Bug ID 1206069
Summary VUL-0: CVE-2022-4170: rxvt-unicode: code execution via background OSC
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.4
Hardware Other
URL https://smash.suse.de/issue/349770/
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee mrueckert@suse.com
Reporter abergmann@suse.com
QA Contact security-team@suse.de
Found By Security Response Team
Blocker ---

CVE-2022-4170

Posted by David Leadbeater on Dec 05

I've discovered rxvt-unicode 9.25 and 9.26 are vulnerable to remote
code execution, in the Perl background extension, when an attacker can
control the data written to the user's terminal and certain options
are set.

The "background" extension is automatically loaded if certain X
resources are set such as 'transparent' (see the full list at the top
of src/perl/background[1]). So it is possible to be using this...

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4170
https://seclists.org/oss-sec/2022/q4/168

