Bugzilla – Bug 1214282
VUL-0: CVE-2023-40359: xterm: xterm before 380 supports ReGIS reporting for character-set names even if they have unexpected characters
Last modified: 2024-04-29 03:41:26 UTC
CVE-2023-40359

xterm before 380 supports ReGIS reporting for character-set names even if they have unexpected characters (i.e., neither alphanumeric nor underscore), aka a pointer/overflow issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-40359
https://www.cve.org/CVERecord?id=CVE-2023-40359
https://invisible-island.net/xterm/xterm.log.html#xterm_380
Spent some time now. Maintainer rewrote parts of the ReGIS code. Let's see how to backport.
Created attachment 869542
0001-snapshot-of-project-xterm-label-xterm-379c.patch

This snapshot has 2 fix sets, one for this issue, and an unrelated one in WriteNow macro.
This is an autogenerated message for OBS integration:
This bug (1214282) was mentioned in
https://build.opensuse.org/request/show/1111588 Factory / xterm
SUSE-SU-2023:4438-1: An update that solves one vulnerability can now be installed.

Category: security (low)
Bug References: 1214282
CVE References: CVE-2023-40359
Sources used:
openSUSE Leap 15.4 (src): xterm-330-150200.11.12.1
openSUSE Leap 15.5 (src): xterm-330-150200.11.12.1
Basesystem Module 15-SP4 (src): xterm-330-150200.11.12.1
Basesystem Module 15-SP5 (src): xterm-330-150200.11.12.1
SUSE Manager Proxy 4.2 (src): xterm-330-150200.11.12.1
SUSE Manager Retail Branch Server 4.2 (src): xterm-330-150200.11.12.1
SUSE Manager Server 4.2 (src): xterm-330-150200.11.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.