Fix CVE-2022-4883: compression commands depend on $PATH

By default, on all platforms except MinGW, libXpm will detect if a
filename ends in .Z or .gz, and will when reading such a file fork off
an uncompress or gunzip command to read from via a pipe, and when
writing such a file will fork off a compress or gzip command to write
to via a pipe.

In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH
to find the commands.  If libXpm is called from a program running with
raised privileges, such as via setuid, then a malicious user could set
$PATH to include programs of their choosing to be run with those
privileges.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

1 files changed, 12 insertions, 0 deletions

diff --git a/README.md b/README.md
index 7895350..30fdd8e 100644
--- a/README.md
+++ b/README.md
@@ -31,3 +31,15 @@ if it can't find the file it was asked to open.  It relies on the
 --enable-open-zfile feature to open the file, and is enabled by default
 when --enable-open-zfile is enabled, and can be disabled by passing the
 --disable-stat-zfile flag to the configure script.
+
+All of these commands will be executed with whatever userid & privileges the
+function is called with, relying on the caller to ensure the correct euid,
+egid, etc. are set before calling.
+
+To reduce risk, the paths to these commands are now set at configure time to
+the first version found in the PATH used to run configure, and do not depend
+on the PATH environment variable set at runtime.
+
+To specify paths to be used for these commands instead of searching $PATH, pass
+the XPM_PATH_COMPRESS, XPM_PATH_UNCOMPRESS, XPM_PATH_GZIP, and XPM_PATH_GUNZIP
+variables to the configure command.