libxpm is vulnerable to Remote Code Execution (RCE). When processing files with .Z or .gz extensions, the library calls external programs to compress and uncompress them. Because these helper programs are looked up via the PATH environment variable, a malicious user who can manipulate PATH could cause the library to execute other programs instead.
bugzilla.redhat.com/show_bug.cgi?id=2160213
gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/515294bb8023a45ff91669
gitlab.freedesktop.org/xorg/lib/libxpm/-/merge_requests/9
lists.debian.org/debian-lts-announce/2023/06/msg00021.html
lists.x.org/archives/xorg-announce/2023-January/003312.html
secdb.alpinelinux.org/edge/main.yaml
secdb.alpinelinux.org/v3.14/main.yaml
secdb.alpinelinux.org/v3.15/main.yaml
secdb.alpinelinux.org/v3.16/main.yaml
secdb.alpinelinux.org/v3.17/main.yaml