Mageia Bugzilla – Bug 13299
rxvt-unicode new security issue CVE-2014-3121
Last modified: 2014-05-05 18:50:54 CEST
A CVE has been assigned for a security issue fixed upstream in 9.20:
There are more details in the CVE request:
Mageia 3 and Mageia 4 are also affected.
fixed in cauldron, and an update has been submitted to updates_testing.
I tested the package myself, for me it can be pushed into updates.
Hope I did this right, if it’s the case I’ll also push it to 3.
Not that it's a problem, but typically we don't use 0.1 for the release tag. If you're updating it to 9.20, a release tag of 1 in all releases works fine, and that's how we normally do it.
Oops, sorry, I thought it would have been 0.1 for updates-testing, because if it wasn’t good and I would have to rebuild, the version in 4 would have been higher than the one in cauldron. Shall I resubmit to 1 in mga4 and submit it that way to mga3?
If the 0.1 build in mga4 looks good for you, then yes, you could bump it to 1 and rebuild (don't forget to remove the subrel) and push to mga3.
You are correct that if a problem was found and it needed to be rebuilt, it'd then be 1.1 in mga4, but since it's the same version in Cauldron, it'd likely need to be fixed there for the same reason anyway, so it'd then be 2 there and the release tag would not be an issue.
Thanks for your feedback, submitted 9.20-1 to both mga3 and mga4 in updates_testing.
Thanks. Assigning to the QA team now so that the update candidate can be tested and released.
Updated rxvt-unicode package fixes security vulnerability:
rxvt-unicode (aka urxvt) before 9.20 is vulnerable to a user-assisted arbitrary commands execution issue. This can be exploited by the unprocessed display of certain escape sequences in a crafted text file or program output. Arbitrary command sequences can be constructed using this, and unintentionally executed if used in conjunction with various other escape sequences.
Updated packages in core/updates_testing:
Testing complete mga4 64
PoC from http://seclists.org/oss-sec/2014/q2/204
$ echo $'\e]3;?WM_CLASS\x07'; read -d $'\a' x; printf "\n%q\n" "$x";
gives output showing the window title.
Tip: highlight & then paste with middle mouse click.
echo $'\e]3;?WM_CLASS\x07'; read -d $'\a' x; printf "\n%q\n" "$x";
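Since the advisory and the PoC above both hinge on untrusted text carrying escape sequences that make the terminal answer back, a defender-side check is to scan such text before it reaches the terminal. The Python below is an added example, not part of this bug report or of rxvt-unicode itself: it finds OSC and CSI sequences, flags the ones that request a reply (the `]3;?WM_CLASS` query from the PoC, plus CSI DSR/DA requests), and renders every ESC visibly so nothing is interpreted. The sample text is constructed.

```python
import re

# Constructed sample: harmless program output with a benign title-setting OSC
# followed by the OSC 3 query from the bug report's PoC.
SAMPLE = "build ok\n\x1b]0;my title\x07\x1b]3;?WM_CLASS\x07\nall done\n"

# One pass, three branches, tried in order:
#   OSC : ESC ] <body> terminated by BEL or ST (ESC \)
#   CSI : ESC [ <params> <intermediates> <final byte>
#   Fe  : any other two-byte ESC sequence (also catches an unterminated OSC)
# Assumption: 7-bit sequences only; 8-bit C1 introducers (0x9b, 0x9d) are not handled.
ESC_RE = re.compile(
    r'\x1b\](?P<osc>[^\x07\x1b]*)(?:\x07|\x1b\\)'
    r'|\x1b\[(?P<csi>[0-?]*[ -/]*[@-~])'
    r'|\x1b(?P<fe>[@-Z\x5c-\x5f])'
)


def scan_escapes(text):
    """Return (kind, raw_sequence, asks_for_reply) for every escape sequence found."""
    findings = []
    for m in ESC_RE.finditer(text):
        raw = m.group(0)
        if m.group('osc') is not None:
            # OSC body is "<number>;<argument>"; an argument starting with '?'
            # is a query the terminal answers by feeding text back as input.
            _num, _sep, arg = m.group('osc').partition(';')
            findings.append(('OSC', raw, arg.startswith('?')))
        elif m.group('csi') is not None:
            # Final byte 'n' (DSR) or 'c' (DA) also makes the terminal respond.
            findings.append(('CSI', raw, raw[-1] in 'nc'))
        else:
            findings.append(('ESC', raw, False))
    return findings


def neutralize(text):
    """Show each ESC as the two visible characters '^[' so no sequence is interpreted."""
    return text.replace('\x1b', '^[')


def safe_view(text):
    """Return the display-safe text together with the sequences that requested a reply."""
    risky = [f for f in scan_escapes(text) if f[2]]
    return neutralize(text), risky


if __name__ == '__main__':
    shown, risky = safe_view(SAMPLE)
    print(shown, end='')
    for kind, raw, _ in risky:
        print(f"reply-requesting {kind} sequence: {raw!r}")
```

`neutralize` is deliberately blunt: without the ESC byte no sequence can start, so an unterminated OSC that would otherwise swallow the rest of the file is defused too.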
Testing complete mga3 32 & 64
Testing complete mga4 32
Validating. Advisory uploaded.
Could sysadmin please push to 3 & 4 updates