Bug 2151597 (CVE-2022-4170)

Summary: CVE-2022-4170 rxvt-unicode: remote code execution via background OSC
Product: [Other] Security Response Reporter: Borja Tarraso <btarraso>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: rharwood
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rxvt-unicode 9.30 Doc Type: If docs needed, set a value
Doc Text:
The rxvt-unicode package is vulnerable to a remote code execution, in the Perl background extension, when an attacker can control the data written to the user's terminal and certain options are set.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-09 20:33:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2151598, 2151599    
Bug Blocks: 2149057    

Description Borja Tarraso 2022-12-07 15:22:08 UTC 
rxvt-unicode 9.25 and 9.26 are vulnerable to remote code execution, in the Perl background extension, when an attacker can control the data written to the user's terminal and certain options are set.

The "background" extension is automatically loaded if certain X resources are set such as 'transparent' (see the full list at the top of src/perl/background). So it is possible to be using this extension without realizing it.

This is accidentally fixed on version 9.30, and 9.29, it appears to not be exploitable, but only due to another bug (not a security bug). The actual bug which makes this not vulnerable on 9.30 is simply a wrong number in "on_osc_seq".
Comment 1 Borja Tarraso 2022-12-07 15:26:30 UTC 
Created rxvt-unicode tracking bugs for this issue:

Affects: epel-all [bug 2151598]
Affects: fedora-all [bug 2151599]
Comment 2 Product Security DevOps Team 2022-12-09 20:33:00 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Comment 3 Robbie Harwood 2022-12-16 18:42:00 UTC 
> Affects: fedora-all [bug 2151599]

Current fedora versions:
fc38: rxvt-unicode-9.30-4.fc37
fc37: rxvt-unicode-9.30-4.fc37
fc36: rxvt-unicode-9.30-2.fc36

> This is accidentally fixed on version 9.30, and 9.29, it appears to not be exploitable, but only due to another bug (not a security bug).

Given this, I really don't see what action you expect me to take with that bug.