| Name | CVE-2023-40359 |
| Description | xterm before 380 supports ReGIS reporting for character-set names even if they have unexpected characters (i.e., neither alphanumeric nor underscore), aka a pointer/overflow issue. This can only occur for xterm installations that are configured at compile time to use a certain experimental feature. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| xterm (PTS) | jessie, jessie (lts) | 312-2+deb8u4 | vulnerable |
| stretch (security), stretch (lts), stretch | 327-2+deb9u3 | vulnerable |
| buster | 344-1+deb10u2 | vulnerable |
| bullseye | 366-1+deb11u1 | vulnerable |
| bookworm | 379-1 | vulnerable |
| sid, trixie | 390-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| xterm | source | (unstable) | 382-2 | unimportant | | |
Notes
https://invisible-island.net/xterm/xterm.log.html#xterm_380
ReGIS support not enabled in Debian builds
[stretch] - xterm <no-dsa> (Minor issue)
[jessie] - xterm <no-dsa> (Minor issue)