6495 – [Anolis OS 7] Bugfix for CVE-2022-4883

Bug 6495 - [Anolis OS 7] Bugfix for CVE-2022-4883

Summary: [Anolis OS 7] Bugfix for CVE-2022-4883

Status:	NEW

Alias:	None

Product:	Anolis OS 7
Classification:	Anolis OS
Component:	BaseOS Packages (show other bugs)	BaseOS Packages
Sub Component:
Version:	7.7
Hardware:	All Linux

Importance:	P2-High S2-major
Target Milestone:	---
Assignee:	杨晓旋
QA Contact:	杨晓旋

URL:
Whiteboard:
Keywords:	CVE

Depends on:
Blocks:

Reported:	2023-09-08 14:41 UTC by 小龙
Modified:	2023-09-08 14:41 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description 小龙 admin

2023-09-08 14:41:30 UTC

Description:
A flaw was found in libXpm. When processing files with .Z or .gz extensions, the library calls external programs to compress and uncompress files, relying on the PATH environment variable to find these programs, which could allow a malicious user to execute other programs by manipulating the PATH environment variable.

Broken commit info:

Bugfix commit info:
https://bugzilla.suse.com/attachment.cgi?id=864083
https://bugzilla.suse.com/attachment.cgi?id=864028
https://bugzilla.suse.com/attachment.cgi?id=864027
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/515294bb8023a45ff91669
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/8178eb0834d82242e1edbc