
Bug#1110769: marked as done (xterm: segfault in ScrnWriteText with reverseWrap set)



Your message dated Mon, 22 Sep 2025 17:46:25 +0000
with message-id <E1v0kcL-00FNYC-35@fasolo.debian.org>
and subject line Bug#1110769: fixed in xterm 402-1
has caused the Debian Bug report #1110769,
regarding xterm: segfault in ScrnWriteText with reverseWrap set
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1110769: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110769
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: xterm
Version: 398-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

I've just noticed that it is very easy to make xterm crash with
some binary data:

  /usr/bin/xterm -e 'printf "\x9a\x85\x08"; sleep 2'

The backtrace:

$ gdb /usr/bin/xterm core.2173502
[...]
Core was generated by `/usr/bin/xterm -e printf\ \"\\x9a\\x85\\x08\"\;\ sleep\ 2'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  ScrnWriteText (xw=xw@entry=0x7f64cb324010, offset=offset@entry=0, 
    length=length@entry=36, flags=flags@entry=393216, cur_fg_bg=...)
    at ../screen.c:925
 
warning: 925    ../screen.c: No such file or directory
(gdb) bt
#0  ScrnWriteText (xw=xw@entry=0x7f64cb324010, offset=offset@entry=0, 
    length=length@entry=36, flags=flags@entry=393216, cur_fg_bg=...)
    at ../screen.c:925
#1  0x000055a713b46734 in WriteText (xw=xw@entry=0x7f64cb324010, offset=0, 
    length=length@entry=36) at ../util.c:1201
#2  0x000055a713aeb157 in dotext (xw=xw@entry=0x7f64cb324010, 
    charset=<optimized out>, buf=0x55a714df7d40, len=36) at ../charproc.c:7128
#3  0x000055a713af30af in doparsing (xw=xw@entry=0x7f64cb324010, c=99, 
    sp=<optimized out>) at ../charproc.c:3376
#4  0x000055a713afbe54 in VTparse (xw=xw@entry=0x7f64cb324010)
    at ../charproc.c:6471
#5  0x000055a713afc0a9 in VTRun (xw=0x7f64cb324010) at ../charproc.c:9593
#6  0x000055a713adbb0a in main (argc=<optimized out>, argv=<optimized out>)
    at ../main.c:3113

An attacker could make an xterm crash by providing such a sequence
in a text file. It is generally a bad idea to cat untrusted and
unfiltered data to a terminal, but here, the sequence is so simple
that it could pass through. Or it could be a mistake, as I've just
done (I forgot to remove "-o -" from arguments); this was on several
hundreds of KB of binary data, and I could reduce the testcase to
just 3 bytes.

-- System Information:
Debian Release: 13.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-security'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.7.12-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages xterm depends on:
ii  libc6           2.41-12
ii  libfontconfig1  2.15.0-2.3
ii  libfreetype6    2.13.3+dfsg-1
ii  libice6         2:1.1.1-1
ii  libtinfo6       6.5+20250216-2
ii  libutempter0    1.2.1-4
ii  libx11-6        2:1.8.12-1
ii  libxaw7         2:1.0.16-1
ii  libxext6        2:1.3.4-1+b3
ii  libxft2         2.3.6-1+b4
ii  libxinerama1    2:1.1.4-3+b4
ii  libxmu6         2:1.1.3-3+b4
ii  libxpm4         1:3.5.17-1+b3
ii  libxt6t64       1:1.2.1-1.2+b2
ii  xbitmaps        1.1.1-2.2

Versions of packages xterm recommends:
ii  luit [luit]  2.0.20240910-1
ii  x11-utils    7.7+7

Versions of packages xterm suggests:
pn  xfonts-cyrillic  <none>

-- no debconf information

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)

--- End Message ---
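
The report's point about unfiltered data reaching a terminal, as an added example (not part of the bug report or of xterm): a filter that escapes control bytes and undecodable bytes before untrusted data is displayed, checked against the 3-byte testcase above. The function name `sanitize` is hypothetical and UTF-8 input is assumed.

```python
import sys

# Tab and newline are the only control characters passed through unchanged.
KEEP = {0x09, 0x0A}


def sanitize(data: bytes) -> str:
    """Return text that is safe to print: every control character and every
    byte that is not valid UTF-8 is replaced by a visible escape."""
    out = []
    # surrogateescape maps each undecodable byte 0xNN to U+DC00 + 0xNN,
    # so invalid input is preserved byte for byte instead of raising.
    for ch in data.decode("utf-8", errors="surrogateescape"):
        cp = ord(ch)
        if 0xDC80 <= cp <= 0xDCFF:        # invalid UTF-8 byte, e.g. a raw 0x9a
            out.append(f"\\x{cp - 0xDC00:02x}")
        elif cp in KEEP:
            out.append(ch)
        elif cp < 0x20 or cp == 0x7F:      # C0 controls (ESC, BS, ...) and DEL
            out.append(f"\\x{cp:02x}")
        elif 0x80 <= cp <= 0x9F:           # C1 controls sent as valid UTF-8
            out.append(f"\\u{cp:04x}")
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Use as a filter: some-command | python3 this_file.py
    sys.stdout.write(sanitize(sys.stdin.buffer.read()))
```

Piping data through the filter shows the testcase as the literal text `\x9a\x85\x08` instead of handing the raw bytes to the terminal's parser.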
--- Begin Message ---
Source: xterm
Source-Version: 402-1
Done: Sven Joachim <svenjoac@gmx.de>

We believe that the bug you reported is fixed in the latest version of
xterm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1110769@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sven Joachim <svenjoac@gmx.de> (supplier of updated xterm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 22 Sep 2025 19:07:08 +0200
Source: xterm
Architecture: source
Version: 402-1
Distribution: unstable
Urgency: medium
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Sven Joachim <svenjoac@gmx.de>
Closes: 1110769
Changes:
 xterm (402-1) unstable; urgency=medium
 .
   * New upstream release.
     - Add a null-pointer check in ScrnWriteText (Closes: #1110769).
   * Refresh Debian patches.
   * Update copy of XTerm FAQ to revision 1.432 (dated 2025/04/07).



--- End Message ---
