Bug 13299 - rxvt-unicode new security issue CVE-2014-3121
: rxvt-unicode new security issue CVE-2014-3121
Product: Mageia
Classification: Unclassified
Component: Security
: 4
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/597338/
: MGA3TOO has_procedure advisory mga3-3...
: validated_update
  Show dependency treegraph
Reported: 2014-05-01 19:12 CEST by David Walser
Modified: 2014-05-05 18:50 CEST (History)
4 users (show)

See Also:
Source RPM: rxvt-unicode-9.19-1.mga5.src.rpm
Status comment:


Description David Walser 2014-05-01 19:12:10 CEST
A CVE has been assigned for a security issue fixed upstream in 9.20:

There are more details in the CVE request:

Mageia 3 and Mageia 4 are also affected.


Steps to Reproduce:
Comment 1 Rémy CLOUARD (shikamaru) 2014-05-01 19:49:03 CEST
fixed in cauldron, and an update has been submitted to updates_testing.

I tested the package myself, for me it can be pushed into updates.

Hope I did this right, if it’s the case I’ll also push it to 3.


Comment 2 David Walser 2014-05-01 19:52:30 CEST

Not that it's a problem, but typically we don't use 0.1 for the release tag.  If you're updating it to 9.20, a release tag of 1 in all releases works fine, and that's how we normally do it.
Comment 3 Rémy CLOUARD (shikamaru) 2014-05-01 20:02:26 CEST
Oops, sorry I thought it would have been 0.1 for updates-testing, because if it wasn’t good and I would have to rebuild the version in 4 would have been higher than the one in cauldron. Shall I resubmit to 1 in mga4 and submit it that way to mga3 ?
Comment 4 David Walser 2014-05-01 20:06:08 CEST
If the 0.1 build in mga4 looks good for you, then yes, you could bump it to 1 and rebuild (don't forget to remove the subrel) and push to mga3.

You are correct that if a problem was found and it needed to be rebuilt, it'd then be 1.1 in mga4, but since it's the same version in Cauldron, it'd likely need to be fixed there for the same reason anyway, so it'd then be 2 there and the release tag would not be an issue.
Comment 5 Rémy CLOUARD (shikamaru) 2014-05-01 20:08:58 CEST
Thanks for your feedback, submitted 9.20-1 to both mga3 and mga4 in updates_testing
Comment 6 David Walser 2014-05-01 20:19:47 CEST
Thanks.  Assigning to the QA team now so that the update candidate can be tested and released.


Updated rxvt-unicode package fixes security vulnerability:

rxvt-unicode (aka urxvt) before 9.20 is vulnerable to a user-assisted
arbitrary commands execution issue. This can be exploited by the unprocessed
display of certain escape sequences in a crafted text file or program output.
Arbitrary command sequences can be constructed using this, and unintentionally
executed if used in conjunction with various other escape sequences


Updated packages in core/updates_testing:

from SRPMS:
Comment 7 claire robinson 2014-05-02 15:06:36 CEST
Testing complete mga4 64

PoC from http://seclists.org/oss-sec/2014/q2/204

$ echo $'\e]3;?WM_CLASS\x07'; read -d $'\a' x; printf "\n%q\n" "$x";

gives output showing the window title.


Tip: highlight & then paste with middle mouse click.

echo $'\e]3;?WM_CLASS\x07'; read -d $'\a' x; printf "\n%q\n" "$x";

Comment 8 claire robinson 2014-05-02 15:15:32 CEST
Testing complete mga3 32 & 64
Comment 9 claire robinson 2014-05-02 15:23:53 CEST
Testing complete mga4 32

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Comment 10 Thomas Backlund 2014-05-02 20:10:45 CEST
Update pushed:
Comment 11 Rémy CLOUARD (shikamaru) 2014-05-03 14:38:51 CEST
thanks !

Note You need to log in before you can comment on or make changes to this bug.