A crash was reported in xterm prior to patch #366 when processing a specially crafted sequence of combining characters. The cause is an out-of-bounds write, which may be exploitable to cause arbitrary code execution.

References:
https://www.openwall.com/lists/oss-security/2021/02/09/7
https://invisible-island.net/xterm/xterm.log.html
Created xterm tracking bugs for this issue:

Affects: fedora-all [bug 1927570]
Mitigation: This vulnerability can be mitigated by disabling UTF-8 support in XTerm configuration. An entry such as "XTerm.vt100.utf8: false" in Xresources will disable UTF-8. This can be set as a system default in /etc/X11/Xresources, or per-user in ~/.Xresources. Note that this setting can still be overridden if xterm is invoked with the "-u8" command line option, so the mitigation may not protect all use cases.
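The following shell script is an added example, not part of the advisory or of xterm: it checks whether an Xresources file carries the utf8 resource described above and whether a given xterm command line would override it with "-u8". The function names and the constructed sample files are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the advisory): check whether the Xresources
# mitigation for CVE-2021-27135 is in effect for a given xterm invocation.
# Function and file names below are assumptions for this example.

# Return 0 if FILE sets an xterm utf8 resource to a false value.
# Accepts forms such as "XTerm.vt100.utf8: false" or "XTerm*utf8: 0".
# Xresources comment lines start with '!' and never match the anchor.
xresources_disables_utf8() {
    [ -r "$1" ] || return 1
    grep -iE '^[[:space:]]*xterm([.*][[:alnum:]_]+)*[.*]utf8[[:space:]]*:[[:space:]]*(false|off|no|0)[[:space:]]*$' "$1" >/dev/null
}

# Return 0 if the xterm command line carries -u8, which re-enables UTF-8
# regardless of the resource file (the caveat noted in the mitigation).
cmdline_forces_utf8() {
    for arg in "$@"; do
        [ "$arg" = "-u8" ] && return 0
    done
    return 1
}

# Print one of: protected, overridden, unmitigated.
# Usage: mitigation_status FILE [xterm arguments...]
mitigation_status() {
    file="$1"; shift
    if ! xresources_disables_utf8 "$file"; then
        echo unmitigated
    elif cmdline_forces_utf8 "$@"; then
        echo overridden
    else
        echo protected
    fi
}

# Constructed sample resource files for demonstration (not real system files).
tmpdir=$(mktemp -d)
printf '! system default\nXTerm.vt100.utf8: false\n' > "$tmpdir/mitigated"
printf 'XTerm*utf8: true\n' > "$tmpdir/unmitigated"

mitigation_status "$tmpdir/mitigated"            # protected
mitigation_status "$tmpdir/mitigated" -u8 -e sh  # overridden
mitigation_status "$tmpdir/unmitigated"          # unmitigated
```

Point the first argument at /etc/X11/Xresources or ~/.Xresources and pass the arguments of a running xterm (for example from its process command line) to check a real host; a missing or unreadable file is reported as unmitigated.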
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:0611 https://access.redhat.com/errata/RHSA-2021:0611
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-27135
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2021:0617 https://access.redhat.com/errata/RHSA-2021:0617
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0650 https://access.redhat.com/errata/RHSA-2021:0650
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0651 https://access.redhat.com/errata/RHSA-2021:0651