From: glsamaker@gentoo.org
To: gentoo-announce@lists.gentoo.org
Reply-To: security@gentoo.org
Subject: [gentoo-announce] [ GLSA 202310-20 ] rxvt-unicode: Arbitrary Code Execution
Date: Mon, 30 Oct 2023 10:20:52 -0000
Message-ID: <169866125295.7.14542051976974980858@eaa400207d9c>
List-Id: Gentoo Linux mail
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory                GLSA 202310-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                             https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: rxvt-unicode: Arbitrary Code Execution
      Date: October 30, 2023
      Bugs: #884787
        ID: 202310-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in rxvt-unicode where data written
to the terminal can lead to code execution.

Background
==========

rxvt-unicode is a clone of the well known terminal emulator rxvt.

Affected packages
=================

Package                  Vulnerable    Unaffected
----------------------   ------------  ------------
x11-terms/rxvt-unicode   < 9.30        >= 9.30

Description
===========

A vulnerability has been discovered in rxvt-unicode. Please review the
CVE identifiers referenced below for details.

Impact
======

Arbitrary code execution is possible in the Perl background extension
when an attacker can control the data written to the user's terminal
and certain options are set. The "background" extension is
automatically loaded if certain X resources are set, such as
'transparent' (see the full list at the top of src/perl/background[1]),
so it is possible to be using this extension without realising it.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All rxvt-unicode users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=x11-terms/rxvt-unicode-9.30"

References
==========

[ 1 ] CVE-2022-4170
      https://nvd.nist.gov/vuln/detail/CVE-2022-4170

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-20

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
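As an added example (not part of this advisory or of Gentoo's tooling), a POSIX sh script that checks the two conditions the advisory describes: an installed rxvt-unicode below 9.30, and X resources such as 'transparent' that make urxvt auto-load the Perl background extension. It assumes the output formats of `qlist -Iv` (portage-utils) and `xrdb -query`; the resource list contains only the name the advisory gives, since the full list lives in src/perl/background.

```shell
# Added example (not part of GLSA 202310-20): pure-shell checks a Gentoo admin
# can run to see whether a host is exposed. Assumptions: installed atoms look
# like `qlist -Iv` output (x11-terms/rxvt-unicode-9.26-r1) and X resources look
# like `xrdb -query` output ("URxvt.transparent:<TAB>true").
FIXED_VERSION=9.30
# The advisory names 'transparent'; the full list of resources that auto-load
# the Perl "background" extension is at the top of src/perl/background.
AUTOLOAD_RESOURCES="transparent"

# Exit 0 when dotted version $1 sorts before $2. A Gentoo -rN revision suffix is
# stripped because the fix boundary is a plain upstream version.
version_lt() {
    left=${1%%-*} right=${2%%-*}
    while [ -n "$left$right" ]; do
        l=${left%%.*} r=${right%%.*}
        case $left in *.*) left=${left#*.} ;; *) left= ;; esac
        case $right in *.*) right=${right#*.} ;; *) right= ;; esac
        [ "${l:-0}" -lt "${r:-0}" ] && return 0
        [ "${l:-0}" -gt "${r:-0}" ] && return 1
    done
    return 1
}

# Exit 0 when the installed atom $1 is below the first unaffected version.
atom_vulnerable() {
    version_lt "${1#*/rxvt-unicode-}" "$FIXED_VERSION"
}

# Print the xrdb lines (stdin) scoped to urxvt, or to every client via '*',
# whose resource name is in AUTOLOAD_RESOURCES.
background_triggers() {
    awk -v names="$AUTOLOAD_RESOURCES" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        {
            key = $1; sub(/:$/, "", key)
            if (key !~ /^([Uu]?[Rr]xvt|\*)/) next
            k = split(key, parts, "[.*]")
            if (parts[k] in want) print
        }'
}

# Live check, run only with RUN_CHECK=1 so the functions above can be sourced
# and tested on a machine without qlist or xrdb.
check_host() {
    atom=$(qlist -Iv x11-terms/rxvt-unicode 2>/dev/null | head -n 1)
    [ -n "$atom" ] || { echo "rxvt-unicode not installed"; return 0; }
    atom_vulnerable "$atom" && echo "VULNERABLE: $atom is below $FIXED_VERSION"
    xrdb -query 2>/dev/null | background_triggers | sed 's/^/background ext loaded by: /'
}
if [ "${RUN_CHECK:-0}" = 1 ]; then check_host; fi
```

Run it as `RUN_CHECK=1 sh glsa-202310-20-check.sh` on the host; a hit on both checks means the vulnerable code path is reachable by anything that can write to the terminal, so the `emerge` upgrade above is the fix.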