CVE-2022-4883

Name
CVE-2022-4883
Description
A flaw was found in libXpm. When reading or writing files with .Z or .gz extensions, the library runs external programs to compress and uncompress them and locates those programs through the PATH environment variable. A user who controls PATH can therefore make the library execute a program of their choice in place of the expected compressor. This matters where libXpm runs with privileges the caller does not have, for example in a setuid program or a service that inherits an untrusted environment; in the caller's own session, controlling PATH gains nothing extra.
NVD Severity
high
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://bugzilla.redhat.com/show_bug.cgi?id=2160213
MISC https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/515294bb8023a45ff91669
MISC https://lists.x.org/archives/xorg-announce/2023-January/003312.html
MISC https://gitlab.freedesktop.org/xorg/lib/libxpm/-/merge_requests/9
MLIST https://lists.debian.org/debian-lts-announce/2023/06/msg00021.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:x.org:libxpm:*:*:*:*:*:*:*:* libxpm >= None < 3.5.15

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
libxpm 3.17-main 3.5.15-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
libxpm 3.16-main 3.5.15-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
libxpm 3.15-main 3.5.15-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
libxpm 3.14-main 3.5.15-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
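
Worked example of the weakness described above, added here and not libXpm's own code. It contrasts a PATH-style lookup of the external uncompress helper, where whoever controls PATH decides which binary runs, with a lookup pinned to a compiled-in list of absolute directories that never consults PATH. The helper name, the trusted directories and the fake filesystem (an attacker-writable /tmp/evil next to the real /usr/bin) are constructed for the demonstration; the existence check is injected so the code runs without touching the disk.

```c
/* Added example (not libXpm code): a PATH-dependent lookup of an external
 * (un)compressor versus a lookup pinned to fixed absolute directories.
 * Helper name, directories and the fake filesystem are demo assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Existence predicate is injected so the lookup can be exercised without
 * touching the real filesystem. */
typedef int (*exists_fn)(const char *path);

/* PATH-style lookup: the first directory in 'path_env' holding 'prog' wins,
 * so a caller who controls PATH decides which binary runs.
 * Returns 0 and fills 'out' on success, -1 otherwise. */
int find_in_path(const char *prog, const char *path_env, exists_fn exists,
                 char *out, size_t outlen)
{
    if (!prog || !path_env || !exists || !out || outlen == 0)
        return -1;
    const char *p = path_env;
    while (*p) {
        const char *end = strchr(p, ':');
        size_t dirlen = end ? (size_t)(end - p) : strlen(p);
        /* An empty PATH element means the current directory (execvp rule). */
        int n = dirlen == 0
                  ? snprintf(out, outlen, "./%s", prog)
                  : snprintf(out, outlen, "%.*s/%s", (int)dirlen, p, prog);
        if (n < 0 || (size_t)n >= outlen)
            return -1;
        if (exists(out))
            return 0;
        if (!end)
            break;
        p = end + 1;
    }
    out[0] = '\0';
    return -1;
}

/* Hardened lookup: only a compiled-in list of absolute directories is
 * consulted and PATH is never read. A 'prog' containing '/' is rejected so
 * the caller cannot smuggle in a relative or absolute path of its own.
 * The directory list is an assumption for the demo. */
static const char *const TRUSTED_DIRS[] = { "/usr/bin", "/bin", NULL };

int resolve_trusted(const char *prog, exists_fn exists, char *out, size_t outlen)
{
    if (!prog || strchr(prog, '/') || !exists || !out || outlen == 0)
        return -1;
    for (int i = 0; TRUSTED_DIRS[i]; i++) {
        int n = snprintf(out, outlen, "%s/%s", TRUSTED_DIRS[i], prog);
        if (n < 0 || (size_t)n >= outlen)
            return -1;
        if (exists(out))
            return 0;
    }
    out[0] = '\0';
    return -1;
}

/* Constructed filesystem for the demo: an attacker-writable directory holds
 * a fake 'uncompress', and the real one lives in /usr/bin. */
static int demo_exists(const char *path)
{
    return strcmp(path, "/tmp/evil/uncompress") == 0 ||
           strcmp(path, "/usr/bin/uncompress") == 0;
}

/* Attacker-controlled PATH used throughout the demo. */
static const char *const ATTACKER_PATH = "/tmp/evil:/usr/bin:/bin";

/* What a PATH-based lookup of 'uncompress' resolves to under ATTACKER_PATH. */
const char *demo_path_pick(void)
{
    static char buf[256];
    if (find_in_path("uncompress", ATTACKER_PATH, demo_exists, buf, sizeof buf) != 0)
        return "";
    return buf;
}

/* What the pinned lookup resolves to, regardless of PATH. */
const char *demo_trusted_pick(void)
{
    static char buf[256];
    if (resolve_trusted("uncompress", demo_exists, buf, sizeof buf) != 0)
        return "";
    return buf;
}

int main(void)
{
    printf("PATH lookup picks:   %s\n", demo_path_pick());    /* /tmp/evil/uncompress */
    printf("pinned lookup picks: %s\n", demo_trusted_pick()); /* /usr/bin/uncompress */
    return 0;
}
```

The same argument applies to the gzip helper used for .gz files. Note that pinning the path only closes the PATH vector; a helper that is itself replaceable by the attacker (a writable /usr/bin) or an environment that still influences the helper (for example variables the compressor honours) needs its own review, and a privileged caller should also sanitise or reset the environment before spawning anything.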