Created attachment 803227 [details]
POC text file (runs "cat /etc/passwd" when displayed in Zutty)

x11-terms/zutty contains a vulnerability which allows arbitrary commands to be run by an attacker who can cause output to be sent to the terminal. Specifically, they can include newlines in an invalid DECRQSS command and Zutty will send those newlines (along with any command included) back to the shell. This vulnerability very closely resembles CVE-2008-2383 in xterm.

I have confirmed this vulnerability exists in x11-terms/zutty-0.12 in Gentoo, and I suspect it exists in all versions since 0.2 (when the code to handle DECRQSS was added).

I have not reported this issue to upstream, as I was unable to find a private method of contact. I would appreciate any help the Gentoo Security team can provide in responsibly disclosing/fixing the issue.
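The reflection the report describes, as an added example that is neither zutty's code nor the attached POC: a minimal model of a terminal's DECRQSS responder in the echoing form (an unrecognised request is reflected back inside the DCS 0 $ r ... ST reply, newlines and all) next to a hardened form that never writes attacker-supplied bytes back to the pty. The DCS $ q ... ST / DCS Ps $ r ... ST framing follows the VT-series convention; the table of known selectors and the reply values in it, and the crude "what the shell would execute" model, are assumptions for illustration only.

```python
# Added example (not zutty's code, not the reporter's POC): a minimal model of
# DECRQSS handling on the terminal side, in the echoing form the bug report
# describes and in a hardened form that never reflects unrecognised input.
# The DECRQSS/DECRPSS framing (DCS $ q ... ST / DCS Ps $ r ... ST) follows the
# VT-series convention; the selector table and its reply values are assumed.

ESC = "\x1b"
DCS = ESC + "P"     # Device Control String introducer
ST = ESC + "\\"     # String Terminator

# Assumed selector table: DECRQSS final characters -> current setting value.
KNOWN_SETTINGS = {
    "m": "0",        # SGR
    "r": "1;24",     # DECSTBM
    " q": "1",       # DECSCUSR
    '"p': "64;1",    # DECSCL
}


def build_decrqss(selector: str) -> str:
    """Application/attacker side: wrap a selector in DCS $ q ... ST.

    A malicious file only needs this string to be written to the terminal,
    for example via `cat`; nothing about the selector is validated here.
    """
    return DCS + "$q" + selector + ST


def _selector_of(request: str):
    """Return the selector of a DECRQSS request, or None if it is not one."""
    head = DCS + "$q"
    if not (request.startswith(head) and request.endswith(ST)):
        return None
    return request[len(head):-len(ST)]


def respond_vulnerable(request: str) -> str:
    """Echoing responder: an unknown selector is reflected inside DCS 0 $ r ... ST.

    Whatever bytes the selector contained (newlines included) are written back
    to the pty as if typed, which is the reflection the bug report describes.
    """
    selector = _selector_of(request)
    if selector is None:
        return ""
    if selector in KNOWN_SETTINGS:
        return DCS + "1$r" + KNOWN_SETTINGS[selector] + selector + ST
    return DCS + "0$r" + selector + ST


def respond_hardened(request: str) -> str:
    """Responder that only ever writes terminal-generated bytes back.

    Unknown selectors get the bare 'invalid' reply DCS 0 $ r ST, and a selector
    containing C0 or C1 control characters is treated as unknown outright, so
    nothing attacker-controlled is reflected.
    """
    selector = _selector_of(request)
    if selector is None:
        return ""
    if any(ord(c) < 0x20 or 0x7F <= ord(c) <= 0x9F for c in selector):
        return DCS + "0$r" + ST
    if selector in KNOWN_SETTINGS:
        return DCS + "1$r" + KNOWN_SETTINGS[selector] + selector + ST
    return DCS + "0$r" + ST


def injected_commands(reply: str) -> list:
    """Crude model of a line-oriented shell reading the reply from its tty.

    Control characters are dropped and every CR/LF-terminated segment is taken
    as a submitted command line; a real shell with line editing differs in
    detail, but the newline is what turns reflected text into execution.
    """
    commands, buf = [], ""
    for ch in reply:
        if ch in "\r\n":
            if buf.strip():
                commands.append(buf.strip())
            buf = ""
        elif ord(ch) >= 0x20 and not (0x7F <= ord(ch) <= 0x9F):
            buf += ch
    return commands


if __name__ == "__main__":
    # Constructed payload in the spirit of the attached POC: an invalid
    # selector that carries a newline-terminated command.
    request = build_decrqss("\ncat /etc/passwd\n")
    print("vulnerable:", injected_commands(respond_vulnerable(request)))
    print("hardened:  ", injected_commands(respond_hardened(request)))
```

The point of the hardened variant is that the reply for an invalid request carries no copy of the request at all: the only bytes that ever travel from the terminal back to the shell are constants and values the terminal itself owns. Rejecting control characters up front is belt and braces, since an exact lookup against the selector table already excludes them.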
Thanks. Could you try emailing Tom Szilagyi <tom.szilagyi@altmail.se>?
(In reply to Sam James from comment #1)
> Thanks. Could you try emailing Tom Szilagyi <tom.szilagyi@altmail.se>?

Sure thing, I've emailed him and will update this bug once I get a response.
Created attachment 803260 [details, diff]
Patch for zutty-0.12
I talked to Tom Szilagyi via email. He hopes to have a fix for the vulnerability out by the end of the week.
(In reply to Carter Sande from comment #4)
> I talked to Tom Szilagyi via email. He hopes to have a fix for the
> vulnerability out by the end of the week.

Could you go ahead and request a CVE (and ensure that MITRE knows the issue is currently private)?
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c0388ff51cbfe987faeef5c1b10d2986e8ed8603

commit c0388ff51cbfe987faeef5c1b10d2986e8ed8603
Author:     Matthew Smith <matthew@gentoo.org>
AuthorDate: 2022-09-10 12:02:47 +0000
Commit:     Matthew Smith <matthew@gentoo.org>
CommitDate: 2022-09-10 12:04:00 +0000

    x11-terms/zutty: add 0.13

    Bug: https://bugs.gentoo.org/868495
    Signed-off-by: Matthew Smith <matthew@gentoo.org>

 x11-terms/zutty/Manifest          |  1 +
 x11-terms/zutty/zutty-0.13.ebuild | 42 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
Please cleanup
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0116bc81a30a57996e71f92c190a79d0a40a001f

commit 0116bc81a30a57996e71f92c190a79d0a40a001f
Author:     Matthew Smith <matthew@gentoo.org>
AuthorDate: 2022-09-12 18:14:38 +0000
Commit:     Matthew Smith <matthew@gentoo.org>
CommitDate: 2022-09-12 18:17:03 +0000

    x11-terms/zutty: remove 0.12, security cleanup

    Bug: https://bugs.gentoo.org/868495
    Signed-off-by: Matthew Smith <matthew@gentoo.org>

 x11-terms/zutty/Manifest          |  1 -
 x11-terms/zutty/zutty-0.12.ebuild | 41 ---------------------------------------
 2 files changed, 42 deletions(-)
Thanks!
CVE requested
GLSA request filed
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=fc10c987b6e59d6274fa1c863e8c2c3e80119e97

commit fc10c987b6e59d6274fa1c863e8c2c3e80119e97
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-29 14:24:54 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-29 14:48:02 +0000

    [ GLSA 202209-25 ] Zutty: Arbitrary Code Execution

    Bug: https://bugs.gentoo.org/868495
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-25.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
GLSA released, all done!