-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 19 Jun 2023 20:27:53 +0000
Source: libxpm
Architecture: source
Version: 1:3.5.12-1+deb10u1
Distribution: buster-security
Urgency: medium
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Bastien Roucaries <rouca@debian.org>
Changes:
 libxpm (1:3.5.12-1+deb10u1) buster-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
   * Switch to dpkg-source 3.0 (quilt) format
   * Fix CVE-2022-4883: When processing files with .Z or .gz extensions,
     the library calls external programs to compress and uncompress files,
     relying on the PATH environment variable to find these programs,
     which could allow a malicious user to execute other programs by
     manipulating the PATH environment variable.
   * Fix CVE-2022-44617: When processing a file with width of 0 and a very
     large height, some parser functions will be called repeatedly and can
     lead to an infinite loop, resulting in a Denial of Service in the
     application linked to the library.
   * Fix CVE-2022-46285: when parsing a file with a comment not closed an
     end-of-file condition will not be detected, leading to an infinite
     loop and resulting in a Denial of Service in the application linked
     to the library.