
Bug 219760

Summary: x11-terms/rxvt-unicode < 9.02-r1 X11 Display Security Issue (CVE-2008-1142)
Product: Gentoo Security Reporter: Matt Fleming (RETIRED) <mjf>
Component: Vulnerabilities    Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal    CC: killerfox
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/29576
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
rxvt-unicode-9.02-CVE-2008-1142-DISPLAY.patch none

Description Matt Fleming (RETIRED) gentoo-dev 2008-04-29 19:45:05 UTC
rxvt-unicode is vulnerable to the same X11 Display issue as rxvt:

"The security issue is caused due to the program using ":0" as its X11 display
if the DISPLAY environment variable is missing. This can be exploited to
execute arbitrary commands with the privileges of the user running rxvt via a
malicious X server."

rxvt bug #217819
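The weak pattern the advisory describes beside a hardened form, as an added illustration in C (not the attached patch, whose exact changes are not shown on this page). It assumes the fix is to refuse to start when DISPLAY is unset; the additional syntax check on the value is my own addition and goes beyond what the page states.

```c
#include <stdio.h>
#include <stdlib.h>

/* Legacy behaviour (the CVE-2008-1142 pattern): an unset or empty DISPLAY
 * silently becomes ":0", so the client attaches to whichever X server owns
 * that display, not one the user chose. */
const char *resolve_display_legacy(const char *display_env)
{
    return (display_env != NULL && *display_env != '\0') ? display_env : ":0";
}

/* Hardened behaviour: require an explicit, well-formed DISPLAY and refuse
 * to guess. Returns the value to use, or NULL when DISPLAY is unset, empty,
 * or does not look like [host]:N[.S]. (Syntax check is an assumption added
 * here, not taken from the page.) */
const char *resolve_display_hardened(const char *display_env)
{
    if (display_env == NULL || *display_env == '\0')
        return NULL;
    /* The display number follows the last ':' in the string. */
    const char *p = display_env;
    const char *colon = NULL;
    for (; *p != '\0'; p++)
        if (*p == ':')
            colon = p;
    if (colon == NULL)
        return NULL;
    p = colon + 1;
    if (*p < '0' || *p > '9') return NULL;          /* need at least one digit */
    while (*p >= '0' && *p <= '9') p++;
    if (*p == '.') {                                /* optional ".screen" */
        p++;
        if (*p < '0' || *p > '9') return NULL;
        while (*p >= '0' && *p <= '9') p++;
    }
    return (*p == '\0') ? display_env : NULL;       /* no trailing junk */
}

int main(void)
{
    const char *display = resolve_display_hardened(getenv("DISPLAY"));
    if (display == NULL) {
        fprintf(stderr, "DISPLAY is unset or malformed; refusing to fall back to :0\n");
        return 1;
    }
    printf("would connect to %s\n", display);
    return 0;
}
```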
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-05-03 19:06:47 UTC
patch is in bug 217819
Comment 2 René Nussbaumer (RETIRED) gentoo-dev 2008-05-04 18:46:24 UTC
Created attachment 151843 [details, diff]
rxvt-unicode-9.02-CVE-2008-1142-DISPLAY.patch

This patch was taken from the rxvt bug report and slightly adapted to the new environment.
Comment 3 René Nussbaumer (RETIRED) gentoo-dev 2008-05-04 18:47:02 UTC
I've updated the ebuild to 9.02-r1 which includes this patch.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-05-04 19:02:05 UTC
Arches, please test and mark stable:
=x11-terms/rxvt-unicode-9.02-r1
Target keywords : "alpha amd64 hppa ppc ppc64 release sparc x86"
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2008-05-05 02:27:01 UTC
Stable for HPPA.
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-05-05 11:08:05 UTC
alpha/sparc/x86 stable
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2008-05-05 12:06:26 UTC
ppc64 stable
Comment 8 Markus Meier gentoo-dev 2008-05-05 20:20:37 UTC
amd64 stable
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2008-05-06 17:33:52 UTC
ppc already is marked stable ...
Comment 10 Peter Volkov (RETIRED) gentoo-dev 2008-05-07 07:08:38 UTC
Fixed in release snapshot.
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-07 18:59:46 UTC
GLSA 200805-03