Bug 31498 - tmux new security issue CVE-2022-47016
Summary: tmux new security issue CVE-2022-47016
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-02-01 18:21 CET by David Walser
Modified: 2023-03-11 20:01 CET

See Also:
Source RPM: tmux-3.1c-1.mga8.src.rpm
CVE: CVE-2022-47016
Status comment:



Description David Walser 2023-02-01 18:21:31 CET
SUSE has issued an advisory today (February 1):
https://lists.suse.com/pipermail/sle-security-updates/2023-February/013614.html

Mageia 8 is also affected.
David Walser 2023-02-01 18:22:05 CET

Status comment: (none) => Patch available from upstream
Whiteboard: (none) => MGA8TOO

Comment 2 Marja Van Waes 2023-02-04 22:21:08 CET
Assigning to our tmux maintainer.

Assignee: bugsquad => cooker
CC: (none) => marja11

Comment 3 David Walser 2023-02-07 17:08:58 CET
Ubuntu has issued an advisory for this on February 6:
https://ubuntu.com/security/notices/USN-5843-1

Severity: normal => major

Comment 4 Nicolas Salguero 2023-03-10 15:29:58 CET
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Fixed a null pointer dereference in window.c. (CVE-2022-47016)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47016
https://lists.suse.com/pipermail/sle-security-updates/2023-February/013614.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RLXFZY2LCNARDYLW75IRAC42GRUF4DMZ/
https://ubuntu.com/security/notices/USN-5843-1
========================

Updated package in core/updates_testing:
========================
tmux-3.1c-1.1.mga8

from SRPM:
tmux-3.1c-1.1.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Version: Cauldron => 8
Source RPM: tmux-3.3a-1.mga9.src.rpm => tmux-3.1c-1.mga8.src.rpm
Status comment: Patch available from upstream => (none)
Assignee: cooker => qa-bugs
CVE: (none) => CVE-2022-47016

Comment 5 Thomas Andrews 2023-03-11 00:11:19 CET
MGA8-64 Plasma session in VirtualBox: No installation issues.

Previous updates offered little help, so I sought guidance with DuckDuckGo, and found https://www.howtogeek.com/671422/how-to-use-tmux-on-linux-and-why-its-better-than-screen/

I tried several of the basic commands from the tutorial, with no issues. 

Giving this an OK, and validating. Advisory in comment 4.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-03-11 00:31:24 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2023-03-11 20:01:57 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0084.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

