A security issue in several terminal emulators was described here: https://www.openwall.com/lists/oss-security/2021/05/17/1 Apparently it has been fixed upstream in rxvt-unicode 9.25: https://www.openwall.com/lists/oss-security/2021/05/17/2 The others haven't addressed it yet. A vague reference was made to xterm, but it wasn't clear that it's affected by this particular issue.
Whiteboard: (none) => MGA8TOO
Hi, thanks for reporting this. As there is no maintainer for this package I added the committers in CC. (Please set the status to 'assigned' if you are working on it)
CC: (none) => joequant, olav, ouaurelien, shlomif, smelror
Assignee: bugsquad => pkg-bugs
rxvt-unicode-9.26-1.mga9 uploaded for Cauldron by Stig-Ørjan.
Fedora has issued an advisory for this today (May 30): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6RFMU5YXXNYYVA7G2DAHRXXHO6JKVFUT/
Summary: rxvt-unicode, mrxvt, eterm security issue via ANSI escape sequences => rxvt-unicode, mrxvt, eterm security issue via ANSI escape sequences (CVE-2021-33477)
Severity: normal => major
Fedora has issued an advisory for eterm on June 1: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UXAKO6N6NKTR6Z6KVAPEXSZQMRU52SGA/
Debian-LTS has issued advisories for this on June 9: https://www.debian.org/lts/security/2021/dla-2681 https://www.debian.org/lts/security/2021/dla-2682 The second one is for mrxvt, so we now have fixes available for all three packages.
Suggested advisory:
========================

The updated packages fix a security vulnerability:

rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 allow (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q). A response is terminated by a newline. (CVE-2021-33477)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33477
https://www.openwall.com/lists/oss-security/2021/05/17/1
https://www.openwall.com/lists/oss-security/2021/05/17/2
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6RFMU5YXXNYYVA7G2DAHRXXHO6JKVFUT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UXAKO6N6NKTR6Z6KVAPEXSZQMRU52SGA/
https://www.debian.org/lts/security/2021/dla-2681
https://www.debian.org/lts/security/2021/dla-2682
========================

Updated packages in core/updates_testing:
========================
rxvt-unicode-9.26-1.mga8
mrxvt-0.5.4-15.1.mga8
eterm-0.9.7-3.1.mga8
lib(64)eterm0.9.7-0.9.7-3.1.mga8
lib(64)eterm-devel-0.9.7-3.1.mga8

from SRPMS:
rxvt-unicode-9.26-1.mga8.src.rpm
mrxvt-0.5.4-15.1.mga8.src.rpm
eterm-0.9.7-3.1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Version: Cauldron => 8
CVE: (none) => CVE-2021-33477
Assignee: pkg-bugs => qa-bugs
mga8, x64

CVE-2021-33477
Found a PoC at https://www.openwall.com/lists/oss-security/2017/05/01/20

*** Before update ***
Launched an rxvt terminal from the system menus:
<urxvt>
$ echo -ne "\eGQ;" ;^[G0 ......
$ 0
bash: 0: command not found

Not sure what is expected of the command at https://www.openwall.com/lists/oss-security/2021/05/17/1
$ mkdir -p ZZZ && echo 'uname -a; id; date; sh -i' >ZZZ/0 && chmod +x ZZZ/0
$ urxvt -e bash
<urxvt>
$ printf '\e[?2l\eZ\e<\eGQ'
^[/Z^[G0 $ Display all 170 possibilities? (y or n) n
$
$ ZZZ/0
Linux canopus 5.10.48-desktop-1.mga8 #1 SMP Wed Jul 7 14:29:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
uid=1000(lcl) gid=1000(lcl) groups=1000(lcl),955(docker),957(vboxusers)
Sun 18 Jul 17:57:42 BST 2021
$ ls ZZZ
0*
$ file ZZZ/0
ZZZ/0: ASCII text
$ cat ZZZ/0
uname -a; id; date; sh -i

Updated the packages.

*** After update ***
Ran urxvt.
$ printf '\e[?2l\eZ\e<\eGQ'
Q^[/Zlcl@canopus:~ $ Display all 170 possibilities? (y or n) n

The escape sequence is treated differently after the update - no attempt to launch a command.
The unicode rxvt terminal works as any xterm does and responds to clear.

Launched Eterm from the menus and tried out various options. Everything working as expected; toggled primary and secondary screens, changed pixel backgrounds, font, help (man pages) and contrast.
$ Eterm -b gray88 -f MidnightBlue
Needed to switch off background pattern after starting. Note that UK spelling of grey is not accepted.
Did not pursue the hundreds of options. Letting this go.
CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK
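Added example, not part of the original report or of any affected project's code: a small Python check that scans untrusted text (a log file, a downloaded README) for the sequences used in the test command above and makes them inert before the text is shown in a terminal. The function names and the sample bytes are constructed for illustration.

```python
import re

# Sequences taken from the printf test command quoted in this report:
# two queries that make the terminal write a reply into the shell's
# input, and the two mode switches placed around them.
QUERIES = [
    (b"\x1bGQ", "ESC G Q (graphics query; reply is ended by a newline)"),
    (b"\x1b[?2l", "ESC [ ? 2 l (switch to VT52 mode)"),
    (b"\x1bZ", "ESC Z (identify terminal)"),
    (b"\x1b<", "ESC < (leave VT52 mode)"),
]
_NAMES = dict(QUERIES)
_PATTERN = re.compile(b"|".join(re.escape(seq) for seq, _ in QUERIES))


def find_queries(data: bytes):
    """Return (offset, description) for every listed sequence in data."""
    return [(m.start(), _NAMES[m.group()]) for m in _PATTERN.finditer(data)]


def neutralize(data: bytes) -> bytes:
    """Show each ESC byte as the two characters ^[ so the terminal
    prints the sequence instead of interpreting it."""
    return data.replace(b"\x1b", b"^[")


def safe_view(data: bytes):
    """Return (hits, text); the text is neutralized only when a listed
    sequence was found, so ordinary colour codes are left alone."""
    hits = find_queries(data)
    text = neutralize(data) if hits else data
    return hits, text


# Constructed sample: harmless text with the test sequence embedded.
SAMPLE = b"build ok\n" + b"\x1b[?2l\x1bZ\x1b<\x1bGQ" + b"\ndone\n"

if __name__ == "__main__":
    hits, text = safe_view(SAMPLE)
    for offset, name in hits:
        print(f"offset {offset}: {name}")
    print(text.decode("ascii"))
```

Viewing such a file with `cat -v` has the same neutralizing effect, since it prints ESC as `^[`.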
Validating. Advisory in Comment 6.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0358.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED