Summary: | <x11-terms/rxvt-unicode-9.22-r9: improper handling of certain escape sequences (CVE-2021-33477) | ||||||
---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Roman 'gryf' Dobosz <gryf_esm> | ||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | normal | Flags: | nattka:
sanity-check+
|
||||
Priority: | Normal | ||||||
Version: | unspecified | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
URL: | https://seclists.org/oss-sec/2021/q2/145 | ||||||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=791004 | ||||||
Whiteboard: | B2 [glsa+ cve] | ||||||
Package list: |
=x11-terms/rxvt-unicode-9.22-r9
|
Runtime testing required: | --- | ||||
Bug Depends on: | |||||||
Bug Blocks: | 791841 | ||||||
Attachments: |
|
Description
Roman 'gryf' Dobosz
2021-05-18 07:26:56 UTC
Created attachment 709668 [details, diff]
A workaround for x11-terms/mrxvt
This does also affect x11-terms/mrxvt-0.5.4, for which a patch is attached.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7754b4970254a816210ca814289256a43d7625f7 commit 7754b4970254a816210ca814289256a43d7625f7 Author: Marek Szuba <marecki@gentoo.org> AuthorDate: 2021-05-18 15:25:01 +0000 Commit: Marek Szuba <marecki@gentoo.org> CommitDate: 2021-05-18 15:33:09 +0000 x11-terms/rxvt-unicode-9.22: mark ANSI sequence ESC G Q as insecure Can in theory be used to perform remote code execution, see https://seclists.org/oss-sec/2021/q2/145 . This was fixed upstream in 2017 (see http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583) so 9.26 is not vulnerable, that said 9.22 will likely not go away any time soon (if only because of 24-bit colour support) so let's backport this. Reported-by: Roman Dobosz <gryf73@gmail.com> Bug: https://bugs.gentoo.org/790782 Closes: https://github.com/gentoo/gentoo/pull/20863 Signed-off-by: Marek Szuba <marecki@gentoo.org> ...rxvt-unicode-9.22-query-graphics-insecure.patch | 11 ++ x11-terms/rxvt-unicode/rxvt-unicode-9.22-r9.ebuild | 120 +++++++++++++++++++++ 2 files changed, 131 insertions(+) We should probably do a new bug for mrxvt. ppc stable sparc stable arm done amd64 stable ppc64 stable x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d98e1e17ede4b7ce1344499138c1563c2805a80a commit d98e1e17ede4b7ce1344499138c1563c2805a80a Author: Marek Szuba <marecki@gentoo.org> AuthorDate: 2021-05-22 15:06:52 +0000 Commit: Marek Szuba <marecki@gentoo.org> CommitDate: 2021-05-22 15:09:22 +0000 x11-terms/rxvt-unicode: drop 9.22-r8 No versions vulnerable to the issue at hand left in the tree. Bug: https://bugs.gentoo.org/790782 Signed-off-by: Marek Szuba <marecki@gentoo.org> x11-terms/rxvt-unicode/rxvt-unicode-9.22-r8.ebuild | 119 --------------------- 1 file changed, 119 deletions(-) Thanks! New GLSA request filed. This issue was resolved and addressed in GLSA 202105-17 at https://security.gentoo.org/glsa/202105-17 by GLSA coordinator Thomas Deutschmann (whissi). |