Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 673404 (CVE-2018-20167)

Summary: <x11-terms/terminology-1.3.2: remote code execution vulnerability (CVE-2018-20167)
Product: Gentoo Security Reporter: thomasg <thomas>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: juippis, proxy-maint
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/gentoo/gentoo/pull/10663
Whiteboard: B3 [noglsa cve]
Package list:
x11-terms/terminology-1.3.2
 Runtime testing required: ---
Bug Depends on: 673460    
Bug Blocks:    

Description thomasg 2018-12-18 20:53:36 UTC 
Terminology in versions below 1.3.1 (this affects the stable version in portage, 1.1.1 as well as unstable, 1.3.0) is vulnerable to remote code execution, due to a bug in the media-popup escape sequence handling.

This is a critical security vulnerability, so it would be wise to bump terminology to 1.3.1 and remove or mask the older version.

The terminology 1.1 series is not maintained by upstream and will not receive any fixes.

https://nvd.nist.gov/vuln/detail/CVE-2018-20167
Comment 1 thomasg 2018-12-18 20:58:48 UTC 
Correction: Terminology 1.3.2 is just out, fixing a regression in 1.3.1.
Comment 2 Joonas Niilola gentoo-dev 2018-12-19 07:25:27 UTC 
Thanks, I'm enjoying a holiday so haven't read any news lately. I'll try to get it fixed ASAP.
Comment 3 Larry the Git Cow gentoo-dev 2018-12-19 09:25:47 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e8f99fdfca0c36420ca2841382b79369752e534

commit 4e8f99fdfca0c36420ca2841382b79369752e534
Author:     Joonas Niilola <juippis@gmail.com>
AuthorDate: 2018-12-19 07:35:36 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2018-12-19 09:25:33 +0000

    x11-terms/terminology: bump to 1.3.2 (CVE-2018-20167)
    
    - https://nvd.nist.gov/vuln/detail/CVE-2018-20167
    
    Bug: https://bugs.gentoo.org/673404
    
    Package-Manager: Portage[mgorny]-2.3.51.1
    Closes: https://github.com/gentoo/gentoo/pull/10663
    Signed-off-by: Joonas Niilola <juippis@gmail.com>
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 x11-terms/terminology/Manifest                 |  1 +
 x11-terms/terminology/terminology-1.3.2.ebuild | 35 ++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
Comment 4 Andreas Sturmlechner gentoo-dev 2018-12-19 09:49:21 UTC 
Maintainer, please call for stabilisation when you think it is ready.
Comment 5 Joonas Niilola gentoo-dev 2018-12-19 09:57:25 UTC 
Please stabilize =x11-terms/terminology-1.3.2 on amd64 and x86. Codebase hasn't changed much since 1.2.0 and there hasn't been any bug reports either. Faulty versions needs to be removed from the tree.

Thanks everyone!
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-19 22:46:56 UTC 
x86 stopped stabilization due to bug 673460.
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-22 22:26:41 UTC 
x86 stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-12-23 17:18:32 UTC 
amd64 stable and cleanup done. No glsa though.