Bug 876101 (CVE-2014-3121) - VUL-0: CVE-2014-3121: rxvt-unicode: user-assisted arbitrary commands execution
Status: VERIFIED FIXED
Alias: CVE-2014-3121
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Major
Target Milestone: ---
Deadline: 2014-06-20
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/98484/
Whiteboard: maint:released:sle11-sp3:57823
Keywords:
Depends on:
Blocks:
 
Reported: 2014-05-02 08:13 UTC by Alexander Bergmann
Modified: 2014-06-25 07:20 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexander Bergmann 2014-05-02 08:13:54 UTC
Via rh#1093287:

An issue with rxvt-unicode's handling of escape sequences, such as in text files or program output, was reported. This could lead to arbitrary command execution. Full details are available in the original report:

http://seclists.org/oss-sec/2014/q2/204

This issue has been fixed in version 9.20.

CVE-2014-3121 was assigned to this issue.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1093287
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3121
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3121
Comment 1 Swamp Workflow Management 2014-05-02 22:00:23 UTC
bugbot adjusting priority
Comment 3 Marcus Rückert 2014-06-10 15:40:21 UTC
all submitted
Comment 4 Bernhard Wiedemann 2014-06-10 16:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (876101) was mentioned in
https://build.opensuse.org/request/show/236774 Factory / rxvt-unicode
Comment 6 Swamp Workflow Management 2014-06-13 12:19:00 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-06-20.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/57822
Comment 7 SMASH SMASH 2014-06-13 12:20:14 UTC
Affected packages:

SLE-11-SP3: rxvt-unicode
Comment 9 Swamp Workflow Management 2014-06-18 12:04:27 UTC
openSUSE-SU-2014:0814-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 876101
CVE References: CVE-2014-3121
Sources used:
openSUSE 13.1 (src):    rxvt-unicode-9.15-6.9.1
openSUSE 12.3 (src):    rxvt-unicode-9.15-4.4.1
Comment 11 Swamp Workflow Management 2014-06-24 17:47:55 UTC
Update released for: rxvt-unicode, rxvt-unicode-debuginfo, rxvt-unicode-debugsource
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
Comment 12 Swamp Workflow Management 2014-06-24 21:04:24 UTC
SUSE-SU-2014:0838-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 876101
CVE References: CVE-2014-3121
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    rxvt-unicode-9.05-1.19.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    rxvt-unicode-9.05-1.19.1
Comment 13 Johannes Segitz 2014-06-25 07:20:05 UTC
all packages fixed