Security update for xterm SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:0582-1 Final 1 1 2023-02-28T17:12:51Z current 2023-02-28T17:12:51Z 2023-02-28T17:12:51Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for xterm This update for xterm fixes the following issues: - CVE-2022-45063: Fixed command injection in ESC 50 fontoperation by disabling the change font functionality (bsc#1205305). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES12-SP5-Azure-SAP-BYOS-2023-582,Image SLES12-SP5-Azure-SAP-On-Demand-2023-582,Image SLES12-SP5-EC2-SAP-BYOS-2023-582,Image SLES12-SP5-EC2-SAP-On-Demand-2023-582,Image SLES12-SP5-GCE-SAP-BYOS-2023-582,Image SLES12-SP5-GCE-SAP-On-Demand-2023-582,Image SLES12-SP5-SAP-Azure-LI-BYOS-Production-2023-582,Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production-2023-582,SUSE-2023-582,SUSE-OpenStack-Cloud-9-2023-582,SUSE-OpenStack-Cloud-Crowbar-9-2023-582,SUSE-SLE-SAP-12-SP4-2023-582,SUSE-SLE-SERVER-12-SP2-BCL-2023-582,SUSE-SLE-SERVER-12-SP4-ESPOS-2023-582,SUSE-SLE-SERVER-12-SP4-LTSS-2023-582,SUSE-SLE-SERVER-12-SP5-2023-582 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20230582-1/ Link for SUSE-SU-2023:0582-1 https://lists.suse.com/pipermail/sle-security-updates/2023-February/013932.html E-Mail link for SUSE-SU-2023:0582-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1205305 SUSE Bug 1205305 https://www.suse.com/security/cve/CVE-2022-45063/ SUSE CVE CVE-2022-45063 page Image SLES12-SP5-Azure-SAP-BYOS Image SLES12-SP5-Azure-SAP-On-Demand Image SLES12-SP5-EC2-SAP-BYOS Image SLES12-SP5-EC2-SAP-On-Demand Image SLES12-SP5-GCE-SAP-BYOS Image SLES12-SP5-GCE-SAP-On-Demand Image SLES12-SP5-SAP-Azure-LI-BYOS-Production Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production SUSE Linux Enterprise Server 12 SP2-BCL SUSE Linux Enterprise Server 12 SP4-ESPOS SUSE Linux Enterprise Server 12 SP4-LTSS SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 9 xterm-308-5.9.1 xterm-308-5.9.1 as a component of Image SLES12-SP5-Azure-SAP-BYOS xterm-308-5.9.1 as a component of Image SLES12-SP5-Azure-SAP-On-Demand xterm-308-5.9.1 as a component of Image SLES12-SP5-EC2-SAP-BYOS xterm-308-5.9.1 as a component of Image SLES12-SP5-EC2-SAP-On-Demand xterm-308-5.9.1 as a component of Image SLES12-SP5-GCE-SAP-BYOS xterm-308-5.9.1 as a component of Image SLES12-SP5-GCE-SAP-On-Demand xterm-308-5.9.1 as a component of Image SLES12-SP5-SAP-Azure-LI-BYOS-Production xterm-308-5.9.1 as a component of Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production xterm-308-5.9.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL xterm-308-5.9.1 as a component of SUSE Linux Enterprise Server 12 SP4-ESPOS xterm-308-5.9.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS xterm-308-5.9.1 as a component of SUSE Linux Enterprise Server 12 SP5 xterm-308-5.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 xterm-308-5.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 xterm-308-5.9.1 as a component of SUSE OpenStack Cloud 9 xterm-308-5.9.1 as a component of SUSE OpenStack Cloud Crowbar 9 xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed in the xterm default configurations of some Linux distributions. CVE-2022-45063 Image SLES12-SP5-Azure-SAP-BYOS:xterm-308-5.9.1 Image SLES12-SP5-Azure-SAP-On-Demand:xterm-308-5.9.1 Image SLES12-SP5-EC2-SAP-BYOS:xterm-308-5.9.1 Image SLES12-SP5-EC2-SAP-On-Demand:xterm-308-5.9.1 Image SLES12-SP5-GCE-SAP-BYOS:xterm-308-5.9.1 Image SLES12-SP5-GCE-SAP-On-Demand:xterm-308-5.9.1 Image SLES12-SP5-SAP-Azure-LI-BYOS-Production:xterm-308-5.9.1 Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production:xterm-308-5.9.1 SUSE Linux Enterprise Server 12 SP2-BCL:xterm-308-5.9.1 SUSE Linux Enterprise Server 12 SP4-ESPOS:xterm-308-5.9.1 SUSE Linux Enterprise Server 12 SP4-LTSS:xterm-308-5.9.1 SUSE Linux Enterprise Server 12 SP5:xterm-308-5.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:xterm-308-5.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:xterm-308-5.9.1 SUSE OpenStack Cloud 9:xterm-308-5.9.1 SUSE OpenStack Cloud Crowbar 9:xterm-308-5.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20230582-1/ https://www.suse.com/security/cve/CVE-2022-45063.html CVE-2022-45063 https://bugzilla.suse.com/1205305 SUSE Bug 1205305 https://bugzilla.suse.com/1211577 SUSE Bug 1211577