Bug 509174 (CVE-2014-3121) - <x11-terms/rxvt-unicode-9.20: user-assisted arbitrary commands execution (CVE-2014-3121)
Summary: <x11-terms/rxvt-unicode-9.20: user-assisted arbitrary commands execution (CVE...
Status: RESOLVED FIXED
Alias: CVE-2014-3121
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
Reported: 2014-04-30 12:59 UTC by Agostino Sarubbo
Modified: 2014-06-19 12:34 UTC

See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2014-04-30 12:59:10 UTC
From ${URL} :

rxvt-unicode-9.20 (aka urxvt) includes a security update [1] to address a
user-assisted arbitrary commands execution issue. This can be exploited
by the unprocessed display of certain escape sequences in a crafted text
file or program output.

Vendor/author Marc Lehmann was notified last week, the updated version was
released on 2014-04-26. My thanks to Marc for his prompt responses and
valuable assistance.

This is a similar attack vector to CVE-2003-0063, CVE-2008-2383,
and CVE-2010-2713.

rxvt-unicode supports the xterm OSC escape sequences[2] to read, write and
delete the X properties of the terminal window. This function is in the
group of OSC escapes which allow read/write access to the icon name and
window title, however read access to those is allowed only with the
"-insecure" command line option. The update in 9.20 makes "-insecure"
a requirement for read access to the window properties also.

This OSC feature was added to rxvt-unicode-2.7, so I believe it affects all
versions from 2.7 to 9.19 inclusive. (I have confirmed it present in version
3.0; prior to that, parts of the code are not supported by a contemporary
g++.)

Arbitrary window properties can be written, and arbitrary properties can
be read, placing the contents in the terminal input buffer, as is the
convention. From a bash prompt in urxvt (9.19):

    $ echo $'\e]3;?WM_CLASS\x07'; read -d $'\a' x; printf "\n%q\n" "$x";
    ^[]3;urxvt^G
    $'\E]3;urxvt'

It follows that arbitrary command sequences can be constructed using this,
and unintentionally executed if used in conjunction with various other
escape sequences.

Regards,
 Conor.

[1] http://dist.schmorp.de/rxvt-unicode/Changes
[2] http://invisible-island.net/xterm/ctlseqs/ctlseqs.html



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
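A defender-side filter for the sequences the advisory describes, added here as an example and not part of the bug report or of rxvt-unicode's code: it parses xterm-style OSC sequences (ESC ] Ps ; Pt, terminated by BEL or ST), reports the OSC 3 X-property forms (the ?NAME query shown above, NAME=VALUE set, NAME delete) and strips every OSC sequence from untrusted text before it is written to a terminal. The sample input is constructed; the function names are my own.

```python
import re

# OSC per xterm ctlseqs: ESC ] Ps ; Pt, ended by BEL (0x07) or ST (ESC \).
# Ps=3 is the X-property command at the centre of CVE-2014-3121.
OSC_RE = re.compile(r'\x1b\](?P<ps>\d*);?(?P<pt>[^\x07\x1b]*)(?:\x07|\x1b\\)')
X_PROPERTY_OSC = 3

def find_osc(data: str):
    """Return (Ps, Pt) for every terminated OSC sequence in data."""
    found = []
    for m in OSC_RE.finditer(data):
        ps = int(m.group('ps')) if m.group('ps') else None
        found.append((ps, m.group('pt')))
    return found

def classify_x_property_osc(pt: str) -> str:
    """Label an OSC 3 payload: '?NAME' queries, 'NAME=VALUE' sets, 'NAME' deletes."""
    if pt.startswith('?'):
        return 'query'
    if '=' in pt:
        return 'set'
    return 'delete'

def sanitize(data: str):
    """Strip all OSC sequences from untrusted text.

    Returns (clean_text, findings); findings lists the kind of each
    X-property (OSC 3) sequence that was removed, for logging or alerting.
    """
    findings = []
    def drop(m):
        if m.group('ps') and int(m.group('ps')) == X_PROPERTY_OSC:
            findings.append(classify_x_property_osc(m.group('pt')))
        return ''
    return OSC_RE.sub(drop, data), findings

# Constructed sample: the advisory's WM_CLASS query, a property set via ST,
# and a harmless title change (OSC 0) that is stripped but not flagged.
SAMPLE = (
    "normal line\n"
    "\x1b]3;?WM_CLASS\x07"
    "\x1b]3;_MY_PROP=evil\x1b\\"
    "\x1b]0;title\x07"
    "tail\n"
)

if __name__ == '__main__':
    clean, hits = sanitize(SAMPLE)
    print(repr(clean), hits)  # 'normal line\ntail\n' ['query', 'set']
```

The same filter can be applied to files before `cat`-ing them or to program output piped through a wrapper; anything still carrying an OSC 3 sequence is worth a log entry.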
Comment 1 Jeroen Roovers gentoo-dev 2014-04-30 13:30:21 UTC
Arch teams, please test and mark stable:
=x11-terms/rxvt-unicode-9.20
Targeted stable KEYWORDS: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 2 Jeroen Roovers gentoo-dev 2014-04-30 14:28:01 UTC
Stable for HPPA.
Comment 3 Markus Meier gentoo-dev 2014-05-03 14:18:05 UTC
arm stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-05-04 08:20:49 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-05-10 14:02:39 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-05-11 08:05:57 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-05-13 15:21:57 UTC
ia64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-05-14 16:12:13 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-05-17 13:51:13 UTC
alpha stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-05-18 10:16:35 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-05-18 11:24:52 UTC
CVE-2014-3121 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3121):
  rxvt-unicode before 9.20 does not properly handle OSC escape sequences,
  which allows user-assisted remote attackers to manipulate arbitrary X window
  properties and execute arbitrary commands.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev Security 2014-05-20 04:09:46 UTC
Arches and Maintainer(s), Thank you for your work.

Added to new GLSA Request
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2014-06-19 12:34:24 UTC
This issue was resolved and addressed in
 GLSA 201406-18 at http://security.gentoo.org/glsa/glsa-201406-18.xml
by GLSA coordinator Chris Reffett (creffett).