Bug 29975

Summary: xterm new security issue CVE-2022-24130
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: xterm-363-1.1.mga8.src.rpm CVE: CVE-2022-24130
Status comment:

Description David Walser 2022-01-31 14:40:51 CET 
A CVE has been assigned for a security issue described in this thread:
https://www.openwall.com/lists/oss-security/2022/01/31/1

I don't believe a fix is available yet.

Mageia 8 is also affected.
David Walser 2022-01-31 14:40:59 CET

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-01-31 20:47:03 CET 
No consistent committer for this pkg, so have to assign the bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-02-04 09:10:47 CET 
Suggested advisory:
========================

The updated package fixes a security vulnerability:

xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text. (CVE-2022-24130)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24130
https://www.openwall.com/lists/oss-security/2022/01/31/1
========================

Updated package in core/updates_testing:
========================
xterm-363-1.2.mga8

from SRPM:
xterm-363-1.2.mga8.src.rpm

CC: (none) => nicolas.salguero
CVE: (none) => CVE-2022-24130
Status: NEW => ASSIGNED
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Assignee: pkg-bugs => qa-bugs
Source RPM: xterm-368-1.mga9.src.rpm => xterm-363-1.1.mga8.src.rpm

Comment 3 Thomas Andrews 2022-02-05 01:10:30 CET 
Tested in a VirtualBox Plasma guest. Installed xterm and a dependency, no installation issues.

Ran xterm, tried a few commands - launched Firefox and vlc, launched MCC (which asked for the root password). Switched to root, ran systemctl status, then journalctl -ab, then tried MCC again. No issues at all.

This looks good. Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2022-02-05 19:36:15 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2022-02-05 21:24:17 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0051.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 5 David Walser 2022-02-08 22:16:24 CET 
Debian-LTS has issued an advisory for this on February 7:
https://www.debian.org/lts/security/2022/dla-2913