From 515294bb8023a45ff916696d0a14308ff4f3a376 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Fri, 6 Jan 2023 12:50:48 -0800 Subject: Fix CVE-2022-4883: compression commands depend on $PATH By default, on all platforms except MinGW, libXpm will detect if a filename ends in .Z or .gz, and will when reading such a file fork off an uncompress or gunzip command to read from via a pipe, and when writing such a file will fork off a compress or gzip command to write to via a pipe. In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH to find the commands. If libXpm is called from a program running with raised privileges, such as via setuid, then a malicious user could set $PATH to include programs of their choosing to be run with those privileges. Signed-off-by: Alan Coopersmith --- src/WrFFrI.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/WrFFrI.c') diff --git a/src/WrFFrI.c b/src/WrFFrI.c index 328c987..d59098f 100644 --- a/src/WrFFrI.c +++ b/src/WrFFrI.c @@ -342,10 +342,10 @@ OpenWriteFile( #ifndef NO_ZPIPE len = strlen(filename); if (len > 2 && !strcmp(".Z", filename + (len - 2))) { - mdata->stream.file = xpmPipeThrough(fd, "compress", NULL, "w"); + mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_COMPRESS, NULL, "w"); mdata->type = XPMPIPE; } else if (len > 3 && !strcmp(".gz", filename + (len - 3))) { - mdata->stream.file = xpmPipeThrough(fd, "gzip", "-q", "w"); + mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-q", "w"); mdata->type = XPMPIPE; } else #endif -- cgit v1.2.3