Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 217819 - x11-terms/rxvt < 2.7.10-r4 X11 Display Security Issue (CVE-2008-1142)
Summary: x11-terms/rxvt < 2.7.10-r4 X11 Display Security Issue (CVE-2008-1142)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2008-04-15 17:12 UTC by Lars Hartmann
Modified: 2008-05-07 18:59 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

patch against 2.7.10 (rxvt-2.7.10-CVE-2008-1142-DISPLAY.patch,1.81 KB, patch)
2008-05-04 10:31 UTC, Christian Hoffmann (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Lars Hartmann 2008-04-15 17:12:31 UTC
Bernhard R. Link has reported a security issue in rxvt, which can be exploited by malicious, local users to gain escalated privileges.

The security issue is caused due to the program using ":0" as it's X11 display if the DISPLAY environment variable is missing. This can be exploited to execute arbitrary commands with the privileges of the user running rxvt via a malicious X server.

The security issue is reported in version 2.6.4. Other versions may also be affected.

Do not run rxvt on untrusted systems.

Restrict local access to trusted users only.
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2008-05-03 12:59:32 UTC
Fixed ebuild committed to the tree.

Arches, please test and mark stable:
Target keywords: alpha amd64 hppa mips ppc ppc64 sparc x86
Already stabled: amd64
Comment 3 Christian Hoffmann (RETIRED) gentoo-dev 2008-05-03 13:45:55 UTC
D'oh, I managed to forget CC'ing arches as well.
Also CC'ing killerfox as he's probably interested in the patch because of bug 219760 (rxvt-unicode).
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2008-05-03 15:32:38 UTC
x86 stable
Comment 5 Ryan Hill (RETIRED) gentoo-dev 2008-05-03 17:55:00 UTC
mips is ~arch-only.
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-05-04 09:54:16 UTC
alpha/sparc stable
Comment 7 Christian Hoffmann (RETIRED) gentoo-dev 2008-05-04 10:31:24 UTC
Created attachment 151785 [details, diff]
patch against 2.7.10
Comment 8 Christian Hoffmann (RETIRED) gentoo-dev 2008-05-04 10:34:01 UTC
Patch sent upstream [1] (and added to this bug for completeness and so that I could link to it).

Sorry for the arch cc'ing mess yesterday, btw (first I forgot to click "Add archs", then I noticed that I missed release, then dirtyepic noticed I accidently added mips...;)).

Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2008-05-05 02:11:34 UTC
Stable for HPPA.
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2008-05-05 12:03:29 UTC
ppc64 stable
Comment 11 Brent Baude (RETIRED) gentoo-dev 2008-05-05 13:48:51 UTC
ppc done
Comment 12 Peter Volkov (RETIRED) gentoo-dev 2008-05-05 19:13:04 UTC
Fixed in release snapshot.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-07 18:59:32 UTC
GLSA 200805-03