Bug 13299 - rxvt-unicode new security issue CVE-2014-3121
Summary: rxvt-unicode new security issue CVE-2014-3121
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/597338/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Reported: 2014-05-01 19:12 CEST by David Walser
Modified: 2014-05-05 18:50 CEST (History)
4 users (show)

See Also:
Source RPM: rxvt-unicode-9.19-1.mga5.src.rpm
Status comment:


Description David Walser 2014-05-01 19:12:10 CEST
A CVE has been assigned for a security issue fixed upstream in 9.20:

There are more details in the CVE request:

Mageia 3 and Mageia 4 are also affected.


Steps to Reproduce:
David Walser 2014-05-01 19:12:23 CEST

CC: (none) => shikamaru
Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Rémy CLOUARD (shikamaru) 2014-05-01 19:49:03 CEST
fixed in cauldron, and an update has been submitted to updates_testing.

I tested the package myself, for me it can be pushed into updates.

Hope I did this right, if itâs the case Iâll also push it to 3.


Comment 2 David Walser 2014-05-01 19:52:30 CEST

Not that it's a problem, but typically we don't use 0.1 for the release tag.  If you're updating it to 9.20, a release tag of 1 in all releases works fine, and that's how we normally do it.
David Walser 2014-05-01 19:53:35 CEST

CC: shikamaru => dirteat
Version: Cauldron => 4
Assignee: dirteat => shikamaru
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 3 Rémy CLOUARD (shikamaru) 2014-05-01 20:02:26 CEST
Oops, sorry I thought it would have been 0.1 for updates-testing, because if it wasnât good and I would have to rebuild the version in 4 would have been higher than the one in cauldron. Shall I resubmit to 1 in mga4 and submit it that way to mga3 ?

Version: 4 => Cauldron

Comment 4 David Walser 2014-05-01 20:06:08 CEST
If the 0.1 build in mga4 looks good for you, then yes, you could bump it to 1 and rebuild (don't forget to remove the subrel) and push to mga3.

You are correct that if a problem was found and it needed to be rebuilt, it'd then be 1.1 in mga4, but since it's the same version in Cauldron, it'd likely need to be fixed there for the same reason anyway, so it'd then be 2 there and the release tag would not be an issue.

Version: Cauldron => 4

Comment 5 Rémy CLOUARD (shikamaru) 2014-05-01 20:08:58 CEST
Thanks for your feedback, submitted 9.20-1 to both mga3 and mga4 in updates_testing

Version: 4 => Cauldron
Resolution: (none) => FIXED

David Walser 2014-05-01 20:11:20 CEST

Version: Cauldron => 4
Resolution: FIXED => (none)

Rémy CLOUARD (shikamaru) 2014-05-01 20:18:39 CEST

Version: 4 => Cauldron
Assignee: shikamaru => qa-bugs

Comment 6 David Walser 2014-05-01 20:19:47 CEST
Thanks.  Assigning to the QA team now so that the update candidate can be tested and released.


Updated rxvt-unicode package fixes security vulnerability:

rxvt-unicode (aka urxvt) before 9.20 is vulnerable to a user-assisted
arbitrary commands execution issue. This can be exploited by the unprocessed
display of certain escape sequences in a crafted text file or program output.
Arbitrary command sequences can be constructed using this, and unintentionally
executed if used in conjunction with various other escape sequences


Updated packages in core/updates_testing:

from SRPMS:

CC: (none) => shikamaru
Version: Cauldron => 4

Comment 7 claire robinson 2014-05-02 15:06:36 CEST
Testing complete mga4 64

PoC from http://seclists.org/oss-sec/2014/q2/204

$ echo $'\e]3;?WM_CLASS\x07'; read -d $'\a' x; printf "\n%q\n" "$x";

gives output showing the window title.


Tip: highlight & then paste with middle mouse click.

echo $'\e]3;?WM_CLASS\x07'; read -d $'\a' x; printf "\n%q\n" "$x";


Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok

Comment 8 claire robinson 2014-05-02 15:15:32 CEST
Testing complete mga3 32 & 64

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok

Comment 9 claire robinson 2014-05-02 15:23:53 CEST
Testing complete mga4 32

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates


Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-64-ok
CC: (none) => sysadmin-bugs

claire robinson 2014-05-02 15:24:06 CEST

Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 10 Thomas Backlund 2014-05-02 20:10:45 CEST
Update pushed:

CC: (none) => tmb
Resolution: (none) => FIXED

Comment 11 Rémy CLOUARD (shikamaru) 2014-05-03 14:38:51 CEST
thanks !
David Walser 2014-05-05 18:50:54 CEST

URL: (none) => http://lwn.net/Vulnerabilities/597338/

Note You need to log in before you can comment on or make changes to this bug.