Bug 880747 (CVE-2022-45063) - <x11-terms/xterm-375: code execution via OSC 50 input sequences
Summary: <x11-terms/xterm-375: code execution via OSC 50 input sequences
Status: RESOLVED FIXED
Alias: CVE-2022-45063
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B2 [glsa+]
Keywords:
Depends on: 880749
Blocks:
Reported: 2022-11-10 14:38 UTC by John Helmert III
Modified: 2022-11-22 04:05 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-10 14:38:51 UTC
"The issue is in the OSC 50 sequence, which is for setting and querying
the font. If a given font does not exist, it is not set, but a query
will return the name that was set. Control characters can't be
included, but the response string can be terminated with ^G. This
essentially gives us a primitive for echoing text back to the terminal
and ending it with ^G.

It so happens ^G is, in Zsh when in vi line editing mode, bound to
"list-expand", which can run commands as part of the expansion, leading
to command execution without pressing enter!

This does mean to exploit this vulnerability the user needs to be
using Zsh in vi line editing mode (usually via $EDITOR having "vi" in
it). While somewhat obscure this is not a totally unknown
configuration.

In that configuration, something like:
printf "\e]50;i\$(touch /tmp/hack-like-its-1999)\a\e]50;?\a" > cve-2022-45063
cat cve-2022-45063  # or another way to deliver this to the victim

Will touch that file. It will leave the line on the user's screen;
I'll leave it as an exercise for the reader to use the vi line editing
commands to hide the evidence.

Debian, Red Hat and others disable font ops by default (see some
good foresight at [1] or this very list [2]), but users can re-enable them
via a configuration option or menu. Additionally, upstream xterm does
not disable them by default, so some distributions include a
vulnerable default configuration.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030
[2]: https://www.openwall.com/lists/oss-security/2015/09/20/2 towards the end."

Maybe we should also be disabling this functionality like other
distributions.
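The advisory above boils down to an echo primitive: an OSC 50 font query makes xterm write attacker-chosen text back to the terminal, terminated with ^G. The following is an added example, not code from the Gentoo bug or from the quoted oss-security post, showing how a program that displays untrusted data (a log viewer, a pager wrapper, a chat client) can detect and strip OSC 50 set/query sequences before they reach the terminal. The OSC grammar it parses (ESC ] Ps ; Pt, terminated by BEL or by ST, i.e. ESC \) is xterm's; the sample input and the function names are constructed for this example.

```python
"""Detect and neutralise xterm OSC 50 (font set/query) sequences in untrusted data.

Added example for CVE-2022-45063, not part of the bug report or the
oss-security post. It parses the generic OSC form used by xterm:
    ESC ] Ps ; Pt  followed by BEL (0x07) or ST (ESC \\)
and treats Ps == 50 (font operations) as the sequence to flag and remove.
"""
import re

# The payload class excludes ESC and BEL so one OSC cannot swallow the
# terminator of the next sequence.
OSC_RE = re.compile(rb"\x1b\](?P<ps>\d+);(?P<pt>[^\x07\x1b]*)(?:\x07|\x1b\\)")

# OSC 50 is the font set/query sequence abused for the echo primitive.
FONT_OPS = {50}

# Constructed sample: a harmless title change (OSC 0), a font set with a
# plain font name, and the font query that triggers the echo back.
SAMPLE = b"hello \x1b]0;my title\x07 world \x1b]50;fixed\x07\x1b]50;?\x07 done\n"


def find_osc_sequences(data: bytes):
    """Return every OSC in data as a list of (Ps, Pt) tuples, in order."""
    return [(int(m.group("ps")), m.group("pt")) for m in OSC_RE.finditer(data)]


def has_font_ops(data: bytes) -> bool:
    """True if data contains any OSC 50 set or query."""
    return any(ps in FONT_OPS for ps, _ in find_osc_sequences(data))


def strip_font_ops(data: bytes) -> bytes:
    """Remove OSC 50 sequences only; other OSCs (e.g. OSC 0 title) are kept."""
    def drop(m: re.Match) -> bytes:
        return b"" if int(m.group("ps")) in FONT_OPS else m.group(0)
    return OSC_RE.sub(drop, data)


if __name__ == "__main__":
    for ps, pt in find_osc_sequences(SAMPLE):
        flag = "FONT-OP" if ps in FONT_OPS else "ok"
        print(f"OSC {ps:<3} {flag:<8} payload={pt!r}")
    print("contains font ops:", has_font_ops(SAMPLE))
    print("sanitised:", strip_font_ops(SAMPLE))
```

Filtering at the application layer complements, rather than replaces, the fix the post points at: xterm's `allowFontOps` resource (for example `XTerm*allowFontOps: false` in `~/.Xresources`), which is what the distributions named above set by default, and upgrading to xterm 375 or later.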
Comment 1 Larry the Git Cow gentoo-dev 2022-11-18 20:09:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7cf723b085c3b7d035d4767768ed3e94ccf79e62

commit 7cf723b085c3b7d035d4767768ed3e94ccf79e62
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-11-18 19:54:48 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-18 20:08:43 +0000

    x11-terms/xterm: drop 372
    
    Bug: https://bugs.gentoo.org/880747
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 x11-terms/xterm/Manifest         |  1 -
 x11-terms/xterm/xterm-372.ebuild | 98 ----------------------------------------
 2 files changed, 99 deletions(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-18 20:42:17 UTC
Downgrading due to high prerequisites for exploitation.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-18 20:54:32 UTC
GLSA request filed.
Comment 4 Larry the Git Cow gentoo-dev 2022-11-22 04:01:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=fa09cca354064b7fb282f48a91b7428a1df094bb

commit fa09cca354064b7fb282f48a91b7428a1df094bb
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-11-22 03:53:08 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-22 03:59:40 +0000

    [ GLSA 202211-09 ] xterm: Arbitrary Code Execution
    
    Bug: https://bugs.gentoo.org/880747
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202211-09.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 04:05:00 UTC
GLSA released, all done!