diff options
| author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2023-01-06 12:50:48 -0800 |
|---|---|---|
| committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2023-01-12 15:47:43 -0800 |
| commit | 515294bb8023a45ff916696d0a14308ff4f3a376 (patch) | |
| tree | 97c28ec16bd3a548f0ef5638e39d267ffa6c506a /src/WrFFrI.c | |
| parent | f80fa6ae47ad4a5beacb287c0030c9913b046643 (diff) | |
Fix CVE-2022-4883: compression commands depend on $PATH
By default, on all platforms except MinGW, libXpm will detect if a
filename ends in .Z or .gz, and will when reading such a file fork off
an uncompress or gunzip command to read from via a pipe, and when
writing such a file will fork off a compress or gzip command to write
to via a pipe.
In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH
to find the commands. If libXpm is called from a program running with
raised privileges, such as via setuid, then a malicious user could set
$PATH to include programs of their choosing to be run with those
privileges.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'src/WrFFrI.c')
| -rw-r--r-- | src/WrFFrI.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/WrFFrI.c b/src/WrFFrI.c index 328c987..d59098f 100644 --- a/src/WrFFrI.c +++ b/src/WrFFrI.c @@ -342,10 +342,10 @@ OpenWriteFile( #ifndef NO_ZPIPE len = strlen(filename); if (len > 2 && !strcmp(".Z", filename + (len - 2))) { - mdata->stream.file = xpmPipeThrough(fd, "compress", NULL, "w"); + mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_COMPRESS, NULL, "w"); mdata->type = XPMPIPE; } else if (len > 3 && !strcmp(".gz", filename + (len - 3))) { - mdata->stream.file = xpmPipeThrough(fd, "gzip", "-q", "w"); + mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-q", "w"); mdata->type = XPMPIPE; } else #endif |