oss-sec mailing list archives

Re: rxvt terminal (+bash) remoteish code execution 0day


From: Dan Yefihmov <dan () lightwave net ru>
Date: Mon, 17 May 2021 22:50:20 +0300

On May 17, 2021 10:28:10 PM GMT+03:00, Jakub Wilk <jwilk () jwilk net> wrote:
> * def <def () huumeet info>, 2021-05-17, 17:33:
>> The bug is not technically a 0day for rxvt-unicode and has been known
>> at least since 2017-05-01 when it was discussed publicly in
>> oss-security:
>>
>>    https://www.openwall.com/lists/oss-security/2017/05/01/20
>>
>> The issue was quietly fixed in rxvt-unicode upstream in 2017.
>
> Or was it 2019?
>
> http://cvs.schmorp.de/rxvt-unicode/src/command.C?view=log#rev1.585

No, that was in fact 2017:
http://cvs.schmorp.de/rxvt-unicode/src/command.C?view=log#rev1.583

The commit you mentioned just eradicates the faulty code to protect unwise and careless users.


Sincerely Yours, Dan.

