Bug 217819 - x11-terms/rxvt < 2.7.10-r4 X11 Display Security Issue (CVE-2008-1142)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/29576
Whiteboard: B2 [glsa]
Reported: 2008-04-15 17:12 UTC by Lars Hartmann
Modified: 2008-05-07 18:59 UTC

Attachments
patch against 2.7.10 (rxvt-2.7.10-CVE-2008-1142-DISPLAY.patch,1.81 KB, patch)
2008-05-04 10:31 UTC, Christian Hoffmann (RETIRED)

Description Lars Hartmann 2008-04-15 17:12:31 UTC
Bernhard R. Link has reported a security issue in rxvt, which can be exploited by malicious, local users to gain escalated privileges.

The security issue is caused due to the program using ":0" as its X11 display if the DISPLAY environment variable is missing. This can be exploited to execute arbitrary commands with the privileges of the user running rxvt via a malicious X server.

The security issue is reported in version 2.6.4. Other versions may also be affected.

Solution:
Do not run rxvt on untrusted systems.

Restrict local access to trusted users only.
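
The display fallback described in the report, next to a strict form that refuses to guess, as an added example (not part of the original report and not the patch attached to this bug). The function names `display_with_fallback` and `display_strict` are hypothetical; `-display` is the standard option for naming the X display on the command line.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Behaviour described in the report: when no display is named,
 * silently assume ":0". Kept as the "before" for comparison. */
const char *display_with_fallback(const char *opt, const char *env)
{
    if (opt != NULL)
        return opt;
    if (env != NULL)
        return env;
    return ":0";            /* the guess that CVE-2008-1142 is about */
}

/* Strict form: the display must be named explicitly, either by
 * -display or by a non-empty DISPLAY. Returns NULL otherwise. */
const char *display_strict(const char *opt, const char *env)
{
    if (opt != NULL && opt[0] != '\0')
        return opt;
    if (env != NULL && env[0] != '\0')
        return env;
    return NULL;            /* caller must abort, not pick a default */
}

int main(int argc, char **argv)
{
    const char *opt = NULL;

    /* Pick up "-display NAME" if it was given. */
    for (int i = 1; i + 1 < argc; i++)
        if (strcmp(argv[i], "-display") == 0)
            opt = argv[i + 1];

    const char *name = display_strict(opt, getenv("DISPLAY"));
    if (name == NULL) {
        fprintf(stderr, "no display: set DISPLAY or pass -display\n");
        return EXIT_FAILURE;
    }
    printf("would connect to X display %s\n", name);
    return EXIT_SUCCESS;
}
```
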
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2008-05-03 12:59:32 UTC
Fixed ebuild committed to the tree.

Arches, please test and mark stable:
=x11-terms/rxvt-2.7.10-r4
Target keywords: alpha amd64 hppa mips ppc ppc64 sparc x86
Already stabled: amd64
Comment 3 Christian Hoffmann (RETIRED) gentoo-dev 2008-05-03 13:45:55 UTC
D'oh, I managed to forget CC'ing arches as well.
Also CC'ing killerfox as he's probably interested in the patch because of bug 219760 (rxvt-unicode).
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2008-05-03 15:32:38 UTC
x86 stable
Comment 5 Ryan Hill (RETIRED) gentoo-dev 2008-05-03 17:55:00 UTC
mips is ~arch-only.
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-05-04 09:54:16 UTC
alpha/sparc stable
Comment 7 Christian Hoffmann (RETIRED) gentoo-dev 2008-05-04 10:31:24 UTC
Created attachment 151785
patch against 2.7.10
Comment 8 Christian Hoffmann (RETIRED) gentoo-dev 2008-05-04 10:34:01 UTC
Patch sent upstream [1] (and added to this bug for completeness and so that I could link to it).

Sorry for the arch cc'ing mess yesterday, btw (first I forgot to click "Add archs", then I noticed that I missed release, then dirtyepic noticed I accidentally added mips...;)).

[1] http://sourceforge.net/tracker/index.php?func=detail&aid=1957180&group_id=221&atid=100221
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2008-05-05 02:11:34 UTC
Stable for HPPA.
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2008-05-05 12:03:29 UTC
ppc64 stable
Comment 11 Brent Baude (RETIRED) gentoo-dev 2008-05-05 13:48:51 UTC
ppc done
Comment 12 Peter Volkov (RETIRED) gentoo-dev 2008-05-05 19:13:04 UTC
Fixed in release snapshot.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-07 18:59:32 UTC
GLSA 200805-03