[gentoo-announce] [ GLSA 202211-09 ] xterm: Arbitrary Code Execution

    From [email protected] to All on Tue Nov 22 05:10:01 2022
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202211-09
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Normal
    Title: xterm: Arbitrary Code Execution
    Date: November 22, 2022
    Bugs: #880747
    ID: 202211-09

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been found in xterm which could allow for arbitrary
    code execution.

    Background
    ==========

    xterm is a terminal emulator for the X Window system.

    Affected packages
    =================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  x11-terms/xterm            < 375                    >= 375

    Description
    ===========

    xterm does not filter control characters from the font name handled by
    OSC 50 (font ops) sequences. A font name set with one OSC 50 sequence is
    reported back verbatim when a later OSC 50 sequence queries the current
    font, so the reply xterm writes into the application's input can carry
    attacker-chosen control characters.

    Impact
    ======

    The vulnerability allows text written to the terminal by any program (for
    example, the contents of an untrusted file or output from a remote host)
    to inject text into the terminal's command line as though the user had
    typed it. If the terminal's shell is zsh running in vi line-editing mode,
    such text can also trigger the execution of arbitrary commands by writing
    ^G to the terminal.
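    The following script is an added example and is not part of the advisory
    or of xterm. It builds the two OSC 50 sequences the advisory refers to (the
    "set font" form and the "?" query form, as documented in xterm's ctlseqs)
    so their byte layout can be inspected, and shows the defensive filter an
    application can apply to untrusted text before writing it to a terminal
    that may still be vulnerable: strip ESC, BEL and the other C0 controls
    (keeping TAB, LF and CR) so no escape sequence survives. The log line and
    the font name "evil" are constructed placeholders, not an exploit string.

```shell
#!/bin/sh
# Added example for GLSA 202211-09 (not from the advisory or from xterm).

ESC=$(printf '\033')
BEL=$(printf '\007')

# OSC 50 "set font": ESC ] 50 ; <font name> BEL. A vulnerable xterm stores
# the name, control characters included.
osc50_set() {
    printf '%s]50;%s%s' "$ESC" "$1" "$BEL"
}

# OSC 50 query: ESC ] 50 ; ? BEL. xterm answers by writing the current font
# name back into the application's input, which is what makes the stored
# control characters reach the shell's line editor.
osc50_query() {
    printf '%s]50;?%s' "$ESC" "$BEL"
}

# Strip ESC, BEL and the other C0 control bytes except TAB (\011), LF (\012)
# and CR (\015), plus DEL (\177). Bytes >= 0x80 (UTF-8) pass through.
sanitize_for_terminal() {
    LC_ALL=C tr -d '\000-\010\013\014\016-\037\177'
}

# Count how many of those control bytes a stream contains (0 means it is
# safe to write to the terminal as far as escape sequences go).
count_control_bytes() {
    LC_ALL=C tr -cd '\000-\010\013\014\016-\037\177' | wc -c | tr -d ' '
}

# Constructed untrusted line: a plausible log entry with both sequences
# embedded. "evil" is a harmless placeholder font name.
untrusted_line() {
    printf 'user login from 203.0.113.7 %s%s\n' "$(osc50_set 'evil')" "$(osc50_query)"
}

# Stand-alone use: show the raw line has control bytes and the filtered
# line has none.
if [ "${1:-}" = "--demo" ]; then
    printf 'raw control bytes: %s\n' "$(untrusted_line | count_control_bytes)"
    untrusted_line | sanitize_for_terminal
fi
```

    The filter also removes legitimate colour (SGR) sequences, which is the
    right trade-off for data that was never supposed to carry any: anything
    that needs colours should add them itself after filtering. This is a
    mitigation at the application boundary; the real fix remains upgrading
    xterm, which rejects control characters in the font name.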

    Workaround
    ==========

    As a workaround, users can disable xterm's handling of OSC 50 (font ops)
    sequences by adding the following to their X resources configuration:

    XTerm*allowFontOps: false

    xterm reads its resources at startup, so the setting must be loaded (for
    example with xrdb -merge) before the xterms it is meant to protect are
    started; already-running instances keep their current setting.

    Resolution
    ==========

    All xterm users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=x11-terms/xterm-375"
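    The following script is an added example and is not part of the advisory,
    of Gentoo's tooling or of xterm. It checks the two conditions the
    Workaround and Resolution sections describe: whether the X resources
    (a file, or the output of "xrdb -query") disable font ops, and whether the
    installed xterm is at or above patch level 375. It assumes that
    "xterm -version" prints a banner of the form "XTerm(375)", as upstream
    xterm does; the function and status names are the example's own.

```shell
#!/bin/sh
# Added example for GLSA 202211-09 (not from the advisory or from xterm).

# Read X resources on stdin and succeed (exit 0) if a non-comment line sets a
# resource ending in "allowFontOps" to an X boolean false value. Lines whose
# first non-blank character is "!" (resource comments) or "#" (cpp directives)
# are ignored. Matching is deliberately simple: it does not model xrdb
# precedence between, say, "XTerm*" and "*" entries.
font_ops_disabled() {
    grep -Eq '^[[:space:]]*[^!#[:space:]].*allowFontOps[[:space:]]*:[[:space:]]*([Ff]alse|[Oo]ff|[Nn]o|0)[[:space:]]*$'
}

# Extract the patch number from an "xterm -version" banner such as
# "XTerm(375)". Prints nothing if the banner does not have that shape.
xterm_patch_level() {
    printf '%s\n' "$1" | sed -n 's/^XTerm(\([0-9][0-9]*\)).*$/\1/p'
}

# Succeed if the banner is at or above patch level 375, the first version the
# advisory lists as unaffected.
xterm_is_fixed() {
    level=$(xterm_patch_level "$1")
    [ -n "$level" ] && [ "$level" -ge 375 ]
}

# Classify a system from its xterm banner ($1) and its X resources (stdin):
#   fixed       - xterm >= 375, the advisory's resolution
#   workaround  - older xterm, but allowFontOps disabled in resources
#   vulnerable  - older xterm with font ops enabled (xterm's default)
glsa_202211_09_status() {
    if xterm_is_fixed "$1"; then
        echo fixed
    elif font_ops_disabled; then
        echo workaround
    else
        echo vulnerable
    fi
}

# Stand-alone use against the running X session. Assumes xterm and xrdb are
# in PATH and DISPLAY is set; otherwise both commands fail quietly and the
# result is "vulnerable", which is the safe default to report.
if [ "${1:-}" = "--live" ]; then
    xrdb -query 2>/dev/null | glsa_202211_09_status "$(xterm -version 2>/dev/null)"
fi
```

    A "workaround" result only says the resource is present in what xrdb
    currently holds; xterms started before that resource was merged are still
    running with font ops enabled, so after applying the workaround restart
    them, and treat "fixed" as the only state that closes the issue.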

    References
    ==========

    [ 1 ] CVE-2022-45063
    https://nvd.nist.gov/vuln/detail/CVE-2022-45063

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202211-09

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    [email protected] or alternatively, you may file a bug at
    https://bugs.gentoo.org.

    License
    =======

    Copyright 2022 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5
    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmN8R6gACgkQFMQkOaVy
    +9lcdBAAh1ky21QuRg65hpAjv5AOV9BAypsfgTJlHNEfqDr9PYaAfv5eYVqvXIVE
    lzFrerPDYcPaK7Tun8T4mEq7K139o49VaXCGE7EQHx5o0DVIiCUl5MZ5HUQ47oD8
    ClGNJe3AedRy4yH3GlOKQyBP0L8X12trw2tpC9vy/lyW/dy5OZy728AuvBk0wfha
    clGS9dqVK7IAZGPd/QohwXXYJ/sFUfWJwKAFbg9Ooz4UrsZfwfYWeV0ILefTZMjN
    W2GR6bPDEQYgYwN4Z3xUw3D2zlqVO0mesUCA8uxwt1Ftz1YDJaapdiyasLal2bOp
    xWg3kbRhuoXTkx7pyLFKslsIUUMaSq20Uw5n9kzI3fHEIwZWFkPjq2YDbi8vLwFo
    t3g/FxJKY7n1FpQZaxKYlk7AytR1kQ8y3Ed/u8OyGTy+sAjzZDwrOg63wugdQcDT
    4mZYZB1DgwocUCJtX9tbHIN0GOJDy5m3rQwd3IP7Y9MfwOkp7W3UCM3ZYfs2O7Te
    zujZnKV/f2igyJHjkrdWrA62ZgUP4ooEy6po+nNO19bL0dFmFRADEmlfUNPqaqiT
    S316XLG1V0dxxtM3PD9oRTxic0dQTvD7QSQXX07ENAI32QPjt52yT5164a4Ddpd9
    c4LmJND+ARpoYGfiRZKL21hI95e+9ks7oAZkxCi/3f+7+b3x0aI=
    =bhXX
    -----END PGP SIGNATURE-----
