Your message dated Sat, 26 Mar 2022 11:59:13 +0000
with message-id 
<c4d20274f6d76a43fb574d2177f6e3af4235e4be.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for updates in 11.3
has caused the Debian Bug report #1005232,
regarding bullseye-pu: package xterm/366-1+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1005232: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005232
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

I have uploaded xterm 366-1+deb11u1 to fix #1004689 aka CVE-2022-24130
in bullseye.

[ Reason ]
CVE-2022-24130: xterm through Patch 370, when Sixel support is enabled,
allows attackers to trigger a buffer overflow in set_sixel in
graphics_sixel.c via crafted text.

[ Impact ]
An attacker could cause xterm to crash or possibly do worse things,
e.g. by luring the victim to cat(1) a specially crafted file.  In its
default configuration xterm does not interpret Sixel graphics; the user
needs to set the decTerminalID resource to a non-standard value or
invoke xterm with the -ti switch to enable Sixel support and become
vulnerable.

[ Tests ]
I have verified that the testcase at [1] no longer causes a crash with
the attached patch.

[ Risks ]
No official upstream release has been made yet, but the issue has been
addressed in current snapshots at [2].  The patch has been taken from
there and is identical to the one that went into xterm 370-2, currently
in unstable and testing.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Cheers,
       Sven


1. https://www.openwall.com/lists/oss-security/2022/01/30/3
2. https://github.com/ThomasDickey/xterm-snapshots/

diff -Nru xterm-366/debian/changelog xterm-366/debian/changelog
--- xterm-366/debian/changelog	2021-02-11 10:31:09.000000000 +0100
+++ xterm-366/debian/changelog	2022-02-07 20:14:01.000000000 +0100
@@ -1,3 +1,12 @@
+xterm (366-1+deb11u1) bullseye; urgency=medium
+
+  * Cherry-pick sixel graphics fixes from xterm 370d and 370f.
+    - Check for out-of-bounds condition while drawing sixels, and quit
+      that operation (report by Nick Black (CVE-2022-24130),
+      Closes: #1004689).
+
+ -- Sven Joachim <svenj...@gmx.de>  Mon, 07 Feb 2022 20:14:01 +0100
+
 xterm (366-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru xterm-366/debian/patches/CVE-2022-24130.diff xterm-366/debian/patches/CVE-2022-24130.diff
--- xterm-366/debian/patches/CVE-2022-24130.diff	1970-01-01 01:00:00.000000000 +0100
+++ xterm-366/debian/patches/CVE-2022-24130.diff	2022-02-07 20:12:57.000000000 +0100
@@ -0,0 +1,73 @@
+Description: Cherry-pick sixel graphics fixes from xterm 370d and 370f
+ Check for out-of-bounds condition while drawing sixels, and quit that
+ operation (report by Nick Black, CVE-2022-24130).
+Bug-Debian: https://bugs.debian.org/1004689
+
+---
+ graphics_sixel.c |   25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+--- a/graphics_sixel.c
++++ b/graphics_sixel.c
+@@ -149,7 +149,7 @@ init_sixel_background(Graphic *graphic,
+     graphic->color_registers_used[context->background] = 1;
+ }
+ 
+-static void
++static Boolean
+ set_sixel(Graphic *graphic, SixelContext const *context, int sixel)
+ {
+     const int mh = graphic->max_height;
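Review bot: the return type of set_sixel changes from void to Boolean here, but nothing at the definition says what the value means; the only statement of the semantics (False = at least one pixel was out of bounds, so the caller should stop) is in the patch's Description header. Suggest a one-line comment above the definition, e.g. `/* Returns False if any pixel of the sixel falls outside the graphic. */`, and confirm that the two parse_sixel call sites updated in the later hunks are the only callers, since a caller that ignores the new return value still compiles silently and keeps the old behaviour.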
+@@ -170,7 +170,10 @@ set_sixel(Graphic *graphic, SixelContext
+ 	   ((color != COLOR_HOLE)
+ 	    ? (unsigned) graphic->color_registers[color].b : 0U)));
+     for (pix = 0; pix < 6; pix++) {
+-	if (context->col < mw && context->row + pix < mh) {
++	if (context->col >= 0 &&
++	    context->col < mw &&
++	    context->row + pix >= 0 &&
++	    context->row + pix < mh) {
+ 	    if (sixel & (1 << pix)) {
+ 		if (context->col + 1 > graphic->actual_width) {
+ 		    graphic->actual_width = context->col + 1;
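Review bot: the actual fix is the two new lower-bound terms, `context->col >= 0` and `context->row + pix >= 0`; the old condition tested only `col < mw` and `row + pix < mh`, so a negative column or row passed the check and was used as an index. The upper-bound comparisons are unchanged. Since this expanded condition is the single place the range is enforced, a short comment noting that col and row are signed and can legitimately be negative at this point would stop a later reader from "simplifying" the check back to the one-sided form.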
+@@ -183,8 +186,10 @@ set_sixel(Graphic *graphic, SixelContext
+ 	    }
+ 	} else {
+ 	    TRACE(("sixel pixel %d out of bounds\n", pix));
++	    return False;
+ 	}
+     }
++    return True;
+ }
+ 
+ static void
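Review bot: `return False` on the first out-of-bounds pixel changes behaviour beyond memory safety: the old loop logged the pixel and kept going, while the new one abandons the rest of the sixel. Because `context->row + pix` grows with pix, a sixel whose first rows lie above the top edge (row negative, now caught by the new lower-bound test) has in-range pixels at larger pix that are skipped together with the bad ones, so such a sixel is dropped rather than clipped. That is the safe choice, but it deserves a sentence in the patch Description. The TRACE call stays ahead of the return, so the existing diagnostic is preserved.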
+@@ -462,8 +467,12 @@ parse_sixel(XtermWidget xw, ANSI *params
+ 		init_sixel_background(graphic, &context);
+ 		graphic->valid = 1;
+ 	    }
+-	    if (sixel)
+-		set_sixel(graphic, &context, sixel);
++	    if (sixel) {
++		if (!set_sixel(graphic, &context, sixel)) {
++		    context.col = 0;
++		    break;
++		}
++	    }
+ 	    context.col++;
+ 	} else if (ch == '$') {	/* DECGCR */
+ 	    /* ignore DECCRNLM in sixel mode */
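Review bot: on failure the new code sets `context.col = 0` and then `break`s; from the visible context (the `else if (ch == '$')` sibling shows this is an if-chain inside the character-processing loop, not a switch) that break appears to leave the whole parsing loop, so the remainder of the sixel data is discarded and the image is truncated at the offending sixel. A comment stating that intent would help, because a reader could assume the image is merely clipped. The purpose of resetting col to 0 before leaving is not obvious either; if it is there for post-loop bookkeeping by the caller, say so next to the assignment.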
+@@ -531,8 +540,12 @@ parse_sixel(XtermWidget xw, ANSI *params
+ 	    if (sixel) {
+ 		int i;
+ 		for (i = 0; i < Pcount; i++) {
+-		    set_sixel(graphic, &context, sixel);
+-		    context.col++;
++		    if (set_sixel(graphic, &context, sixel)) {
++			context.col++;
++		    } else {
++			context.col = 0;
++			break;
++		    }
+ 		}
+ 	    } else {
+ 		context.col += Pcount;
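Review bot: this `break` exits only the `for (i = 0; i < Pcount; i++)` repeat loop, whereas the `break` in the previous hunk leaves the outer parsing loop, so the two call sites react differently to the same failure: a repeated sixel (DECGRI) that runs off the edge resets col to 0 and parsing continues with the next byte, while a single sixel aborts the image. Both paths are now memory-safe because set_sixel refuses the write, but if the asymmetry is intended it should be stated; otherwise the repeat path should propagate the failure to the outer loop the same way. The `else` branch's `context.col += Pcount` remains unchecked, which is acceptable only because every later write goes through the validated set_sixel.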
diff -Nru xterm-366/debian/patches/series xterm-366/debian/patches/series
--- xterm-366/debian/patches/series	2021-02-11 10:28:06.000000000 +0100
+++ xterm-366/debian/patches/series	2022-02-07 20:12:57.000000000 +0100
@@ -1,3 +1,4 @@
 900_debian_xterm.diff
 902_windowops.diff
 904_fontops.diff
+CVE-2022-24130.diff

Attachment: signature.asc
Description: PGP signature


--- End Message ---
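The fix described in the request above comes down to adding the missing lower-bound checks on the sixel column and row and aborting the draw on the first pixel that fails. The program below is an added example, not xterm code and not part of Sven's upload: it models that check on a constructed toy canvas (the `Canvas` type, `CANVAS_W`/`CANVAS_H`, `draw_sixel` and the other names are assumptions made here) and places the pre-fix and post-fix predicates side by side so the accepted negative row is visible without ever performing the out-of-bounds write.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example modelling the CVE-2022-24130 fix.  The Canvas type and
 * every name below are constructed for illustration, not taken from xterm;
 * mw/mh mirror the max_width/max_height locals in the patched set_sixel(). */

#define CANVAS_W 8
#define CANVAS_H 12             /* two sixel rows of six pixels each */

typedef struct {
    int max_width;
    int max_height;
    unsigned char pixels[CANVAS_W * CANVAS_H];   /* row-major, 1 = lit */
} Canvas;

static void canvas_init(Canvas *c)
{
    c->max_width = CANVAS_W;
    c->max_height = CANVAS_H;
    memset(c->pixels, 0, sizeof c->pixels);
}

/* Pre-fix predicate: only the upper bounds are tested, so a negative
 * column or row passes and would index in front of the pixel array. */
static bool old_pixel_in_bounds(int mw, int mh, int col, int row)
{
    return col < mw && row < mh;
}

/* Post-fix predicate: both ends of each axis are tested. */
static bool pixel_in_bounds(int mw, int mh, int col, int row)
{
    return col >= 0 && col < mw && row >= 0 && row < mh;
}

/* Draw one sixel (six vertically stacked pixels, bit 0 on top) at
 * (col, row).  As in the patched set_sixel(), the first pixel that fails
 * the check aborts the whole sixel and the caller is told to stop; the
 * bound is tested before the bit, so unlit pixels are validated too. */
static bool draw_sixel(Canvas *c, int col, int row, int sixel)
{
    for (int pix = 0; pix < 6; pix++) {
        if (!pixel_in_bounds(c->max_width, c->max_height, col, row + pix))
            return false;                   /* nothing written for this sixel */
        if (sixel & (1 << pix))
            c->pixels[(row + pix) * c->max_width + col] = 1;
    }
    return true;
}

/* Number of lit pixels, for checking results. */
static int count_lit(const Canvas *c)
{
    int n = 0;
    for (int i = 0; i < c->max_width * c->max_height; i++)
        n += c->pixels[i];
    return n;
}

/* Draw a single sixel on a fresh canvas: -1 if it was rejected,
 * otherwise the number of lit pixels afterwards. */
static int try_draw(int col, int row, int sixel)
{
    Canvas c;
    canvas_init(&c);
    return draw_sixel(&c, col, row, sixel) ? count_lit(&c) : -1;
}

int main(void)
{
    /* Constructed inputs: a full in-range sixel, a sixel whose row is
     * negative (the shape of coordinate the old check accepted), and one
     * past the right edge. */
    printf("sixel at (0,0): lit=%d\n", try_draw(0, 0, 0x3f));
    printf("old check accepts row -3: %d\n",
           old_pixel_in_bounds(CANVAS_W, CANVAS_H, 0, -3));
    printf("new check accepts row -3: %d\n",
           pixel_in_bounds(CANVAS_W, CANVAS_H, 0, -3));
    printf("sixel at row -3: lit=%d\n", try_draw(0, -3, 0x3f));
    printf("sixel at col %d: lit=%d\n", CANVAS_W, try_draw(CANVAS_W, 0, 1));
    return 0;
}
```

Note that `try_draw(0, -3, 0x3f)` is rejected outright even though its bottom three pixels would land on rows 0 to 2: the patched control flow drops the whole sixel on the first failing pixel rather than clipping it, which is the behaviour change the debdiff introduces alongside the bounds check itself.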
--- Begin Message ---
Package: release.debian.org
Version: 11.3

Hi,

The updates referenced by these bugs were included in stable as part of
this morning's 11.3 point release.

Regards,

Adam

--- End Message ---
