[Bug 1206069] New: VUL-0: CVE-2022-4170: rxvt-unicode: code execution via background OSC
http://bugzilla.opensuse.org/show_bug.cgi?id=1206069

Bug ID: 1206069
Summary: VUL-0: CVE-2022-4170: rxvt-unicode: code execution via background OSC
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.4
Hardware: Other
URL: https://smash.suse.de/issue/349770/
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: mrueckert@suse.com
Reporter: abergmann@suse.com
QA Contact: security-team@suse.de
Found By: Security Response Team
Blocker: ---

CVE-2022-4170

Posted by David Leadbeater on Dec 05

I've discovered rxvt-unicode 9.25 and 9.26 are vulnerable to remote code execution, in the Perl background extension, when an attacker can control the data written to the user's terminal and certain options are set.

The "background" extension is automatically loaded if certain X resources are set such as 'transparent' (see the full list at the top of src/perl/background[1]). So it is possible to be using this...

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4170
https://seclists.org/oss-sec/2022/q4/168

--
You are receiving this mail because:
You are on the CC list for the bug.