Date: Wed, 30 Apr 2014 11:33:30 +0100 From: Conor McCarthy <mr.spuratic@...il.com> To: oss-security@...ts.openwall.com Cc: rxvt@...morp.de Subject: CVE request: rxvt-unicode user-assisted arbitrary commands execution All, I would like to request a CVE for the following issue. rxvt-unicode-9.20 (aka urxvt) includes a security update  to address a user-assisted arbitrary commands execution issue. This can be exploited by the unprocessed display of certain escape sequences in a crafted text file or program output. Vendor/author Marc Lehmann was notified last week, the updated version was released on 2014-04-26. My thanks to Marc for his prompt responses and valuable assistance. This is a similar attack vector to CVE-2003-0063, CVE-2008-2383, and CVE-2010-2713. rxvt-unicode supports the xterm OSC escape sequences to read, write and delete the X properties of the terminal window. This function is in the group of OSC escapes which allow read/write access to the icon name and window title, however read access to those is allowed only with the "-insecure" command line option. The update in 9.20 makes "-insecure" a requirement for read access to the window properties also. This OSC feature was added to rxvt-unicode-2.7, so I believe it affects all versions from 2.7 to 9.19 inclusive. (I have confirmed it present in version 3.0, prior to that parts of the code are not supported by a contemporary g++ .) Arbitrary window properties can be written, and arbitrary properties can be read, placing the contents in the terminal input buffer, as is the convention. From a bash prompt in urxvt (9.19): $ echo $'\e]3;?WM_CLASS\x07'; read -d $'\a' x; printf "\n%q\n" "$x"; ^3;urxvt^G $'\E]3;urxvt' It follows that arbitrary command sequences can be constructed using this, and unintentionally executed if used in conjunction with various other escape sequences. Regards, Conor.  http://dist.schmorp.de/rxvt-unicode/Changes  http://invisible-island.net/xterm/ctlseqs/ctlseqs.html
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.