There is a security flaw in using an ANSI escape sequence for querying graphics mode in rxvt-unicode-9.22 which can lead to remote code execution, as demonstrated in the URL above.

Reproducible: Always

Steps to Reproduce:
1. printf "\eGQ"

Actual Results:
0
$ bash: 0: command not found

Expected Results:
Should not execute anything by filling up the prompt and sending "\n".

This is already fixed upstream in version 9.25 and up. Now, this sequence will do nothing:
$ printf "\eGQ"
Q
~ $

Querying graphics mode leaves data on the terminal AND provides a newline character, which is the main flaw in the described scenario.
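The mechanism above is a terminal response injection: untrusted bytes written to the terminal make it answer on the tty input side, and the trailing newline hands that answer to the shell as a command. The following is an added example (not from the bug report, the rxvt-unicode project, or Gentoo) that detects ESC-introduced sequences in untrusted data before it is displayed, models the "0" plus newline reply the report observed for ESC G Q, and neutralises the sequences. The sample bytes are constructed for the example; the regex is an assumption that covers a practical subset of ECMA-48 sequences rather than the full grammar, and the CSI 6 n cursor-position request is included only as a second, generic query that terminals answer.

```python
import re

# Constructed sample of attacker-controlled bytes (for instance a line from a
# remote log, a filename, or a server banner) that a user might `cat` in an
# unpatched rxvt-unicode 9.22. It carries the graphics-mode query ESC G Q from
# the report plus a cursor-position report request (CSI 6 n) as a second,
# generic example of a sequence the terminal answers.
SAMPLE = b"normal text\x1bGQ more text\x1b[6n end"

# Escape sequences that start with ESC (0x1b). Assumption made for this
# example: a practical subset, not the full ECMA-48 grammar. The ESC G Q
# alternative is listed first so the alternation picks it before the generic
# "ESC + one byte" fallback does.
ESC_SEQ = re.compile(
    rb"\x1bGQ"                                  # rxvt-unicode graphics query (the report)
    rb"|\x1b\[[0-?]*[ -/]*[@-~]"                # CSI: parameters, intermediates, final byte
    rb"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"      # OSC ... terminated by BEL or ESC \
    rb"|\x1b.",                                 # any other ESC followed by one byte
    re.DOTALL,
)


def find_terminal_sequences(data: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, sequence) for every ESC-introduced sequence in data."""
    return [(m.start(), m.group(0)) for m in ESC_SEQ.finditer(data)]


def would_inject_input(data: bytes) -> bytes:
    """Bytes an unpatched rxvt-unicode 9.22 writes back into the tty input.

    Per the report, each ESC G Q makes the terminal answer "0" followed by a
    newline, which the foreground shell then reads as a complete command line.
    Modelled here from the reported behaviour; this is not the terminal's code.
    """
    return b"0\n" * data.count(b"\x1bGQ")


def strip_sequences(data: bytes) -> bytes:
    """Remove every matched escape sequence so the terminal never sees a query."""
    return ESC_SEQ.sub(b"", data)


def make_visible(data: bytes) -> bytes:
    """Alternative to stripping: show ESC as "^[" the way `cat -v` does.

    The bytes that followed ESC are then ordinary printable text, so nothing is
    interpreted as a query and no reply is generated, while the reader can still
    see that a sequence was present.
    """
    return data.replace(b"\x1b", b"^[")


if __name__ == "__main__":
    for offset, seq in find_terminal_sequences(SAMPLE):
        print(f"offset {offset}: {seq!r}")
    print("terminal would inject:", would_inject_input(SAMPLE))
    print("stripped:", strip_sequences(SAMPLE))
    print("visible :", make_visible(SAMPLE))
```

Both neutralisers only cover 7-bit ESC-introduced sequences; 8-bit C1 controls (0x80 to 0x9F, where 0x9B is a one-byte CSI) and other C0 controls such as BEL or CR are out of scope for this example and would need handling in a real filter for untrusted output.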
Created attachment 709668 [details, diff]
A workaround for x11-terms/mrxvt

This also affects x11-terms/mrxvt-0.5.4, for which a patch is attached.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7754b4970254a816210ca814289256a43d7625f7

commit 7754b4970254a816210ca814289256a43d7625f7
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2021-05-18 15:25:01 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-05-18 15:33:09 +0000

    x11-terms/rxvt-unicode-9.22: mark ANSI sequence ESC G Q as insecure

    Can in theory be used to perform remote code execution, see
    https://seclists.org/oss-sec/2021/q2/145 .

    This was fixed upstream in 2017 (see
    http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583)
    so 9.26 is not vulnerable, that said 9.22 will likely not go away any
    time soon (if only because of 24-bit colour support) so let's backport
    this.

    Reported-by: Roman Dobosz <gryf73@gmail.com>
    Bug: https://bugs.gentoo.org/790782
    Closes: https://github.com/gentoo/gentoo/pull/20863
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 ...rxvt-unicode-9.22-query-graphics-insecure.patch |  11 ++
 x11-terms/rxvt-unicode/rxvt-unicode-9.22-r9.ebuild | 120 +++++++++++++++++++++
 2 files changed, 131 insertions(+)
We should probably do a new bug for mrxvt.
ppc stable
sparc stable
arm done
amd64 stable
ppc64 stable
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d98e1e17ede4b7ce1344499138c1563c2805a80a

commit d98e1e17ede4b7ce1344499138c1563c2805a80a
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2021-05-22 15:06:52 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-05-22 15:09:22 +0000

    x11-terms/rxvt-unicode: drop 9.22-r8

    No versions vulnerable to the issue at hand left in the tree.

    Bug: https://bugs.gentoo.org/790782
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 x11-terms/rxvt-unicode/rxvt-unicode-9.22-r8.ebuild | 119 ---------------------
 1 file changed, 119 deletions(-)
Thanks!
New GLSA request filed.
This issue was resolved and addressed in GLSA 202105-17 at https://security.gentoo.org/glsa/202105-17 by GLSA coordinator Thomas Deutschmann (whissi).