Bug 790782 - <x11-terms/rxvt-unicode-9.22-r9: improper handling of certain escape sequences (CVE-2021-33477)
Summary: <x11-terms/rxvt-unicode-9.22-r9: improper handling of certain escape sequence...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://seclists.org/oss-sec/2021/q2/145
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks: CVE-2021-33477
Reported: 2021-05-18 07:26 UTC by Roman 'gryf' Dobosz
Modified: 2021-05-26 08:58 UTC (History)

See Also:
Package list:
=x11-terms/rxvt-unicode-9.22-r9
Runtime testing required: ---
nattka: sanity-check+


Attachments
A workaround for x11-terms/mrxvt (mrxvt-workaround-bug790782.patch,1.23 KB, patch)
2021-05-18 13:33 UTC, Tee KOBAYASHI

Description Roman 'gryf' Dobosz 2021-05-18 07:26:56 UTC
There is a security flaw in the ANSI escape sequence used for querying
graphics mode in rxvt-unicode-9.22, which can lead to remote code
execution, as demonstrated in the URL above.

Reproducible: Always

Steps to Reproduce:
1. printf "\eGQ"

Actual Results:  
0
$ bash: 0: command not found


Expected Results:  
Should not execute anything by filling the prompt and sending "\n". This is already fixed upstream in version 9.25 and up. Now, this sequence does nothing:

$ printf "\eGQ"
Q ~ $ 


Querying graphics mode leaves data on the terminal AND provides a newline character, which is the main flaw in the described scenario.
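As an added defensive example (not part of the bug report and not rxvt-unicode's own code): a small Python filter that flags and strips the ESC G Q graphics-mode query from untrusted bytes before they are written to a terminal that still answers it; the sample input is constructed here.

```python
import re

# ESC 'G' 'Q' is the rxvt graphics-mode query described in this bug:
# a vulnerable rxvt-unicode 9.22 answers it with data plus a newline,
# which a shell at the prompt then executes as a command.
GRAPHICS_QUERY = re.compile(rb"\x1bGQ")

# Constructed sample: one log line that carries the query in a field
# an outside party controls (a User-Agent header value).
SAMPLE = b"GET /index.html 200\n" + b"user-agent: \x1bGQ curl/7.76\n"


def find_graphics_queries(data: bytes) -> list[int]:
    """Return the byte offset of every ESC G Q query found in data."""
    return [m.start() for m in GRAPHICS_QUERY.finditer(data)]


def strip_graphics_queries(data: bytes) -> bytes:
    """Remove every ESC G Q query so the bytes can be displayed safely
    on a terminal that has not been patched for this sequence."""
    return GRAPHICS_QUERY.sub(b"", data)


if __name__ == "__main__":
    import sys

    # Filter stdin to stdout, reporting how many queries were removed.
    raw = sys.stdin.buffer.read()
    hits = find_graphics_queries(raw)
    sys.stdout.buffer.write(strip_graphics_queries(raw))
    print(f"stripped {len(hits)} ESC G Q query sequence(s)", file=sys.stderr)
```

Used as `cat untrusted.log | python3 filter.py`, the script emits the cleaned bytes and reports on stderr how many queries it found.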
Comment 1 Tee KOBAYASHI 2021-05-18 13:33:02 UTC
Created attachment 709668 [details, diff]
A workaround for x11-terms/mrxvt

This does also affect x11-terms/mrxvt-0.5.4, for which a patch is attached.
Comment 2 Larry the Git Cow gentoo-dev 2021-05-18 15:50:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7754b4970254a816210ca814289256a43d7625f7

commit 7754b4970254a816210ca814289256a43d7625f7
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2021-05-18 15:25:01 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-05-18 15:33:09 +0000

    x11-terms/rxvt-unicode-9.22: mark ANSI sequence ESC G Q as insecure
    
    Can in theory be used to perform remote code execution, see
    https://seclists.org/oss-sec/2021/q2/145 . This was fixed upstream in 2017
    (see http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583)
    so 9.26 is not vulnerable, that said 9.22 will likely not go away any
    time soon (if only because of 24-bit colour support) so let's backport
    this.
    
    Reported-by: Roman Dobosz <gryf73@gmail.com>
    Bug: https://bugs.gentoo.org/790782
    Closes: https://github.com/gentoo/gentoo/pull/20863
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 ...rxvt-unicode-9.22-query-graphics-insecure.patch |  11 ++
 x11-terms/rxvt-unicode/rxvt-unicode-9.22-r9.ebuild | 120 +++++++++++++++++++++
 2 files changed, 131 insertions(+)
Comment 3 Sam James archtester gentoo-dev Security 2021-05-18 17:22:26 UTC
We should probably do a new bug for mrxvt.
Comment 4 Agostino Sarubbo gentoo-dev 2021-05-19 09:46:39 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2021-05-19 09:48:03 UTC
sparc stable
Comment 6 Sam James archtester gentoo-dev Security 2021-05-19 17:26:14 UTC
arm done
Comment 7 Agostino Sarubbo gentoo-dev 2021-05-19 20:06:43 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2021-05-19 20:07:50 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2021-05-19 20:09:23 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 10 Larry the Git Cow gentoo-dev 2021-05-22 15:09:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d98e1e17ede4b7ce1344499138c1563c2805a80a

commit d98e1e17ede4b7ce1344499138c1563c2805a80a
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2021-05-22 15:06:52 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-05-22 15:09:22 +0000

    x11-terms/rxvt-unicode: drop 9.22-r8
    
    No versions vulnerable to the issue at hand left in the tree.
    
    Bug: https://bugs.gentoo.org/790782
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 x11-terms/rxvt-unicode/rxvt-unicode-9.22-r8.ebuild | 119 ---------------------
 1 file changed, 119 deletions(-)
Comment 11 John Helmert III gentoo-dev Security 2021-05-22 18:04:29 UTC
Thanks!
Comment 12 Thomas Deutschmann gentoo-dev Security 2021-05-24 15:10:20 UTC
New GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 08:58:16 UTC
This issue was resolved and addressed in
 GLSA 202105-17 at https://security.gentoo.org/glsa/202105-17
by GLSA coordinator Thomas Deutschmann (whissi).