Bernhard R. Link has reported a security issue in rxvt, which can be exploited by malicious, local users to gain escalated privileges. The security issue is caused due to the program using ":0" as it's X11 display if the DISPLAY environment variable is missing. This can be exploited to execute arbitrary commands with the privileges of the user running rxvt via a malicious X server. The security issue is reported in version 2.6.4. Other versions may also be affected. Solution: Do not run rxvt on untrusted systems. Restrict local access to trusted users only.
patch: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=41;filename=diff;att=1;bug=469296
Fixed ebuild committed to the tree. Arches, please test and mark stable: =x11-terms/rxvt-2.7.10-r4 Target keywords: alpha amd64 hppa mips ppc ppc64 sparc x86 Already stabled: amd64
D'oh, I managed to forget CC'ing arches as well. Also CC'ing killerfox as he's probably interested in the patch because of bug 219760 (rxvt-unicode).
x86 stable
mips is ~arch-only.
alpha/sparc stable
Created attachment 151785 [details, diff] patch against 2.7.10
Patch sent upstream [1] (and added to this bug for completeness and so that I could link to it). Sorry for the arch cc'ing mess yesterday, btw (first I forgot to click "Add archs", then I noticed that I missed release, then dirtyepic noticed I accidently added mips...;)). [1] http://sourceforge.net/tracker/index.php?func=detail&aid=1957180&group_id=221&atid=100221
Stable for HPPA.
ppc64 stable
ppc done
Fixed in release snapshot.
GLSA 200805-03