CVE-2023-40359

NameCVE-2023-40359
Descriptionxterm before 380 supports ReGIS reporting for character-set names even if they have unexpected characters (i.e., neither alphanumeric nor underscore), aka a pointer/overflow issue. This can only occur for xterm installations that are configured at compile time to use a certain experimental feature.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xterm (PTS)buster344-1+deb10u2vulnerable
bullseye366-1+deb11u1vulnerable
bookworm379-1vulnerable
trixie391-1fixed
sid392-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
xtermsource(unstable)382-2unimportant

Notes

https://invisible-island.net/xterm/xterm.log.html#xterm_380
ReGIS support not enabled in Debian builds

Search for package or bug name: Reporting problems