[gentoo-announce] [ GLSA 200503-23 ] rxvt-unicode: Buffer overflow - gentoo-announce

From:	Sune Kloppenborg Jeppesen <jaervosz@g.o>
To:	gentoo-announce@××××××××××××.org
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200503-23 ] rxvt-unicode: Buffer overflow
Date:	Sun, 20 Mar 2005 20:04:39
Message-Id:	`200503202104.41034.jaervosz@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200503-23

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Normal

8

     Title: rxvt-unicode: Buffer overflow

9

      Date: March 20, 2005

10

      Bugs: #84680

11

        ID: 200503-23

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

rxvt-unicode is vulnerable to a buffer overflow that could lead to the

19

execution of arbitrary code.

20

21

Background

22

==========

23

24

rxvt-unicode is a clone of the well known terminal emulator rxvt.

25

26

Affected packages

27

=================

28

29

    -------------------------------------------------------------------

30

     Package                 /  Vulnerable  /               Unaffected

31

    -------------------------------------------------------------------

32

  1  x11-terms/rxvt-unicode        < 5.3                        >= 5.3

33

                                                                 < 4.8

34

35

Description

36

===========

37

38

Rob Holland of the Gentoo Linux Security Audit Team discovered that

39

rxvt-unicode fails to properly check input length.

40

41

Impact

42

======

43

44

Successful exploitation would allow an attacker to execute arbitrary

45

code with the permissions of the user running rxvt-unicode.

46

47

Workaround

48

==========

49

50

There is no known workaround at this time.

51

52

Resolution

53

==========

54

55

All rxvt-unicode users should upgrade to the latest version:

56

57

    # emerge --sync

58

    # emerge --ask --oneshot --verbose ">=x11-terms/rxvt-unicode-5.3"

59

60

References

61

==========

62

63

  [ 1 ] CAN-2005-0764

64

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0764

65

66

Availability

67

============

68

69

This GLSA and any updates to it are available for viewing at

70

the Gentoo Security Website:

71

72

  http://security.gentoo.org/glsa/glsa-200503-23.xml

73

74

Concerns?

75

=========

76

77

Security is a primary focus of Gentoo Linux and ensuring the

78

confidentiality and security of our users machines is of utmost

79

importance to us. Any security concerns should be addressed to

80

security@g.o or alternatively, you may file a bug at

81

http://bugs.gentoo.org.

82

83

License

84

=======

85

86

Copyright 2005 Gentoo Foundation, Inc; referenced text

87

belongs to its owner(s).

88

89

The contents of this document are licensed under the

90

Creative Commons - Attribution / Share Alike license.

91

92

http://creativecommons.org/licenses/by-sa/2.0

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200503-23
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: rxvt-unicode: Buffer overflow
9	Date: March 20, 2005
10	Bugs: #84680
11	ID: 200503-23
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	rxvt-unicode is vulnerable to a buffer overflow that could lead to the
19	execution of arbitrary code.
20
21	Background
22	==========
23
24	rxvt-unicode is a clone of the well known terminal emulator rxvt.
25
26	Affected packages
27	=================
28
29	-------------------------------------------------------------------
30	Package / Vulnerable / Unaffected
31	-------------------------------------------------------------------
32	1 x11-terms/rxvt-unicode < 5.3 >= 5.3
33	< 4.8
34
35	Description
36	===========
37
38	Rob Holland of the Gentoo Linux Security Audit Team discovered that
39	rxvt-unicode fails to properly check input length.
40
41	Impact
42	======
43
44	Successful exploitation would allow an attacker to execute arbitrary
45	code with the permissions of the user running rxvt-unicode.
46
47	Workaround
48	==========
49
50	There is no known workaround at this time.
51
52	Resolution
53	==========
54
55	All rxvt-unicode users should upgrade to the latest version:
56
57	# emerge --sync
58	# emerge --ask --oneshot --verbose ">=x11-terms/rxvt-unicode-5.3"
59
60	References
61	==========
62
63	[ 1 ] CAN-2005-0764
64	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0764
65
66	Availability
67	============
68
69	This GLSA and any updates to it are available for viewing at
70	the Gentoo Security Website:
71
72	http://security.gentoo.org/glsa/glsa-200503-23.xml
73
74	Concerns?
75	=========
76
77	Security is a primary focus of Gentoo Linux and ensuring the
78	confidentiality and security of our users machines is of utmost
79	importance to us. Any security concerns should be addressed to
80	security@g.o or alternatively, you may file a bug at
81	http://bugs.gentoo.org.
82
83	License
84	=======
85
86	Copyright 2005 Gentoo Foundation, Inc; referenced text
87	belongs to its owner(s).
88
89	The contents of this document are licensed under the
90	Creative Commons - Attribution / Share Alike license.
91
92	http://creativecommons.org/licenses/by-sa/2.0

Gentoo Archives: gentoo-announce