791004 – x11-terms/mrxvt: remote code execution

Bug 791004 - x11-terms/mrxvt: remote code execution

Summary: x11-terms/mrxvt: remote code execution

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major (vote)
Assignee:	Gentoo Security

URL:	https://seclists.org/oss-sec/2021/q2/145
Whiteboard:	B1 [glsa+]
Keywords:

Depends on:
Blocks:	CVE-2021-33477
	Show dependency tree

Reported:	2021-05-18 23:35 UTC by John Helmert III
Modified:	2022-09-25 13:56 UTC (History)
CC List:	1 user (show)

See Also:	790782
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-05-18 23:35:49 UTC

Code execution bug in mrxvt reported on oss-security, see URL.

Comment 1 John Helmert III archtester

2021-05-18 23:39:20 UTC

Reporter also indicated this is unpatched upstream.

Comment 2 NATTkA bot gentoo-dev

2021-07-29 17:22:21 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 3 NATTkA bot gentoo-dev

2021-07-29 17:30:35 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 4 NATTkA bot gentoo-dev

2021-07-29 17:38:32 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 5 NATTkA bot gentoo-dev

2021-07-29 17:46:39 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 6 NATTkA bot gentoo-dev

2021-07-29 18:02:38 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 7 NATTkA bot gentoo-dev

2021-07-29 18:10:54 UTC

Package list is empty or all packages have requested keywords.

Comment 8 John Helmert III archtester

2022-08-15 04:03:17 UTC

(In reply to John Helmert III from comment #1)
> Reporter also indicated this is unpatched upstream.

which means [upstream], not [ebuild]. duh.

Comment 9 Larry the Git Cow gentoo-dev

2022-08-15 04:04:22 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=013aece3cbd4470994b29d49da0a2c0a1e6c8bd3

commit 013aece3cbd4470994b29d49da0a2c0a1e6c8bd3
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-08-15 04:03:21 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-15 04:04:03 +0000

    profiles: last rite x11-terms/mrxvt
    
    Bug: https://bugs.gentoo.org/791004
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)

Comment 10 Larry the Git Cow gentoo-dev

2022-09-18 21:23:40 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be94e6b541775bb349967bd705ca26bdc6c331ed

commit be94e6b541775bb349967bd705ca26bdc6c331ed
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-09-18 21:15:21 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-18 21:15:21 +0000

    x11-terms/mrxvt: treeclean
    
    Bug: https://bugs.gentoo.org/791004
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 profiles/package.mask                              |   5 -
 x11-terms/mrxvt/Manifest                           |   1 -
 ...rxvt-0.5.4-001-fix-segfault-when-wd-empty.patch |  13 ---
 x11-terms/mrxvt/files/mrxvt-0.5.4-fno-common.patch |  20 ----
 x11-terms/mrxvt/files/mrxvt-0.5.4-libpng14.patch   |  33 ------
 x11-terms/mrxvt/metadata.xml                       |  16 ---
 x11-terms/mrxvt/mrxvt-0.5.4.ebuild                 | 121 ---------------------
 7 files changed, 209 deletions(-)

Comment 11 John Helmert III archtester

2022-09-19 18:29:56 UTC

GLSA request filed

Comment 12 John Helmert III archtester

2022-09-25 13:39:37 UTC

GLSA released, all done!

Comment 13 Larry the Git Cow gentoo-dev

2022-09-25 13:56:52 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=9fbcca1ab60420ce206332b616fe5b530b92be69

commit 9fbcca1ab60420ce206332b616fe5b530b92be69
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-25 13:34:13 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-25 13:42:20 +0000

    [ GLSA 202209-07 ] Mrxvt: Arbitrary Code Execution
    
    Bug: https://bugs.gentoo.org/791004
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-07.xml | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)