| Summary: | rxvt-unicode, mrxvt, eterm security issue via ANSI escape sequences (CVE-2021-33477) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, joequant, nicolas.salguero, olav, ouaurelien, shlomif, smelror, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | rxvt-unicode-9.22-9.mga8.src.rpm, mrxvt-0.5.4-15.mga8.src.rpm, eterm-0.9.7-3.mga8.src.rpm | CVE: | CVE-2021-33477 |
| Status comment: | |||
Description
David Walser
2021-05-18 21:23:20 CEST

David Walser
2021-05-18 21:23:32 CEST
Whiteboard: (none) => MGA8TOO

Hi, thanks for reporting this. As there is no maintainer for this package I added the committers in CC. (Please set the status to 'assigned' if you are working on it)
CC: (none) => joequant, olav, ouaurelien, shlomif, smelror

rxvt-unicode-9.26-1.mga9 uploaded for Cauldron by Stig-Ørjan.

Fedora has issued an advisory for this today (May 30):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6RFMU5YXXNYYVA7G2DAHRXXHO6JKVFUT/
Summary: rxvt-unicode, mrxvt, eterm security issue via ANSI escape sequences => rxvt-unicode, mrxvt, eterm security issue via ANSI escape sequences (CVE-2021-33477)

David Walser
2021-05-31 01:18:48 CEST
Severity: normal => major

Fedora has issued an advisory for eterm on June 1:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UXAKO6N6NKTR6Z6KVAPEXSZQMRU52SGA/

Debian-LTS has issued advisories for this on June 9:
https://www.debian.org/lts/security/2021/dla-2681
https://www.debian.org/lts/security/2021/dla-2682

The second one is for mrxvt, so we now have fixes available for all three packages.

Suggested advisory:
========================

The updated packages fix a security vulnerability:

rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 allow (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q). A response is terminated by a newline. (CVE-2021-33477)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33477
https://www.openwall.com/lists/oss-security/2021/05/17/1
https://www.openwall.com/lists/oss-security/2021/05/17/2
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6RFMU5YXXNYYVA7G2DAHRXXHO6JKVFUT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UXAKO6N6NKTR6Z6KVAPEXSZQMRU52SGA/
https://www.debian.org/lts/security/2021/dla-2681
https://www.debian.org/lts/security/2021/dla-2682
========================

Updated packages in core/updates_testing:
========================
rxvt-unicode-9.26-1.mga8
mrxvt-0.5.4-15.1.mga8
eterm-0.9.7-3.1.mga8
lib(64)eterm0.9.7-0.9.7-3.1.mga8
lib(64)eterm-devel-0.9.7-3.1.mga8

from SRPMS:
rxvt-unicode-9.26-1.mga8.src.rpm
mrxvt-0.5.4-15.1.mga8.src.rpm
eterm-0.9.7-3.1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)

mga8, x64
CVE-2021-33477

Found a PoC at https://www.openwall.com/lists/oss-security/2017/05/01/20

*** Before update ***

Launched an rxvt terminal from the system menus:

```
<urxvt>
$ echo -ne "\eGQ;"
;^[G0
......
$ 0
bash: 0: command not found
```

Not sure what is expected of the command at https://www.openwall.com/lists/oss-security/2021/05/17/1

```
$ mkdir -p ZZZ && echo 'uname -a; id; date; sh -i' >ZZZ/0 && chmod +x ZZZ/0
$ urxvt -e bash
<urxvt>
$ printf '\e[?2l\eZ\e<\eGQ'
^[/Z^[G0
$ Display all 170 possibilities? (y or n) n
$
$ ZZZ/0
Linux canopus 5.10.48-desktop-1.mga8 #1 SMP Wed Jul 7 14:29:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
uid=1000(lcl) gid=1000(lcl) groups=1000(lcl),955(docker),957(vboxusers)
Sun 18 Jul 17:57:42 BST 2021
$ ls ZZZ
0*
$ file ZZZ/0
ZZZ/0: ASCII text
$ cat ZZZ/0
uname -a; id; date; sh -i
```

Updated the packages.

*** After update ***

Ran urxvt.

```
$ printf '\e[?2l\eZ\e<\eGQ'
Q^[/Zlcl@canopus:~ $ Display all 170 possibilities? (y or n) n
```

The escape sequence is treated differently after the update - no attempt to launch a command. The unicode rxvt terminal works as any xterm does and responds to clear.

Launched Eterm from the menus and tried out various options. Everything working as expected; toggled primary and secondary screens, changed pixel backgrounds, font, help (man pages) and contrast.

```
$ Eterm -b gray88 -f MidnightBlue
```

Needed to switch off background pattern after starting. Note that UK spelling of grey is not accepted. Did not pursue the hundreds of options.

Letting this go.
CC: (none) => tarazed25

Validating. Advisory in Comment 6.
CC: (none) => andrewsfarm, sysadmin-bugs

Aurelien Oudelet
2021-07-19 21:58:58 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0358.html
Resolution: (none) => FIXED
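The QA test above shows why the bug matters: an unpatched rxvt-unicode answers the ESC G Q graphics query with a newline-terminated response, and that response is read back by the shell as typed input. Updating the packages is the fix; as an added example (not code from this bug report or from the rxvt-unicode, mrxvt or Eterm projects), the following Python helper is what a defender might run over untrusted text before it is written to a terminal, or over captured session logs, to flag and neutralise that specific query. The sample input and the function names are constructed for this example and are not on the page.

```python
import re

ESC = "\x1b"

# Constructed sample of untrusted text: an ordinary SGR colour sequence
# (harmless) followed by a line that embeds the ESC G Q query that
# CVE-2021-33477 concerns.
SAMPLE_UNTRUSTED = (
    "normal line\n"
    + ESC + "[31mred" + ESC + "[0m\n"
    + "hello " + ESC + "GQ tail\n"
)

# The graphics query handled by rxvt-unicode, mrxvt and Eterm: ESC, 'G', 'Q'.
GRAPHICS_QUERY = re.compile(r"\x1bGQ")


def find_graphics_queries(data: str) -> list[tuple[int, int]]:
    """Return (line_number, column) for every ESC G Q found in data.

    Line numbers start at 1; the column is the 0-based offset of the ESC
    byte within that line, so a log reviewer can locate the exact spot.
    """
    hits = []
    for lineno, line in enumerate(data.splitlines(), start=1):
        for match in GRAPHICS_QUERY.finditer(line):
            hits.append((lineno, match.start()))
    return hits


def neutralise(data: str) -> str:
    """Rewrite each ESC G Q so a terminal never sees it as a query.

    The ESC byte of the query is replaced by the visible caret notation
    '^[' (the same rendering the terminal session in the bug report
    shows), leaving the rest of the text, including other escape
    sequences such as colours, unchanged.
    """
    return GRAPHICS_QUERY.sub("^[GQ", data)


if __name__ == "__main__":
    for lineno, col in find_graphics_queries(SAMPLE_UNTRUSTED):
        print(f"ESC G Q at line {lineno}, column {col}")
    print(repr(neutralise(SAMPLE_UNTRUSTED)))
```

The scanner only inspects the data fed to the terminal; it does not change how the terminal itself answers queries, so it complements rather than replaces the package update that the bug resolves.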