CVE-2022-4883: 
NixOS vulnerability analysis and mitigation

A security vulnerability (CVE-2022-4883) was discovered in libXpm, a library handling X PixMap image format. The vulnerability was disclosed on January 17, 2023. The flaw affects the library's handling of files with .Z or .gz extensions, where it calls external programs to compress and uncompress files using the PATH environment variable to locate these programs (X.Org Advisory).

When processing files with .Z or .gz extensions, libXpm versions 3.5.14 and earlier use execlp() to execute compression and decompression commands, relying on the PATH environment variable to locate these programs. This implementation creates a security risk when the library is used by programs running with elevated privileges, such as setuid programs. The vulnerability has been assigned a CVSS 3.1 base score of 8.8 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Ubuntu Security).

If exploited, this vulnerability could allow a malicious user to execute arbitrary programs with elevated privileges by manipulating the PATH environment variable. This is particularly concerning when libXpm is called from a program running with raised privileges, such as via setuid, as the attacker-controlled programs would inherit these elevated permissions (X.Org Advisory).

The vulnerability has been fixed in libXpm version 3.5.15. The fix includes changes to how external compression commands are handled and introduces a new configure option --disable-open-zfile that allows completely disabling the code to fork compression and uncompression programs. System administrators are advised to update to the patched version. Additionally, X.Org security team recommends separating code that requires privileges from the GUI to reduce the risk of such vulnerabilities (X.Org Advisory).