Terminology in versions below 1.3.1 (this affects the stable version in portage, 1.1.1 as well as unstable, 1.3.0) is vulnerable to remote code execution, due to a bug in the media-popup escape sequence handling. This is a critical security vulnerability, so it would be wise to bump terminology to 1.3.1 and remove or mask the older version. The terminology 1.1 series is not maintained by upstream and will not receive any fixes. https://nvd.nist.gov/vuln/detail/CVE-2018-20167
Correction: Terminology 1.3.2 is just out, fixing a regression in 1.3.1.
Thanks, I'm enjoying a holiday so haven't read any news lately. I'll try to get it fixed ASAP.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e8f99fdfca0c36420ca2841382b79369752e534 commit 4e8f99fdfca0c36420ca2841382b79369752e534 Author: Joonas Niilola <juippis@gmail.com> AuthorDate: 2018-12-19 07:35:36 +0000 Commit: Georgy Yakovlev <gyakovlev@gentoo.org> CommitDate: 2018-12-19 09:25:33 +0000 x11-terms/terminology: bump to 1.3.2 (CVE-2018-20167) - https://nvd.nist.gov/vuln/detail/CVE-2018-20167 Bug: https://bugs.gentoo.org/673404 Package-Manager: Portage[mgorny]-2.3.51.1 Closes: https://github.com/gentoo/gentoo/pull/10663 Signed-off-by: Joonas Niilola <juippis@gmail.com> Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org> x11-terms/terminology/Manifest | 1 + x11-terms/terminology/terminology-1.3.2.ebuild | 35 ++++++++++++++++++++++++++ 2 files changed, 36 insertions(+)
Maintainer, please call for stabilisation when you think it is ready.
Please stabilize =x11-terms/terminology-1.3.2 on amd64 and x86. Codebase hasn't changed much since 1.2.0 and there hasn't been any bug reports either. Faulty versions needs to be removed from the tree. Thanks everyone!
x86 stopped stabilization due to bug 673460.
x86 stable
amd64 stable and cleanup done. No glsa though.
