
Bug#1004689: marked as done (xterm: CVE-2022-24130)



Your message dated Sun, 13 Feb 2022 22:32:42 +0000
with message-id <E1nJNQA-000077-AM@fasolo.debian.org>
and subject line Bug#1004689: fixed in xterm 366-1+deb11u1
has caused the Debian Bug report #1004689,
regarding xterm: CVE-2022-24130
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1004689: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004689
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: xterm
Version: 370-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for xterm.

CVE-2022-24130[0]:
| xterm through Patch 370, when Sixel support is enabled, allows
| attackers to trigger a buffer overflow in set_sixel in
| graphics_sixel.c via crafted text.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24130
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24130
[1] https://www.openwall.com/lists/oss-security/2022/01/30/2
[3] https://www.openwall.com/lists/oss-security/2022/01/30/3

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: xterm
Source-Version: 366-1+deb11u1
Done: Sven Joachim <svenjoac@gmx.de>

We believe that the bug you reported is fixed in the latest version of
xterm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1004689@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sven Joachim <svenjoac@gmx.de> (supplier of updated xterm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 07 Feb 2022 20:14:01 +0100
Source: xterm
Architecture: source
Version: 366-1+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Sven Joachim <svenjoac@gmx.de>
Closes: 1004689
Changes:
 xterm (366-1+deb11u1) bullseye; urgency=medium
 .
   * Cherry-pick sixel graphics fixes from xterm 370d and 370f.
     - Check for out-of-bounds condition while drawing sixels, and quit
       that operation (report by Nick Black (CVE-2022-24130),
       Closes: #1004689).
Checksums-Sha1:
 f1d18a8433b02e5cb2d7d35090ece71224a36d96 2481 xterm_366-1+deb11u1.dsc
 80b3addac434c6a42f4ca7f0a96a66ee36cb2e50 113644 xterm_366-1+deb11u1.debian.tar.xz
 95661743cadfe7766e55d5b0a8f5f0e0bed309d2 7879 xterm_366-1+deb11u1_source.buildinfo
Checksums-Sha256:
 41940c1a8e786b5944ec6f0f8aa7c8e7b97b491df923a4f1ab049b14a2bb95e3 2481 xterm_366-1+deb11u1.dsc
 629110096351c84330d476d63934b3e36f97e1c7fe6334f2f2a07cc5bfaefeec 113644 xterm_366-1+deb11u1.debian.tar.xz
 470c5c9af641c4c814067b77b8e5cb67817bc470a4e093307ea8a926d5303431 7879 xterm_366-1+deb11u1_source.buildinfo
Files:
 dac73f0baae0af3762681774e7a6e420 2481 x11 optional xterm_366-1+deb11u1.dsc
 a01b29755d2ad70d825923a0e9ea7a0a 113644 x11 optional xterm_366-1+deb11u1.debian.tar.xz
 44fced7d57ebbd1ec65a308540a3ca91 7879 x11 optional xterm_366-1+deb11u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
