
Bug#1004689: marked as done (xterm: CVE-2022-24130)



Your message dated Sun, 13 Feb 2022 22:03:46 +0000
with message-id <E1nJMyA-000F2a-L8@fasolo.debian.org>
and subject line Bug#1004689: fixed in xterm 344-1+deb10u2
has caused the Debian Bug report #1004689,
regarding xterm: CVE-2022-24130
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1004689: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004689
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: xterm
Version: 370-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for xterm.

CVE-2022-24130[0]:
| xterm through Patch 370, when Sixel support is enabled, allows
| attackers to trigger a buffer overflow in set_sixel in
| graphics_sixel.c via crafted text.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24130
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24130
[1] https://www.openwall.com/lists/oss-security/2022/01/30/2
[3] https://www.openwall.com/lists/oss-security/2022/01/30/3

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: xterm
Source-Version: 344-1+deb10u2
Done: Sven Joachim <svenjoac@gmx.de>

We believe that the bug you reported is fixed in the latest version of
xterm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1004689@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sven Joachim <svenjoac@gmx.de> (supplier of updated xterm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 07 Feb 2022 20:05:11 +0100
Source: xterm
Architecture: source
Version: 344-1+deb10u2
Distribution: buster
Urgency: medium
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Sven Joachim <svenjoac@gmx.de>
Closes: 1004689
Changes:
 xterm (344-1+deb10u2) buster; urgency=medium
 .
   * Cherry-pick sixel graphics fixes from xterm 370d and 370f.
     - Check for out-of-bounds condition while drawing sixels, and quit
       that operation (report by Nick Black (CVE-2022-24130),
       Closes: #1004689).


--- End Message ---
