openEuler update for motif
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2022-44617 CVE-2022-46285 |
| CWE-ID | CWE-835 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #2 is available. |
| Vulnerable software Subscribe |
openEuler Operating systems & Components / Operating system motif-help Operating systems & Components / Operating system package or component motif-devel Operating systems & Components / Operating system package or component motif-debugsource Operating systems & Components / Operating system package or component motif-debuginfo Operating systems & Components / Operating system package or component motif Operating systems & Components / Operating system package or component |
| Vendor | openEuler |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Infinite loop
EUVDB-ID: #VU71235
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-44617
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop within the ParsePixels() function when handling XPM files with width set to 0 and a very large height value. A remote attacker can trick the victim to open a specially crafted XPM file and perform a denial of service (DoS) attack.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP4 - 24.03 LTS
motif-help: before 2.3.8-6
motif-devel: before 2.3.8-6
motif-debugsource: before 2.3.8-6
motif-debuginfo: before 2.3.8-6
motif: before 2.3.8-6
CPE2.3- cpe:2.3:o:openeuler:openeuler:22.03:LTS SP4:*:*:*:*:*:
- cpe:2.3:o:openeuler:openeuler:24.03:LTS:*:*:*:*:*:
- cpe:2.3:o:openeuler:openeuler:22.03:LTS SP3:*:*:*:*:*:
http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-2306
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Infinite loop
EUVDB-ID: #VU71234
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2022-46285
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when handling unclosed comments in XPM images within the ParseComment() function. A remote attacker can trick the victim to open a specially crafted image and cause denial of service conditions.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS SP4 - 24.03 LTS
motif-help: before 2.3.8-6
motif-devel: before 2.3.8-6
motif-debugsource: before 2.3.8-6
motif-debuginfo: before 2.3.8-6
motif: before 2.3.8-6
CPE2.3- cpe:2.3:o:openeuler:openeuler:22.03:LTS SP4:*:*:*:*:*:
- cpe:2.3:o:openeuler:openeuler:24.03:LTS:*:*:*:*:*:
- cpe:2.3:o:openeuler:openeuler:22.03:LTS SP3:*:*:*:*:*:
http://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-2306
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
