
Bug 880747 (CVE-2022-45063)

Summary: <x11-terms/xterm-375: code execution via OSC 50 input sequences
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: luke, maintainer-needed
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.openwall.com/lists/oss-security/2022/11/10/1
Whiteboard: B2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 880749
Bug Blocks:

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-10 14:38:51 UTC
"The issue is in the OSC 50 sequence, which is for setting and querying
the font. If a given font does not exist, it is not set, but a query
will return the name that was set. Control characters can't be
included, but the response string can be terminated with ^G. This
essentially gives us a primitive for echoing text back to the terminal
and ending it with ^G.

It so happens ^G is in Zsh when in vi line editing mode bound to
"list-expand". Which can run commands as part of the expansion leading
to command execution without pressing enter!

This does mean to exploit this vulnerability the user needs to be
using Zsh in vi line editing mode (usually via $EDITOR having "vi" in
it). While somewhat obscure this is not a totally unknown
configuration.

In that configuration, something like:
printf "\e]50;i\$(touch /tmp/hack-like-its-1999)\a\e]50;?\a" > cve-2022-45063
cat cve-2022-45063  # or another way to deliver this to the victim

Will touch that file. It will leave the line on the user's screen;
I'll leave it as an exercise for the reader to use the vi line editing
commands to hide the evidence.

Debian, Red Hat and others disable font ops by default (see some
good foresight at [1] or this very list [2]), but users can re-enable them
via a configuration option or menu. Additionally upstream xterm does
not disable them by default, so some distributions include a
vulnerable default configuration.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030
[2]: https://www.openwall.com/lists/oss-security/2015/09/20/2 towards the end."

Maybe we should also be disabling this functionality like other
distributions.
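The quoted report explains the mechanism in terms of raw escape bytes: `\e]50;...\a` is OSC 50 (ESC `]` 50 `;` payload BEL), and the danger is the terminal echoing the stored name back terminated by BEL. The following is an added example, not code from the bug, the oss-security post or xterm itself: a small Python filter that recognises OSC sequences in untrusted bytes (a file someone asked you to `cat`, a log viewer's input), reports any OSC 50 font ops, and strips them while leaving unrelated OSC sequences such as window-title updates alone. The regex and the sample input are constructed for this demonstration; the sample mirrors the shape of the report's payload with a harmless command.

```python
"""Detect and strip xterm OSC 50 (font set/query) sequences in untrusted text.

Added example, not part of the Gentoo bug or the oss-security post. The
regex and the sample input below are constructed for this demonstration.
"""
import re

# An OSC sequence is ESC ] <code> [; payload] followed by BEL (0x07) or
# ST (ESC \). The payload class excludes both terminators so the match
# ends at the first one, which is where the terminal would stop too.
OSC_RE = re.compile(rb"\x1b\](\d+)(?:;([^\x07\x1b]*))?(?:\x07|\x1b\\)")

# OSC 50 is the font set/query sequence named in the report. Treat it as a
# font op whether the payload is a query ("?") or a font name.
FONT_OP_CODES = {50}


def find_font_ops(data: bytes) -> list[tuple[int, bytes]]:
    """Return (code, payload) for every font-op OSC sequence in data."""
    found = []
    for m in OSC_RE.finditer(data):
        code = int(m.group(1))
        if code in FONT_OP_CODES:
            found.append((code, m.group(2) or b""))
    return found


def neutralize(data: bytes) -> bytes:
    """Remove font-op OSC sequences; leave every other OSC (e.g. OSC 0 title) intact."""
    def repl(m: re.Match) -> bytes:
        return b"" if int(m.group(1)) in FONT_OP_CODES else m.group(0)
    return OSC_RE.sub(repl, data)


# Constructed sample: the report's pattern (set a bogus font name that
# carries a shell substitution, then query it back so the terminal echoes
# it terminated by BEL) with a harmless command, inside ordinary output.
SAMPLE = (
    b"build finished\n"
    b"\x1b]50;i$(echo SAMPLE)\x07"   # set: stored name, echoed by the query
    b"\x1b]50;?\x07"                 # query: terminal's reply ends in BEL
    b"\x1b]0;window title\x07"       # unrelated OSC 0, must survive
)

if __name__ == "__main__":
    for code, payload in find_font_ops(SAMPLE):
        print(f"OSC {code} payload={payload!r}")
    print(neutralize(SAMPLE))
```

Running it reports two OSC 50 sequences (the set with the substitution payload and the `?` query) and prints the line with only the title sequence left. Such a filter belongs in front of anything that writes untrusted bytes to a terminal you do not control; on the terminal side, xterm's `allowFontOps` resource set to false (the default the post attributes to Debian and Red Hat) disables OSC 50 entirely, and xterm 375 is the version the bug summary names as fixed.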
Comment 1 Larry the Git Cow gentoo-dev 2022-11-18 20:09:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7cf723b085c3b7d035d4767768ed3e94ccf79e62

commit 7cf723b085c3b7d035d4767768ed3e94ccf79e62
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-11-18 19:54:48 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-18 20:08:43 +0000

    x11-terms/xterm: drop 372
    
    Bug: https://bugs.gentoo.org/880747
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 x11-terms/xterm/Manifest         |  1 -
 x11-terms/xterm/xterm-372.ebuild | 98 ----------------------------------------
 2 files changed, 99 deletions(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-18 20:42:17 UTC
Downgrading due to high prerequisites for exploitation.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-18 20:54:32 UTC
GLSA request filed.
Comment 4 Larry the Git Cow gentoo-dev 2022-11-22 04:01:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=fa09cca354064b7fb282f48a91b7428a1df094bb

commit fa09cca354064b7fb282f48a91b7428a1df094bb
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-11-22 03:53:08 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-22 03:59:40 +0000

    [ GLSA 202211-09 ] xterm: Arbitrary Code Execution
    
    Bug: https://bugs.gentoo.org/880747
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202211-09.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 04:05:00 UTC
GLSA released, all done!