Bug#1004689: Bug #1004689: xterm: CVE-2022-24130
On 2022-02-07 14:44 -0500, Chris Frey wrote:
> Just curious why this bug is marked high priority for stretch but
> low priority for buster and bullseye?
>
> https://tracker.debian.org/pkg/xterm
>
> Is there something different in their builds?

No, not really. The security team has decided not to issue a DSA for the problem, so it will need to be fixed in a point release; I am preparing uploads to bullseye and buster. Debian stretch is maintained by the LTS team, and there are no point releases anymore, so all uploads go through the security archive.

The same already happened for #982439 aka CVE-2021-27135.

Hope this explains the discrepancy.

Cheers,
Sven
Bug#1004689: Bug #1004689: xterm: CVE-2022-24130
Just curious why this bug is marked high priority for stretch but low priority for buster and bullseye?

https://tracker.debian.org/pkg/xterm

Is there something different in their builds?

Thanks,
- Chris
Bug#1004689: xterm: CVE-2022-24130
On Mon, Jan 31, 2022 at 08:37:03PM +0100, Salvatore Bonaccorso wrote:
> Source: xterm
> Version: 370-1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
>
> Hi,
>
> The following vulnerability was published for xterm.
>
> CVE-2022-24130[0]:
> | xterm through Patch 370, when Sixel support is enabled, allows
> | attackers to trigger a buffer overflow in set_sixel in
> | graphics_sixel.c via crafted text.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Changelog as usual reflects the actual report, not a succession of secondhand information.

I applied a fix for the issue yesterday, which will be in #371.

For backports, do as suggested here:

http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/x11/xterm/patches/patch-graphics__sixel.c

derived from

https://github.com/ThomasDickey/xterm-snapshots/blob/master/graphics_sixel.c

--
Thomas E. Dickey
https://invisible-island.net
ftp://ftp.invisible-island.net
Bug#1004689: xterm: CVE-2022-24130
Source: xterm
Version: 370-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for xterm.

CVE-2022-24130[0]:
| xterm through Patch 370, when Sixel support is enabled, allows
| attackers to trigger a buffer overflow in set_sixel in
| graphics_sixel.c via crafted text.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24130
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24130
[1] https://www.openwall.com/lists/oss-security/2022/01/30/2
[3] https://www.openwall.com/lists/oss-security/2022/01/30/3

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
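The report above names the defect class only in one line: a sixel pixel setter that can be driven past its buffer by crafted text. The following is an added illustration, not xterm's graphics_sixel.c nor the NetBSD backport patch, of the bounds check such a setter needs. It renders a small subset of the sixel data stream (data characters, `$`, `-`, and the `!<n>` repeat introducer) into a fixed-size bitmap; the names `bitmap_init`, `set_pixel`, `sixel_render` and the two counting wrappers are hypothetical, and the inputs in `main` are constructed to walk off the right edge, below the bottom, and through an oversized repeat count.

```c
#include <stdio.h>
#include <string.h>

#define MAX_W 64   /* backing-array bounds; the declared size may be smaller */
#define MAX_H 24

struct bitmap {
    int width, height;               /* declared image size, <= MAX_W/MAX_H */
    unsigned char px[MAX_H][MAX_W];  /* 1 = pixel set */
    long rejected;                   /* writes refused by the bounds check */
};

/* Reject sizes the backing array cannot hold, so width/height can be trusted
 * as bounds by every later write. Returns 1 on success, 0 if refused. */
static int bitmap_init(struct bitmap *bm, int width, int height)
{
    if (width <= 0 || height <= 0 || width > MAX_W || height > MAX_H)
        return 0;
    memset(bm, 0, sizeof *bm);
    bm->width = width;
    bm->height = height;
    return 1;
}

/* The check a pixel setter needs: both coordinates validated against the
 * declared size before the store. Returns 1 if written, 0 if refused. */
static int set_pixel(struct bitmap *bm, int row, int col)
{
    if (row < 0 || col < 0 || row >= bm->height || col >= bm->width) {
        bm->rejected++;
        return 0;
    }
    bm->px[row][col] = 1;
    return 1;
}

/* Render a sixel data stream (subset: '?'..'~' data characters, '$' carriage
 * return, '-' next band of six rows, '!<n>' repeat). Returns the number of
 * pixels written; a stream that walks off the bitmap only raises the
 * rejection counter, it never reaches memory outside px[]. */
static long sixel_render(struct bitmap *bm, const char *s)
{
    long written = 0;
    int row = 0, col = 0, repeat = 1;

    for (; *s; s++) {
        if (*s == '$') { col = 0; continue; }
        if (*s == '-') { row += 6; col = 0; continue; }
        if (*s == '!') {
            /* repeat introducer: a decimal count, then one data character */
            repeat = 0;
            for (s++; *s >= '0' && *s <= '9'; s++)
                if (repeat < 1000000)         /* cap what the stream can request */
                    repeat = repeat * 10 + (*s - '0');
            s--;                              /* outer loop advances to the data char */
            if (repeat <= 0) repeat = 1;
            continue;
        }
        if (*s >= '?' && *s <= '~') {
            int bits = *s - '?';              /* six vertical pixels, LSB on top */
            while (repeat-- > 0) {
                for (int b = 0; b < 6; b++)
                    if (bits & (1 << b))
                        written += set_pixel(bm, row + b, col);
                col++;
            }
            repeat = 1;
        }
        /* other characters (colour introducers etc.) are ignored in this subset */
    }
    return written;
}

/* Wrappers for checking one stream against a given bitmap size; -1 = bad size. */
static long sixel_count_written(int w, int h, const char *s)
{
    struct bitmap bm;
    if (!bitmap_init(&bm, w, h)) return -1;
    return sixel_render(&bm, s);
}

static long sixel_count_rejected(int w, int h, const char *s)
{
    struct bitmap bm;
    if (!bitmap_init(&bm, w, h)) return -1;
    sixel_render(&bm, s);
    return bm.rejected;
}

int main(void)
{
    /* constructed inputs against an 8x6 bitmap */
    const char *inputs[] = { "~~~~", "~~~~~~~~~~", "-~", "!20~" };
    for (int i = 0; i < 4; i++)
        printf("%-12s %3ld written, %3ld rejected\n", inputs[i],
               sixel_count_written(8, 6, inputs[i]),
               sixel_count_rejected(8, 6, inputs[i]));
    return 0;
}
```

The design point is that `sixel_render` never indexes `px[]` itself: every store goes through `set_pixel`, and the declared size it checks against was itself validated in `bitmap_init`, so the parser can track coordinates freely while the single checked store is the only place memory is touched. Refusing rather than clamping also gives a counter to alert on if a terminal wants to log malformed graphics input.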