609e6
- FEDORA-2023-298c136eee
- GLSA-202305-12
- https://security.netapp.com/advisory/ntap-20230127-0015/
- https://support.apple.com/kb/HT213758
- DSA-5321
- https://www.sudo.ws/security/advisories/sudoedit_any/
- https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf
Closed bugs
vulnerability (CVE-2023-22809)