Bug 31226 - rxvt-unicode new security issue CVE-2022-4170
Summary: rxvt-unicode new security issue CVE-2022-4170
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-12-06 09:53 CET by Nicolas Salguero
Modified: 2022-12-13 23:10 CET

See Also:
Source RPM: rxvt-unicode-9.26-1.mga8.src.rpm
CVE: CVE-2022-4170
Status comment:


Description Nicolas Salguero 2022-12-06 09:53:58 CET
A CVE has been assigned for a security issue fixed upstream in 9.25 and 9.26:
https://www.openwall.com/lists/oss-security/2022/12/05/1

Mageia 8 is also affected.
Nicolas Salguero 2022-12-06 09:55:19 CET

Whiteboard: (none) => MGA8TOO
Assignee: bugsquad => nicolas.salguero
Source RPM: (none) => rxvt-unicode-9.26-1.mga8.src.rpm
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2022-4170

Comment 1 Nicolas Salguero 2022-12-06 10:36:50 CET
Suggested advisory:
========================

The updated package fixes a security vulnerability:

rxvt-unicode 9.25 and 9.26 are vulnerable to remote code execution, in the Perl background extension, when an attacker can control the data written to the user's terminal and certain options are set. (CVE-2022-4170)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4170
https://www.openwall.com/lists/oss-security/2022/12/05/1
========================

Updated package in core/updates_testing:
========================
rxvt-unicode-9.26-1.1.mga8

from SRPM:
rxvt-unicode-9.26-1.1.mga8.src.rpm

Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 2 Herman Viaene 2022-12-12 16:37:47 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Exercised urxvt with commands pwd, various cd, cp, mkdir, rm, mv, rmdir, touch, vi; all worked OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 3 Thomas Andrews 2022-12-12 21:48:28 CET
Validating. Advisory in comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-12-13 02:32:37 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2022-12-13 23:10:56 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0459.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

