Message-ID: <BA6125DF-2119-46AF-A87F-59876DF57168@lightwave.net.ru>
Date: Mon, 17 May 2021 22:50:20 +0300
From: Dan Yefihmov <dan@...htwave.net.ru>
To: oss-security@...ts.openwall.com
Subject: Re: rxvt terminal (+bash) remoteish code execution 0day

On May 17, 2021 10:28:10 PM GMT+03:00, Jakub Wilk <jwilk@...lk.net> wrote:
>* def <def@...meet.info>, 2021-05-17, 17:33:
>>The bug is not technically a 0day for rxvt-unicode and has been known
>>at least since 2017-05-01 when it was discussed publicly in
>>oss-security:
>>
>> https://www.openwall.com/lists/oss-security/2017/05/01/20
>>
>>The issue was quietly fixed in rxvt-unicode upstream in 2017.
>
>Or was it 2019?
>
>http://cvs.schmorp.de/rxvt-unicode/src/command.C?view=log#rev1.585
>

No, that was in fact 2017:
http://cvs.schmorp.de/rxvt-unicode/src/command.C?view=log#rev1.583

The commit you mentioned just eradicates the faulty code to protect unwise and careless users.

Sincerely Yours,
Dan.