
Bug#1004689: xterm: CVE-2022-24130



On Mon, Jan 31, 2022 at 08:37:03PM +0100, Salvatore Bonaccorso wrote:
> Source: xterm
> Version: 370-1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for xterm.
> 
> CVE-2022-24130[0]:
> | xterm through Patch 370, when Sixel support is enabled, allows
> | attackers to trigger a buffer overflow in set_sixel in
> | graphics_sixel.c via crafted text.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

changelog as usual reflects the actual report, not a succession of
secondhand information.

I applied a fix for the issue yesterday, which will be in #371.
For backports, do as suggested here:

http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/x11/xterm/patches/patch-graphics__sixel.c

derived from

https://github.com/ThomasDickey/xterm-snapshots/blob/master/graphics_sixel.c

-- 
Thomas E. Dickey <dickey@invisible-island.net>
https://invisible-island.net
ftp://ftp.invisible-island.net
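The advisory quoted above describes an out-of-bounds write in the Sixel decoder's pixel-setting routine. As an added illustration, not xterm's code and not the patch linked above, the following C program models a simplified Sixel raster in which every pixel write is checked against the image's actual width and height, so a data stream that addresses rows or columns past the allocated buffer is clipped instead of written out of bounds. The type and function names (sixel_raster, raster_set_pixel, raster_put_sixel, raster_draw) are assumptions, the sample data is constructed, and the decoder handles only the six-bit data bytes plus '-' (next band) and '$' (carriage return), not the full Sixel grammar.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical raster type; not the structure xterm uses. */
typedef struct {
    size_t actual_width;
    size_t actual_height;
    uint8_t *pixels;   /* actual_width * actual_height bytes, row-major */
} sixel_raster;

/* Allocate a zeroed raster; NULL on zero size, size overflow or allocation failure. */
static sixel_raster *raster_new(size_t w, size_t h) {
    if (w == 0 || h == 0 || w > SIZE_MAX / h) return NULL;
    sixel_raster *r = calloc(1, sizeof *r);
    if (r == NULL) return NULL;
    r->pixels = calloc(w * h, 1);
    if (r->pixels == NULL) { free(r); return NULL; }
    r->actual_width = w;
    r->actual_height = h;
    return r;
}

static void raster_free(sixel_raster *r) {
    if (r != NULL) { free(r->pixels); free(r); }
}

/* Bounds-checked pixel write: refuses coordinates outside the allocated image
 * instead of indexing past the buffer. Returns true only when a pixel was set. */
static bool raster_set_pixel(sixel_raster *r, size_t row, size_t col, uint8_t color) {
    if (r == NULL || r->pixels == NULL) return false;
    if (row >= r->actual_height || col >= r->actual_width) return false;
    r->pixels[row * r->actual_width + col] = color;
    return true;
}

/* Apply one Sixel data byte: ch in '?'..'~' encodes six vertical pixels
 * (bit 0 = top) in column col starting at base_row. Returns the number of
 * pixels actually set (bits falling outside the raster are dropped), or -1
 * for a byte that is not Sixel data. */
static int raster_put_sixel(sixel_raster *r, size_t base_row, size_t col,
                            unsigned char ch, uint8_t color) {
    if (ch < '?' || ch > '~') return -1;
    unsigned bits = ch - '?';
    int set = 0;
    for (unsigned i = 0; i < 6; i++) {
        if ((bits & (1u << i)) && raster_set_pixel(r, base_row + i, col, color)) set++;
    }
    return set;
}

/* Decode a constructed stream of data bytes, '-' (advance six rows) and '$'
 * (return to column 0). Returns the total number of pixels set. */
static int raster_draw(sixel_raster *r, const char *data, uint8_t color) {
    size_t row = 0, col = 0;
    int total = 0;
    for (const char *p = data; *p != '\0'; p++) {
        if (*p == '-') { row += 6; col = 0; }
        else if (*p == '$') { col = 0; }
        else {
            int n = raster_put_sixel(r, row, col, (unsigned char)*p, color);
            if (n > 0) total += n;
            col++;
        }
    }
    return total;
}

/* Read a pixel; -1 when the coordinates are out of range. */
static int raster_get_pixel(const sixel_raster *r, size_t row, size_t col) {
    if (r == NULL || row >= r->actual_height || col >= r->actual_width) return -1;
    return r->pixels[row * r->actual_width + col];
}

/* Demonstration on a 4x8 raster: the stream addresses six columns in a
 * four-wide image and a third band starting at row 12 of an eight-row image.
 * Both overruns are clipped; 24 + 8 + 0 = 32 pixels are set. */
static int demo(void) {
    sixel_raster *r = raster_new(4, 8);
    if (r == NULL) return -1;
    int n = raster_draw(r, "~~~~~~-~~~~-~~", 1);
    raster_free(r);
    return n;
}
```

The design point is that the check lives in the single function that touches the pixel array, so every caller (per-byte decoding, repeat counts, colour fills) inherits it; a decoder that checks only the declared image size in the raster-attributes header, but not the coordinates reached by the data bytes, still lets crafted input walk past the buffer.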
