"I've discovered rxvt-unicode 9.25 and 9.26 are vulnerable to remote code execution, in the Perl background extension, when an attacker can control the data written to the user's terminal and certain options are set. The "background" extension is automatically loaded if certain X resources are set such as 'transparent' (see the full list at the top of src/perl/background[1]). So it is possible to be using this extension without realising it. This is accidentally fixed on version 9.30, and I haven't confirmed 9.29, it appears to not be exploitable, but only due to another (not security) bug. The actual bug which makes this not vulnerable on 9.30 is simply a wrong number in "on_osc_seq"." So, needs GLSA.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=d12a82540d0c09c7cbfd5cec49458e7628226b4b commit d12a82540d0c09c7cbfd5cec49458e7628226b4b Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2023-10-30 10:19:42 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2023-10-30 10:20:09 +0000 [ GLSA 202310-20 ] rxvt-unicode: Arbitrary Code Execution Bug: https://bugs.gentoo.org/884787 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202310-20.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+)