Bug 28391

Summary:	xterm new security issue CVE-2021-27135
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	critical
Priority:	Normal	CC:	andrewsfarm, mageia, ouaurelien, sysadmin-bugs, tarazed25
Version:	8	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
URL:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27135
See Also:	https://bugs.mageia.org/show_bug.cgi?id=28390
Whiteboard:	MGA7TOO MGA7-64-OK MGA8-64-OK
Source RPM:	xterm-363-1.mga8.src.rpm	CVE:	CVE-2021-27135
Status comment:

Description David Walser 2021-02-20 18:52:34 CET

CVE-2021-27135 has been assigned for a security issue discussed in this thread:
https://www.openwall.com/lists/oss-security/2021/02/10/7

The issue has been fixed upstream in 366:
https://invisible-island.net/xterm/xterm.log.html#xterm_366

Mageia 7 and Mageia 8 are also affected.

David Walser 2021-02-20 18:52:52 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=28390
Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 366

Comment 1 David Walser 2021-02-20 19:19:44 CET

RedHat has issued an advisory for this on February 18:
https://access.redhat.com/errata/RHSA-2021:0611

Severity: normal => critical

Comment 2 Lewis Smith 2021-02-20 20:15:56 CET

Assigning to you Shlomi because you did several new versions recently. Bounce it if you are not happy about this.

Assignee: bugsquad => shlomif

Comment 3 Aurelien Oudelet 2021-02-20 20:49:44 CET

Sorry, Rindolf is no longer a Mageia's packager.
Assigning to all packagers.

CC: (none) => ouaurelien
Assignee: shlomif => pkg-bugs

Comment 4 David Walser 2021-02-26 17:19:34 CET

Debian-LTS has issued an advisory for this on February 13:
https://www.debian.org/lts/security/2021/dla-2558

Comment 5 David Walser 2021-02-26 19:34:37 CET

Ubuntu has issued an advisory for this on February 24:
https://ubuntu.com/security/notices/USN-4746-1

Comment 6 David Walser 2021-02-27 20:22:37 CET

Fedora has issued an advisory for this on February 26:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/35LK2ZXEIJUOGOA7FV2TJL3L6LFJ4X5S/

Comment 7 Nicolas Lécureuil 2021-02-27 23:15:32 CET

fixed in mga7/8

src:

   - xterm-344-1.1.mga7
   - xterm-363-1.1.mga8

Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 366 => (none)
CC: (none) => mageia

David Walser 2021-02-27 23:42:13 CET

Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

Comment 8 Manuel Hiebel 2021-02-28 19:44:20 CET

mga8, no issue

Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK

Comment 9 Len Lawrence 2021-02-28 20:26:11 CET

mga7, x64

Before update tried typing special characters generated by combining AltGrey-Control and AltGrey-Shift with a number/letter key and found no problem.  Also tried cut-and-paste from a special character table.

Updated xterm and repeated the tests.  No regressions.

Whiteboard: MGA7TOO MGA8-64-OK => MGA7-64-OK MGA8-64-OK
CC: (none) => tarazed25

Comment 10 Aurelien Oudelet 2021-02-28 22:50:17 CET

We must leave MGA7TOO untouched in whiteboard to have http://madb.mageia.org/tools/updates/application/ displaying correctly updates for Mageia 7 and Mageia 8.

Whiteboard: MGA7-64-OK MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 11 Len Lawrence 2021-03-01 01:11:03 CET

Thanks for the correction Aurelien.

Comment 12 Thomas Andrews 2021-03-01 14:40:39 CET

Thank you, Gentlemen. Validating. I don't see any advisory information other than the links from other distros.

CC: (none) => andrewsfarm

Thomas Andrews 2021-03-01 14:43:19 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 13 Aurelien Oudelet 2021-03-01 15:15:51 CET Comment hidden (obsolete)

Advisory:
========================

Updated xterm package fixes security vulnerability:

xterm through Patch #365 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted UTF-8 character sequence. (CVE-2021-27135).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27135
https://ubuntu.com/security/notices/USN-4746-1
https://www.debian.org/lts/security/2021/dla-2558
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/35LK2ZXEIJUOGOA7FV2TJL3L6LFJ4X5S/
========================

Updated packages in core/updates_testing:
========================
xterm-344-1.1.mga7
from SRMP .src.rpm

And:
xterm-363-1.1.mga8
from SRPM xterm-363-1.1.mga8.src.rpm

URL: (none) => https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27135
Keywords: (none) => advisory
CVE: (none) => CVE-2021-27135

Comment 14 Aurelien Oudelet 2021-03-01 16:17:58 CET

Fixing a typo.

Advisory:
========================

Updated xterm package fixes security vulnerability:

xterm through Patch #365 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted UTF-8 character sequence. (CVE-2021-27135).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27135
https://ubuntu.com/security/notices/USN-4746-1
https://www.debian.org/lts/security/2021/dla-2558
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/35LK2ZXEIJUOGOA7FV2TJL3L6LFJ4X5S/
========================

Updated packages in core/updates_testing:
========================
xterm-344-1.1.mga7
from SRMP xterm-344-1.1.mga7.src.rpm

And:
xterm-363-1.1.mga8
from SRPM xterm-363-1.1.mga8.src.rpm

Comment 15 Mageia Robot 2021-03-02 23:35:19 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0094.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED