Bug 891209 (CVE-2022-44617, CVE-2022-46285, CVE-2022-4883)

Summary:	<x11-libs/libXpm-3.5.16: multiple vulnerabilities
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	IN_PROGRESS ---
Severity:	normal	CC:	maracay
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://www.openwall.com/lists/oss-security/2023/01/17/2
Whiteboard:	A3 [glsa?]
Package list:		Runtime testing required:	---
Bug Depends on:	907616
Bug Blocks:

Description John Helmert III archtester

2023-01-17 17:18:58 UTC

"1) CVE-2022-46285: Infinite loop on unclosed comments
2) CVE-2022-44617: Runaway loop on width of 0 and enormous height
3) CVE-2022-4883: compression commands depend on $PATH"

Please bump to 3.5.15.

Comment 1 Sam James archtester

2023-02-05 16:46:19 UTC

ping. I did take a look at this but couldn't do it myself as was unsure what to do wrt new config options.

Comment 2 Larry the Git Cow gentoo-dev

2023-04-17 20:35:00 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=414462335909ac1cdfa276058238304228c7b129

commit 414462335909ac1cdfa276058238304228c7b129
Author:     Matt Turner <mattst88@gentoo.org>
AuthorDate: 2023-04-17 20:33:54 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2023-04-17 20:34:56 +0000

    x11-libs/libXpm: Version bump to 3.5.16
    
    Bug: https://bugs.gentoo.org/891209
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 x11-libs/libXpm/Manifest             |  1 +
 x11-libs/libXpm/libXpm-3.5.16.ebuild | 41 ++++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+)

Comment 3 Matt Turner gentoo-dev

2024-01-18 18:13:53 UTC

commit 08bafdc67f518b3159d0ae291d6a8bfe29f95213
Author: Matt Turner <mattst88@gentoo.org>
Date:   Mon Jun 5 11:30:22 2023 -0400

    x11-libs/libXpm: Drop old versions