From 515294bb8023a45ff916696d0a14308ff4f3a376 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Fri, 6 Jan 2023 12:50:48 -0800
Subject: Fix CVE-2022-4883: compression commands depend on $PATH

By default, on all platforms except MinGW, libXpm will detect if a filename ends in .Z or .gz, and will when reading such a file fork off an uncompress or gunzip command to read from via a pipe, and when writing such a file will fork off a compress or gzip command to write to via a pipe. In libXpm 3.5.14 or older these are run via execlp(), relying on $PATH to find the commands. If libXpm is called from a program running with raised privileges, such as via setuid, then a malicious user could set $PATH to include programs of their choosing to be run with those privileges.

Signed-off-by: Alan Coopersmith
---
 configure.ac | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
(limited to 'configure.ac')

diff --git a/configure.ac b/configure.ac
index 2f90a68..e6b6509 100644
--- a/configure.ac
+++ b/configure.ac
@@ -49,6 +49,14 @@ if test "x$USE_GETTEXT" = "xyes" ; then
 fi
 AM_CONDITIONAL(USE_GETTEXT, test "x$USE_GETTEXT" = "xyes")
+dnl Helper macro to find absolute path to program and add a #define for it
+AC_DEFUN([XPM_PATH_PROG],[
+AC_PATH_PROG([$1], [$2], [])
+AS_IF([test "x$$1" = "x"],
+ [AC_MSG_ERROR([$2 not found, set $1 or use --disable-stat-zfile])])
+AC_DEFINE_UNQUOTED([$1], ["$$1"], [Path to $2])
+]) dnl End of AC_DEFUN([XPM_PATH_PROG]...
+
 # Optional feature: When a filename ending in .Z or .gz is requested,
 # open a pipe to a newly forked compress/uncompress/gzip/gunzip command to
 # handle it.
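Review bot: The AC_MSG_ERROR text in the AS_IF branch of XPM_PATH_PROG tells the user to pass --disable-stat-zfile, but the macro's only call site (next hunk) is the else branch of the OPEN_ZFILE test, directly under AC_MSG_RESULT([$OPEN_ZFILE]); that strongly suggests the pipe feature is governed by a different switch (presumably --disable-open-zfile, if the enable option is named after the variable), so a user who follows the message would disable the wrong feature and still hit the error. Worth checking against the AC_ARG_ENABLE block above this hunk and naming the option that actually sets OPEN_ZFILE, e.g. `[AC_MSG_ERROR([$2 not found, set $1 or use --disable-open-zfile])]`. The macro header comment should also say that AC_PATH_PROG searches the configure-time $PATH of the build host and that presetting `$1` on the configure command line bypasses the search, since the absolute path ends up compiled in and must exist on the run-time host — this matters for cross and container builds.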
@@ -65,6 +73,12 @@ AC_MSG_RESULT([$OPEN_ZFILE])
 AM_CONDITIONAL(COMPRESSED_PIXMAPS, test "x$OPEN_ZFILE" = "xyes")
 if test x$OPEN_ZFILE = xno ; then
 AC_DEFINE(NO_ZPIPE, 1, [Define to 1 to disable decompression via pipes])
+else
+ XPM_PATH_PROG([XPM_PATH_COMPRESS], [compress])
+ XPM_PATH_PROG([XPM_PATH_UNCOMPRESS], [uncompress])
+ XPM_PATH_PROG([XPM_PATH_GZIP], [gzip])
+ XPM_PATH_PROG([XPM_PATH_GUNZIP], [gunzip])
+ AC_CHECK_FUNCS([closefrom close_range], [break])
 fi
 
 # Optional feature: When ___.xpm is requested, also look for ___.xpm.Z & .gz
-- 
cgit v1.2.1
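Review bot: The else branch makes all four helpers a hard configure-time requirement: because XPM_PATH_PROG passes an empty fallback to AC_PATH_PROG and errors when the variable stays empty, configure now aborts on a build host that lacks `compress` or `uncompress`, whereas before (per the commit message) a missing tool only failed at run time when a .Z file was actually opened. If that is the intended policy it should be stated, since the diffstat shows only configure.ac changing and the code that consumes XPM_PATH_COMPRESS and friends is not in this patch; a comment above the else, e.g. `dnl Absolute paths for the pipe helpers, compiled in so the run-time exec never consults $PATH; preset XPM_PATH_* to override`, would tie the defines to the fix they implement and document the override for hermetic builds. The AC_CHECK_FUNCS([closefrom close_range], [break]) line is unrelated to path lookup and the hunk says nothing about what it is for; a one-line dnl naming its purpose (presumably closing inherited descriptors in the child before exec — confirm against the C side) belongs next to it.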