Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 790782

Summary: <x11-terms/rxvt-unicode-9.22-r9: improper handling of certain escape sequences (CVE-2021-33477)
Product: Gentoo Security Reporter: Roman 'gryf' Dobosz <gryf_esm>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal Flags: nattka: sanity-check+
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://seclists.org/oss-sec/2021/q2/145
See Also: https://bugs.gentoo.org/show_bug.cgi?id=791004
Whiteboard: B2 [glsa+ cve]
Package list:
=x11-terms/rxvt-unicode-9.22-r9
 Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 791841    
Attachments:
Description Flags
A workaround for x11-terms/mrxvt none

Description Roman 'gryf' Dobosz 2021-05-18 07:26:56 UTC 
There is a security flaw in using ANSI escape sequence for querying
graphics mode in rxvt-unicode-9.22 which can lead to remote code
execution, as demonstrated in url above.

Reproducible: Always

Steps to Reproduce:
1. printf "\eGQ"

Actual Results:  
0
$ bash: 0: command not found


Expected Results:  
Should not execute anything by filling up the prompt and sending "\n". This is already fixed in upstream in version 9.25 and up. Now, this sequence will do nothing:

$ printf "\eGQ"
Q ~ $ 


Quering graphic mode leaves data on the terminal AND provide newline character, which is the main flaw in the described scenario.
Comment 1 Tee KOBAYASHI 2021-05-18 13:33:02 UTC 
Created attachment 709668 [details, diff]
A workaround for x11-terms/mrxvt

This does also affect x11-terms/mrxvt-0.5.4, for which a patch is attached.
Comment 2 Larry the Git Cow gentoo-dev 2021-05-18 15:50:10 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7754b4970254a816210ca814289256a43d7625f7

commit 7754b4970254a816210ca814289256a43d7625f7
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2021-05-18 15:25:01 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-05-18 15:33:09 +0000

    x11-terms/rxvt-unicode-9.22: mark ANSI sequence ESC G Q as insecure
    
    Can in theory be used to perform remote code execution, see
    https://seclists.org/oss-sec/2021/q2/145 . This was fixed upstream in 2017
    (see http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583)
    so 9.26 is not vulnerable, that said 9.22 will likely not go away any
    time soon (if only because of 24-bit colour support) so let's backport
    this.
    
    Reported-by: Roman Dobosz <gryf73@gmail.com>
    Bug: https://bugs.gentoo.org/790782
    Closes: https://github.com/gentoo/gentoo/pull/20863
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 ...rxvt-unicode-9.22-query-graphics-insecure.patch |  11 ++
 x11-terms/rxvt-unicode/rxvt-unicode-9.22-r9.ebuild | 120 +++++++++++++++++++++
 2 files changed, 131 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-18 17:22:26 UTC 
We should probably do a new bug for mrxvt.
Comment 4 Agostino Sarubbo gentoo-dev 2021-05-19 09:46:39 UTC 
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2021-05-19 09:48:03 UTC 
sparc stable
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-19 17:26:14 UTC 
arm done
Comment 7 Agostino Sarubbo gentoo-dev 2021-05-19 20:06:43 UTC 
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2021-05-19 20:07:50 UTC 
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2021-05-19 20:09:23 UTC 
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 10 Larry the Git Cow gentoo-dev 2021-05-22 15:09:32 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d98e1e17ede4b7ce1344499138c1563c2805a80a

commit d98e1e17ede4b7ce1344499138c1563c2805a80a
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2021-05-22 15:06:52 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-05-22 15:09:22 +0000

    x11-terms/rxvt-unicode: drop 9.22-r8
    
    No versions vulnerable to the issue at hand left in the tree.
    
    Bug: https://bugs.gentoo.org/790782
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 x11-terms/rxvt-unicode/rxvt-unicode-9.22-r8.ebuild | 119 ---------------------
 1 file changed, 119 deletions(-)
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-22 18:04:29 UTC 
Thanks!
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-24 15:10:20 UTC 
New GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 08:58:16 UTC 
This issue was resolved and addressed in
 GLSA 202105-17 at https://security.gentoo.org/glsa/202105-17
by GLSA coordinator Thomas Deutschmann (whissi).