Bug 13299 - rxvt-unicode new security issue CVE-2014-3121
Summary: rxvt-unicode new security issue CVE-2014-3121
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/597338/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Reported: 2014-05-01 19:12 CEST by David Walser
Modified: 2014-05-05 18:50 CEST (History)
4 users (show)

See Also:
Source RPM: rxvt-unicode-9.19-1.mga5.src.rpm
Status comment:


Description David Walser 2014-05-01 19:12:10 CEST
A CVE has been assigned for a security issue fixed upstream in 9.20:

There are more details in the CVE request:

Mageia 3 and Mageia 4 are also affected.


Steps to Reproduce:
Comment 1 Rémy CLOUARD (shikamaru) 2014-05-01 19:49:03 CEST
fixed in cauldron, and an update has been submitted to updates_testing.

I tested the package myself, for me it can be pushed into updates.

Hope I did this right, if itâs the case Iâll also push it to 3.


Comment 2 David Walser 2014-05-01 19:52:30 CEST

Not that it's a problem, but typically we don't use 0.1 for the release tag.  If you're updating it to 9.20, a release tag of 1 in all releases works fine, and that's how we normally do it.
Comment 3 Rémy CLOUARD (shikamaru) 2014-05-01 20:02:26 CEST
Oops, sorry I thought it would have been 0.1 for updates-testing, because if it wasnât good and I would have to rebuild the version in 4 would have been higher than the one in cauldron. Shall I resubmit to 1 in mga4 and submit it that way to mga3 ?
Comment 4 David Walser 2014-05-01 20:06:08 CEST
If the 0.1 build in mga4 looks good for you, then yes, you could bump it to 1 and rebuild (don't forget to remove the subrel) and push to mga3.

You are correct that if a problem was found and it needed to be rebuilt, it'd then be 1.1 in mga4, but since it's the same version in Cauldron, it'd likely need to be fixed there for the same reason anyway, so it'd then be 2 there and the release tag would not be an issue.
Comment 5 Rémy CLOUARD (shikamaru) 2014-05-01 20:08:58 CEST
Thanks for your feedback, submitted 9.20-1 to both mga3 and mga4 in updates_testing
Comment 6 David Walser 2014-05-01 20:19:47 CEST
Thanks.  Assigning to the QA team now so that the update candidate can be tested and released.


Updated rxvt-unicode package fixes security vulnerability:

rxvt-unicode (aka urxvt) before 9.20 is vulnerable to a user-assisted
arbitrary commands execution issue. This can be exploited by the unprocessed
display of certain escape sequences in a crafted text file or program output.
Arbitrary command sequences can be constructed using this, and unintentionally
executed if used in conjunction with various other escape sequences


Updated packages in core/updates_testing:

from SRPMS:
Comment 7 claire robinson 2014-05-02 15:06:36 CEST
Testing complete mga4 64

PoC from http://seclists.org/oss-sec/2014/q2/204

$ echo $'\e]3;?WM_CLASS\x07'; read -d $'\a' x; printf "\n%q\n" "$x";

gives output showing the window title.


Tip: highlight & then paste with middle mouse click.

echo $'\e]3;?WM_CLASS\x07'; read -d $'\a' x; printf "\n%q\n" "$x";

Comment 8 claire robinson 2014-05-02 15:15:32 CEST
Testing complete mga3 32 & 64
Comment 9 claire robinson 2014-05-02 15:23:53 CEST
Testing complete mga4 32

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Comment 10 Thomas Backlund 2014-05-02 20:10:45 CEST
Update pushed:
Comment 11 Rémy CLOUARD (shikamaru) 2014-05-03 14:38:51 CEST
thanks !

Note You need to log in before you can comment on or make changes to this bug.