Bug#: 219760
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Matt Fleming (RETIRED) <mjf@gentoo.org>

Attachment: rxvt-unicode-9.02-CVE-2008-1142-DISPLAY.patch (patch), created by René Nussbaumer, 2008-05-04 18:46 0000, 988 bytes

Description:   Opened: 2008-04-29 19:45 0000
rxvt-unicode is vulnerable to the same X11 Display issue as rxvt:

"The security issue is caused due to the program using ":0" as its X11 display
if the DISPLAY environment variable is missing. This can be exploited to
execute arbitrary commands with the privileges of the user running rxvt via a
malicious X server."

rxvt bug #217819
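
The fallback described in the report, shown next to a strict alternative that refuses to pick a display on its own. This is an added example, not the attached patch and not rxvt-unicode's own code; both function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: the behaviour the report describes.
 * A missing DISPLAY silently becomes ":0". */
const char *display_with_fallback(const char *env_display)
{
    return env_display ? env_display : ":0";
}

/* Hypothetical helper: strict resolution with no implicit default.
 * Returns NULL when nothing usable was supplied so the caller can abort. */
const char *display_strict(const char *arg_display, const char *env_display)
{
    if (arg_display && *arg_display)
        return arg_display;   /* display named explicitly by the user */
    if (env_display && *env_display)
        return env_display;   /* DISPLAY provided by the session */
    return NULL;              /* unset or empty: refuse to guess */
}

int main(void)
{
    const char *env = getenv("DISPLAY");
    const char *name = display_strict(NULL, env);

    if (!name) {
        fprintf(stderr,
                "DISPLAY is not set; the fallback would have used %s, refusing to start\n",
                display_with_fallback(NULL));
        return EXIT_FAILURE;
    }
    printf("would open X display %s\n", name);
    return EXIT_SUCCESS;
}
```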

------- Comment #1 From Robert Buchholz 2008-05-03 19:06:47 0000 -------
patch is in bug 217819

------- Comment #2 From René Nussbaumer 2008-05-04 18:46:24 0000 -------
Created an attachment (id=151843)
rxvt-unicode-9.02-CVE-2008-1142-DISPLAY.patch

This patch was taken from the rxvt bug report and slightly adapted to the new
environment.

------- Comment #3 From René Nussbaumer 2008-05-04 18:47:02 0000 -------
I've updated the ebuild to 9.02-r1 which includes this patch.

------- Comment #4 From Robert Buchholz 2008-05-04 19:02:05 0000 -------
Arches, please test and mark stable:
=x11-terms/rxvt-unicode-9.02-r1
Target keywords : "alpha amd64 hppa ppc ppc64 release sparc x86"

------- Comment #5 From Jeroen Roovers 2008-05-05 02:27:01 0000 -------
Stable for HPPA.

------- Comment #6 From Raúl Porcel 2008-05-05 11:08:05 0000 -------
alpha/sparc/x86 stable

------- Comment #7 From Markus Rothe 2008-05-05 12:06:26 0000 -------
ppc64 stable

------- Comment #8 From Markus Meier 2008-05-05 20:20:37 0000 -------
amd64 stable

------- Comment #9 From Tobias Scherbaum 2008-05-06 17:33:52 0000 -------
ppc already is marked stable ...

------- Comment #10 From Peter Volkov 2008-05-07 07:08:38 0000 -------
Fixed in release snapshot.

------- Comment #11 From Tobias Heinlein 2008-05-07 18:59:46 0000 -------
GLSA 200805-03
