From ${URL} :

rxvt-unicode-9.20 (aka urxvt) includes a security update [1] to address a user-assisted arbitrary command execution issue. This can be exploited by the unprocessed display of certain escape sequences in a crafted text file or program output. Vendor/author Marc Lehmann was notified last week; the updated version was released on 2014-04-26. My thanks to Marc for his prompt responses and valuable assistance.

This is a similar attack vector to CVE-2003-0063, CVE-2008-2383, and CVE-2010-2713.

rxvt-unicode supports the xterm OSC escape sequences [2] to read, write and delete the X properties of the terminal window. This function is in the group of OSC escapes which allow read/write access to the icon name and window title; however, read access to those is allowed only with the "-insecure" command line option. The update in 9.20 makes "-insecure" a requirement for read access to the window properties also.

This OSC feature was added to rxvt-unicode-2.7, so I believe it affects all versions from 2.7 to 9.19 inclusive. (I have confirmed it present in version 3.0; prior to that, parts of the code are not supported by a contemporary g++.)

Arbitrary window properties can be written, and arbitrary properties can be read, placing the contents in the terminal input buffer, as is the convention. From a bash prompt in urxvt (9.19):

  $ echo $'\e]3;?WM_CLASS\x07'; read -d $'\a' x; printf "\n%q\n" "$x";
  ^[]3;urxvt^G
  $'\E]3;urxvt'

It follows that arbitrary command sequences can be constructed using this, and unintentionally executed if used in conjunction with various other escape sequences.

Regards,
Conor.

[1] http://dist.schmorp.de/rxvt-unicode/Changes
[2] http://invisible-island.net/xterm/ctlseqs/ctlseqs.html

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
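The report above explains the mechanism: an OSC 3 escape (ESC ] 3 ; ... BEL) embedded in untrusted output asks the terminal to read or write an X window property, and a read is answered by injecting the value into the input buffer. The following Python is an added example written for this thread, not code from rxvt-unicode or from the reporter. It does what a defender can do on the consuming side: locate 7-bit xterm OSC sequences in a byte stream, classify the OSC 3 ones as property read, write or delete, and strip every OSC sequence before the bytes reach a terminal (for example when displaying logs or untrusted files). The sample output bytes, the regular expression, and the function names are all constructed here; the classification of '?NAME' as a query follows the shell example in the report, and 'NAME=VALUE' / bare 'NAME' as set / delete follows the xterm ctlseqs document the report cites. Only the 7-bit ESC ] form is handled, not the 8-bit C1 form.

```python
import re

# 7-bit xterm OSC: ESC ] <number> ; <payload>, terminated by BEL or by ST (ESC \).
# The payload class excludes BEL and ESC so the match stops at the first terminator.
OSC_RE = re.compile(rb'\x1b\](?P<body>[^\x07\x1b]*)(?:\x07|\x1b\\)')

# Constructed sample of "program output" carrying an OSC 3 property query
# (the form shown in the report) and a harmless OSC 0 title change.
SAMPLE = b'normal text\x1b]3;?WM_CLASS\x07more\x1b]0;title\x1b\\done'


def find_osc(data: bytes):
    """Return (osc_number, payload) for every OSC sequence found in data."""
    found = []
    for m in OSC_RE.finditer(data):
        num, _, payload = m.group('body').partition(b';')
        found.append((num.decode('ascii', 'replace'), payload))
    return found


def property_accesses(data: bytes):
    """Classify each OSC 3 (X property) sequence as ('read'|'write'|'delete', name).

    Assumed forms: '?NAME' queries the property (as in the report's bash example),
    'NAME=VALUE' sets it and a bare 'NAME' deletes it (xterm ctlseqs).
    """
    result = []
    for num, payload in find_osc(data):
        if num != '3':
            continue
        if payload.startswith(b'?'):
            result.append(('read', payload[1:]))
        elif b'=' in payload:
            result.append(('write', payload.split(b'=', 1)[0]))
        else:
            result.append(('delete', payload))
    return result


def sanitize(data: bytes) -> bytes:
    """Strip every OSC sequence so untrusted text cannot drive the terminal."""
    return OSC_RE.sub(b'', data)


if __name__ == '__main__':
    # Audit first, then show what would actually be written to the terminal.
    print(find_osc(SAMPLE))
    print(property_accesses(SAMPLE))
    print(sanitize(SAMPLE))
```

Run against the sample, the audit reports one OSC 3 read of WM_CLASS and the sanitized output is the plain text with both escapes removed. The filter is deliberately coarse: it drops all OSC sequences, including title changes, because on the affected versions the property read is what turns displayed text into terminal input, and an output sink that does not need OSC at all loses nothing by discarding it.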
Arch teams, please test and mark stable: =x11-terms/rxvt-unicode-9.20 Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Stable for HPPA.
arm stable
amd64 stable
ppc stable
ppc64 stable
ia64 stable
sparc stable
alpha stable
x86 stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
CVE-2014-3121 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3121): rxvt-unicode before 9.20 does not properly handle OSC escape sequences, which allows user-assisted remote attackers to manipulate arbitrary X window properties and execute arbitrary commands.
Arches and Maintainer(s), thank you for your work. Added to new GLSA request.
This issue was resolved and addressed in GLSA 201406-18 at http://security.gentoo.org/glsa/glsa-201406-18.xml by GLSA coordinator Chris Reffett (creffett).