package/xterm: security bump to patch 376

Message ID 20221119134510.826956-1-peter@korsgaard.com
State Accepted

Commit Message

Peter Korsgaard Nov. 19, 2022, 1:45 p.m. UTC
Fixes the following security issue:

CVE-2022-45063: xterm before 375 allows code execution via font ops, e.g.,
because an OSC 50 response may have Ctrl-g and therefore lead to command
execution within the vi line-editing mode of Zsh:

https://www.openwall.com/lists/oss-security/2022/11/10/1

Additionally, patch 376 fixes a null pointer access issue:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022942

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/xterm/xterm.hash | 2 +-
 package/xterm/xterm.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comments

Yann E. MORIN Nov. 20, 2022, 9:05 a.m. UTC | #1
Peter, All

On 2022-11-19 14:45 +0100, Peter Korsgaard spake thusly:
> Fixes the following security issue:
> 
> CVE-2022-45063: xterm before 375 allows code execution via font ops, e.g.,
> because an OSC 50 response may have Ctrl-g and therefore lead to command
> execution within the vi line-editing mode of Zsh:
> 
> https://www.openwall.com/lists/oss-security/2022/11/10/1
> 
> Additionally, patch 376 fixes a null pointer access issue:
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022942
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/xterm/xterm.hash | 2 +-
>  package/xterm/xterm.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/package/xterm/xterm.hash b/package/xterm/xterm.hash
> index 3f6ec765ce..12cd2e639b 100644
> --- a/package/xterm/xterm.hash
> +++ b/package/xterm/xterm.hash
> @@ -1,4 +1,4 @@
>  # Locally calculated after checking pgp signature
> -sha256  32f888277b19e28ebc0a3112bff000607c07bed0679caa0beebb36f9cad484f5  xterm-371.tgz
> +sha256  1e5bb7aad068fb31d6d3cbb77f80c7ad1526cd4c956a4ddcf2c5cf28af5334e1  xterm-376.tgz
>  # Locally calculated
>  sha256  9521ef761474cd31ea406f56a751646a7b42a9287cdc6f2f8e52ed4c4d2a73e7  COPYING
> diff --git a/package/xterm/xterm.mk b/package/xterm/xterm.mk
> index 95984f1cf9..d01b608d99 100644
> --- a/package/xterm/xterm.mk
> +++ b/package/xterm/xterm.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -XTERM_VERSION = 371
> +XTERM_VERSION = 376
>  XTERM_SOURCE = xterm-$(XTERM_VERSION).tgz
>  XTERM_SITE = http://invisible-mirror.net/archives/xterm
>  XTERM_DEPENDENCIES = ncurses xlib_libXaw host-pkgconf
> -- 
> 2.30.2
> 
Peter Korsgaard Nov. 23, 2022, 9:47 a.m. UTC | #2
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issue:
 > CVE-2022-45063: xterm before 375 allows code execution via font ops, e.g.,
 > because an OSC 50 response may have Ctrl-g and therefore lead to command
 > execution within the vi line-editing mode of Zsh:

 > https://www.openwall.com/lists/oss-security/2022/11/10/1

 > Additionally, patch 376 fixes a null pointer access issue:

 > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022942

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2022.08.x and 2022.02.x, thanks.

Patch

diff --git a/package/xterm/xterm.hash b/package/xterm/xterm.hash
index 3f6ec765ce..12cd2e639b 100644
--- a/package/xterm/xterm.hash
+++ b/package/xterm/xterm.hash
@@ -1,4 +1,4 @@ 
 # Locally calculated after checking pgp signature
-sha256  32f888277b19e28ebc0a3112bff000607c07bed0679caa0beebb36f9cad484f5  xterm-371.tgz
+sha256  1e5bb7aad068fb31d6d3cbb77f80c7ad1526cd4c956a4ddcf2c5cf28af5334e1  xterm-376.tgz
 # Locally calculated
 sha256  9521ef761474cd31ea406f56a751646a7b42a9287cdc6f2f8e52ed4c4d2a73e7  COPYING
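Review bot: The comment above the new xterm-376.tgz entry says the hash was calculated "after checking pgp signature", but the hunk does not record which signature file or signing key was checked, so the verification cannot be repeated from xterm.hash alone on the next bump. Consider adding the signature file's URL, and ideally the key fingerprint, as a comment line directly above the sha256 entry.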
diff --git a/package/xterm/xterm.mk b/package/xterm/xterm.mk
index 95984f1cf9..d01b608d99 100644
--- a/package/xterm/xterm.mk
+++ b/package/xterm/xterm.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-XTERM_VERSION = 371
+XTERM_VERSION = 376
 XTERM_SOURCE = xterm-$(XTERM_VERSION).tgz
 XTERM_SITE = http://invisible-mirror.net/archives/xterm
 XTERM_DEPENDENCIES = ncurses xlib_libXaw host-pkgconf
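Review bot: XTERM_SITE in the context lines still fetches the tarball over plain http://, which leaves the sha256 in xterm.hash as the only integrity check on the download for this security bump; if the mirror serves the same path over HTTPS, switch the scheme in this change. The jump from 371 straight to 376 matches the commit message, which places the CVE fix in 375 and the null pointer fix in 376.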