A CVE has been assigned for a security issue described in this thread: https://www.openwall.com/lists/oss-security/2022/01/31/1 I don't believe a fix is available yet. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
No consistent committer for this pkg, so have to assign the bug globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated package fixes a security vulnerability:

xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text. (CVE-2022-24130)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24130
https://www.openwall.com/lists/oss-security/2022/01/31/1
========================

Updated package in core/updates_testing:
========================

xterm-363-1.2.mga8

from SRPM:
xterm-363-1.2.mga8.src.rpm
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2022-24130
Status: NEW => ASSIGNED
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Assignee: pkg-bugs => qa-bugs
Source RPM: xterm-368-1.mga9.src.rpm => xterm-363-1.1.mga8.src.rpm
Tested in a VirtualBox Plasma guest. Installed xterm and a dependency, no installation issues. Ran xterm, tried a few commands - launched Firefox and vlc, launched MCC (which asked for the root password). Switched to root, ran systemctl status, then journalctl -ab, then tried MCC again. No issues at all. This looks good. Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0051.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Debian-LTS has issued an advisory for this on February 7: https://www.debian.org/lts/security/2022/dla-2913