Bug 29975 - xterm new security issue CVE-2022-24130
Summary: xterm new security issue CVE-2022-24130
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All / OS: Linux
Priority: Normal / Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-01-31 14:40 CET by David Walser
Modified: 2022-02-08 22:16 CET
CC List: 4 users

See Also:
Source RPM: xterm-363-1.1.mga8.src.rpm
CVE: CVE-2022-24130
Status comment:



Description David Walser 2022-01-31 14:40:51 CET
A CVE has been assigned for a security issue described in this thread:
https://www.openwall.com/lists/oss-security/2022/01/31/1

I don't believe a fix is available yet.

Mageia 8 is also affected.
David Walser 2022-01-31 14:40:59 CET

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-01-31 20:47:03 CET
No consistent committer for this pkg, so have to assign the bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-02-04 09:10:47 CET
Suggested advisory:
========================

The updated package fixes a security vulnerability:

xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text. (CVE-2022-24130)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24130
https://www.openwall.com/lists/oss-security/2022/01/31/1
========================

Updated package in core/updates_testing:
========================
xterm-363-1.2.mga8

from SRPM:
xterm-363-1.2.mga8.src.rpm

CC: (none) => nicolas.salguero
CVE: (none) => CVE-2022-24130
Status: NEW => ASSIGNED
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Assignee: pkg-bugs => qa-bugs
Source RPM: xterm-368-1.mga9.src.rpm => xterm-363-1.1.mga8.src.rpm
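
As an added check, not taken from the bug report or from Mageia's own packaging tooling, the script below decides whether an installed xterm package on Mageia 8 is at or past the fixed release named in the advisory (xterm-363-1.2.mga8). It re-implements rpm's rpmvercmp ordering rather than shelling out to rpm, so it runs offline; the `rpm -q` output it parses is a constructed sample, the package epoch is assumed to be equal on both sides (the page lists none), and rpm's newer `^` separator is treated as a plain separator. A package whose release tag is not `.mga8` is reported as unknown, since the Mageia 8 fixed release says nothing about other distribution releases.

```python
"""Check an installed xterm NVR against the CVE-2022-24130 fixed release on
Mageia 8 (xterm-363-1.2.mga8, from comment 2 of the bug). Added example code,
not part of the bug report. Epoch is assumed equal; '^' is treated as a
separator rather than with rpm's special pre-release semantics."""
import re

FIXED_VR = "363-1.2.mga8"   # version-release that carries the fix (Mageia 8)
DIST_TAG = ".mga8"          # the advisory only covers Mageia 8 packages


def _is_alnum(c: str) -> bool:
    return c.isascii() and c.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm's rpmvercmp() does.

    Returns 1 if a is newer, -1 if older, 0 if equal.  Segments are compared
    numerically when both are digits and lexically when both are letters; a
    numeric segment beats an alphabetic one; a longer string with the same
    prefix is newer; '~' sorts before anything, including end of string.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators are anything that is neither alphanumeric nor '~'.
        while i < len(a) and not (_is_alnum(a[i]) or a[i] == "~"):
            i += 1
        while j < len(b) and not (_is_alnum(b[j]) or b[j] == "~"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1          # only b has '~' here, so b is the pre-release
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take one segment of the same type (digits or letters) from each side.
        if a[i].isdigit():
            pattern, numeric = r"[0-9]+", True
        else:
            pattern, numeric = r"[A-Za-z]+", False
        seg_a = re.match(pattern, a[i:]).group(0)
        m_b = re.match(pattern, b[j:])
        if m_b is None:
            return 1 if numeric else -1   # type mismatch: digits beat letters
        seg_b = m_b.group(0)
        i += len(seg_a)
        j += len(seg_b)
        if numeric:
            na, nb = int(seg_a), int(seg_b)
            if na != nb:
                return 1 if na > nb else -1
        elif seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if j >= len(b) else -1      # whichever side has content left is newer


def vr_cmp(x: str, y: str) -> int:
    """Compare two 'version-release' strings: version first, then release."""
    vx, rx = x.rsplit("-", 1)
    vy, ry = y.rsplit("-", 1)
    return rpmvercmp(vx, vy) or rpmvercmp(rx, ry)


def verdict(nvr: str, fixed_vr: str = FIXED_VR) -> str:
    """Classify one 'name-version-release' line: 'fixed', 'vulnerable' or
    'unknown-release' (not an xterm package, or not a Mageia 8 build)."""
    name, version, release = nvr.rsplit("-", 2)
    if name != "xterm" or not release.endswith(DIST_TAG):
        return "unknown-release"
    return "fixed" if vr_cmp(f"{version}-{release}", fixed_vr) >= 0 else "vulnerable"


# Constructed sample of:  rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' xterm
# (three hypothetical hosts' answers concatenated; not real query output)
SAMPLE_RPM_OUTPUT = """xterm-363-1.1.mga8
xterm-363-1.2.mga8
xterm-368-1.mga9
"""


def check_output(text: str) -> dict:
    """Map each NVR line of rpm -q output to its verdict."""
    return {line: verdict(line) for line in text.split() if line}


if __name__ == "__main__":
    for pkg, state in check_output(SAMPLE_RPM_OUTPUT).items():
        print(f"{pkg}: {state}")
```

On a real host, feed the output of the `rpm -q` query shown in the comment to `check_output()`; the same `rpmvercmp()` can be reused for any other advisory by changing `FIXED_VR` and `DIST_TAG`.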

Comment 3 Thomas Andrews 2022-02-05 01:10:30 CET
Tested in a VirtualBox Plasma guest. Installed xterm and a dependency, no installation issues.

Ran xterm, tried a few commands - launched Firefox and vlc, launched MCC (which asked for the root password). Switched to root, ran systemctl status, then journalctl -ab, then tried MCC again. No issues at all.

This looks good. Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2022-02-05 19:36:15 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2022-02-05 21:24:17 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0051.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 5 David Walser 2022-02-08 22:16:24 CET
Debian-LTS has issued an advisory for this on February 7:
https://www.debian.org/lts/security/2022/dla-2913
