[gentoo-announce] [ GLSA 202209-07 ] Mrxvt: Arbitrary Code Execution

    From [email protected]@21:1/5 to All on Sun Sep 25 16:00:03 2022
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202209-07
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Normal
    Title: Mrxvt: Arbitrary Code Execution
    Date: September 25, 2022
    Bugs: #791004
    ID: 202209-07

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been discovered in Mrxvt which could allow for
    arbitrary code execution.

    Background
    ==========

    Mrxvt is a multi-tabbed rxvt clone with XFT, transparent background and
    CJK support.

    Affected packages
    =================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  x11-terms/mrxvt             <= 0.5.4                 Vulnerable!

    Description
    ===========

    Mrxvt mishandles certain escape sequences. In particular, the "ESC G Q"
    query sequence (CVE-2021-33477) makes the terminal write a
    newline-terminated reply back into its own input stream, where it is
    delivered as keyboard input to whatever program is reading the
    terminal, typically the user's shell. Text that an attacker controls
    can therefore be turned into shell command execution.

    Impact
    ======

    An attacker who can get arbitrary text displayed in an Mrxvt terminal,
    for example through a crafted file the user views, a log line, a file
    name, or the output of a remote session, could execute arbitrary
    commands with the privileges of the user running Mrxvt.
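    The following is an added example by the editor, not code from Gentoo
    or the Mrxvt project, showing the check a practitioner applies to
    untrusted text before letting any terminal render it. It scans for
    escape sequences, flags the subset that provoke a terminal reply (the
    "ESC G Q" query named in CVE-2021-33477, plus the standard xterm DSR,
    DA, DECID and OSC colour queries, which are assumed here to cover the
    general case), and strips them. It does not fix the terminal; it keeps
    the attacker's text from reaching it. The log line it runs on is
    constructed for the example.

```python
"""Scan untrusted text for terminal escape sequences before it is displayed.

Added example for the Mrxvt advisory; not Gentoo's or Mrxvt's code. A
terminal delivers its reply to a query sequence as keyboard input to the
foreground program, which is why "ESC G Q" (CVE-2021-33477) turns displayed
text into executed commands. Filtering untrusted text is the caller-side
check and does not repair the terminal itself.
"""
import re

ESC = "\x1b"
BEL = "\x07"

# Every escape sequence we want to recognise. The rxvt-family graphics
# query "ESC G Q" goes first: the generic branch at the end would otherwise
# consume only "ESC G" and leave the "Q" behind in the text.
_SEQ = re.compile(
    r"\x1bGQ"                                 # rxvt/mrxvt graphics query
    r"|\x1b\[[0-?]*[ -/]*[@-~]"               # CSI: ESC [ params intermediates final
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"     # OSC: ESC ] ... BEL or ST
    r"|\x1b[PX^_][^\x1b]*\x1b\\"              # DCS/SOS/PM/APC ... ST
    r"|\x1b[ -/]*[0-~]"                       # other 2- or 3-byte ESC sequences
)

# Sequences that make the terminal answer. ESC G Q is the one from the
# advisory; the others are standard xterm queries assumed for the general
# case, all sharing the "reply lands on stdin" property.
_QUERY = re.compile(
    r"\x1bGQ"                                 # rxvt graphics query
    r"|\x1b\[[56]n"                           # DSR: status / cursor position report
    r"|\x1b\[>?0?c"                           # DA: primary / secondary device attributes
    r"|\x1bZ"                                 # DECID: identify terminal
    r"|\x1b\]1[0-9];\?(?:\x07|\x1b\\)"        # OSC 10-19 colour queries, e.g. ESC ] 10 ; ? BEL
)


def find_sequences(text):
    """Return (offset, raw sequence) for every escape sequence in text."""
    return [(m.start(), m.group(0)) for m in _SEQ.finditer(text)]


def find_queries(text):
    """Return the sequences that would provoke a reply from the terminal."""
    return [m.group(0) for m in _QUERY.finditer(text)]


def strip_sequences(text):
    """Remove recognised sequences, then render any stray ESC or BEL in
    caret notation so nothing control-like reaches the terminal."""
    cleaned = _SEQ.sub("", text)
    return cleaned.replace(ESC, "^[").replace(BEL, "^G")


# Constructed sample log line for this example: harmless colouring, then an
# mrxvt query and an OSC colour query smuggled into the user-name field.
SAMPLE_LOG = (
    "Sep 25 16:00:03 host sshd[4242]: Invalid user "
    "\x1b[31mroot\x1b[0m"
    "\x1bGQ"
    "\x1b]10;?\x07"
    " from 192.0.2.10 port 55555"
)


if __name__ == "__main__":
    for offset, seq in find_sequences(SAMPLE_LOG):
        print(f"offset {offset}: {seq!r}")
    queries = find_queries(SAMPLE_LOG)
    if queries:
        print(f"reply-provoking sequences present: {queries!r}")
    print("sanitised:", strip_sequences(SAMPLE_LOG))
```

    A log viewer or any tool that echoes untrusted strings should pass
    them through strip_sequences() before writing to a tty; find_queries()
    is the alerting hook, since a query sequence in data that should never
    contain one is itself worth an incident ticket.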

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    Gentoo has discontinued support for Mrxvt. We recommend that users
    remove it:

    # emerge --ask --depclean "x11-terms/mrxvt"

    References
    ==========

    [ 1 ] CVE-2021-33477
    https://nvd.nist.gov/vuln/detail/CVE-2021-33477

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202209-07

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    security@gentoo.org or alternatively, you may file a bug at
    https://bugs.gentoo.org.

    License
    =======

    Copyright 2022 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5

    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmMwWNkACgkQFMQkOaVy
    +9krig/8C3yHfv0n47PcTTmai6u/RtbS0P2MmpCyL+N18qbYheOYVThpVwfnWLe+
    +12UdxAZTeizWVuUZMhnj51HxrGDnWzjthm5+rH+GZ3NUu7nbc+uG7TpzMJbUmWu
    X40EpzHCABdnorwWtJ4fTb8vaJ9pvWsnSOO7EwfnSYFV/KxIjbpnNdqOrQCrGpyl
    H8ojETsB1lAOpTw4rrzntfbl4y59APGqtZHmVvb/SbuVEuLQ8FKfKdSen6APvThm
    5fXuNlkICGTRMSMnFtGEu9efR9f7q2LGww9OVO7dsbXMp9e4n7Wc1zSf7laXMZoH
    RLoj2x/arIsVKkHYDmDL19M6D2Yvp+9hKV7vDeiU8kujCGXuWs06Xo4fp/A0M4Bi
    UcxUO8ZEJkouV1jT1Z7CxJaTlUMYdXdk4vahMH5tBgYz9DBbcuNqDynwM9qe7To8
    8oNwQwTJPM5ptbCwRJSCTw7LjHLEoAt0Xqtm4Biakh8rwjz/B+QU8nw0cGi1j0Dp
    rDWOanLykoHK1+Xh92o6YXzuIaWmrwkoUOSKnj7WJ+543cgN/P7nBTfC0ExEhd3/
    W/b0XXnak9jmGrqiaMxdjuQLX/j2PLgF7d1v3S4AQPrwpu00KLZioNB9v+g2I1oX
    E8QDSm1oAQenXga1aio0zMvWSjxqva5/2q2VHzDQ4JU5Dj6W4sE=
    =WO5R
    -----END PGP SIGNATURE-----
