On Mon, Aug 11, 2025 at 02:31:59AM +0200, Vincent Lefevre wrote:
> On 2025-08-10 19:55:33 -0400, Thomas Dickey wrote:
> > On Sun, Aug 10, 2025 at 07:37:18PM -0400, Thomas Dickey wrote:
> > > On Mon, Aug 11, 2025 at 01:09:26AM +0200, Vincent Lefevre wrote:
> > > > Package: xterm
> > > > Version: 398-1
> > > > Severity: important
> > > > Tags: security upstream
> > > > X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
> > > >
> > > > I've just noticed that it is very easy to make xterm crash with
> > > > some binary data:
> > > >
> > > > /usr/bin/xterm -e 'printf "\x9a\x85\x08"; sleep 2'
> > >
> > > It's not so easy (I don't see it breaking for me, and I don't see
> > > an issue using asan2 or valgrind, in a recompile).
>
> See my other messages about the needed settings.

I didn't notice that. However...

> > ...that was with Debian/testing and 13. Actually current xterm is #401.
>
> I was actually using xterm #401 for the initial crash, but I had to
> go back to #398 for the backtrace with the symbols (#401 is just in
> experimental, where xterm-dbgsym is not available).
>
> I've just upgraded to #401 again. Now
>
> /usr/bin/xterm -e 'printf "\x9a\x85\x08"; sleep 2'
>
> no longer crashes (ditto with -k8 and +k8). But
>
> /usr/bin/xterm -e 'printf "\eZ\n\x08"; sleep 2'
>
> still crashes.

Then it's a bug in reverseWrap (not related to allowC1Printable).

Sure, it's a bug,

    reverseWrap (class ReverseWrap)
        Specifies whether or not reverse-wraparound should be enabled.
        This corresponds to xterm's private mode 45. The default is
        “false”.

but it doesn't meet the criteria for "severity important":

    important
        a bug which has a major effect on the usability of a package,
        without rendering it completely unusable to everyone.

(the problem appears to be an incomplete fix for private mode 1045)

--
Thomas E. Dickey <dickey@invisible-island.net>
https://invisible-island.net