GLSA 202310-20: rxvt-unicode: Arbitrary Code Execution
| Severity: | high |
| Title: | rxvt-unicode: Arbitrary Code Execution |
| Date: | 10/30/2023 |
| Bugs: | |
| ID: | 202310-20 |
Synopsis
A vulnerability has been discovered in rxvt-unicode where data written to the terminal can lead to code execution.Background
rxvt-unicode is a clone of the well known terminal emulator rxvt.
Affected packages
| Package | Vulnerable | Unaffected | Architecture(s) |
|---|---|---|---|
| x11-terms/rxvt-unicode | < 9.30 | >= 9.30 | All supported architectures |
Description
A vulnerability has been discovered in rxvt-unicode. Please review the CVE identifiers referenced below for details.
Impact
in the Perl background extension, when an attacker can control the data written to the user's terminal and certain options are set. The "background" extension is automatically loaded if certain X resources are set such as 'transparent' (see the full list at the top of src/perl/background[1]). So it is possible to be using this extension without realising it.
Workaround
There is no known workaround at this time.
Resolution
All rxvt-unicode users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-terms/rxvt-unicode-9.30"
References
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.