A vulnerability was found in aterm, Eterm, Mrxvt, multi-aterm, RXVT, rxvt-unicode, and wterm, allowing for local privilege escalation.
Package | Affected versions | Unaffected versions |
---|---|---|
x11-terms/aterm on all architectures | < 1.0.1-r1 | >= 1.0.1-r1 |
x11-terms/eterm on all architectures | < 0.9.4-r1 | >= 0.9.4-r1 |
x11-terms/mrxvt on all architectures | < 0.5.3-r2 | >= 0.5.3-r2 |
x11-terms/multi-aterm on all architectures | < 0.2.1-r1 | >= 0.2.1-r1 |
x11-terms/rxvt on all architectures | < 2.7.10-r4 | >= 2.7.10-r4 |
x11-terms/rxvt-unicode on all architectures | < 9.02-r1 | >= 9.02-r1 |
x11-terms/wterm on all architectures | < 6.2.9-r3 | >= 6.2.9-r3 |
Aterm, Eterm, Mrxvt, multi-aterm, RXVT, rxvt-unicode, and wterm are X11 terminal emulators.
Bernhard R. Link discovered that RXVT opens a terminal on :0 if the "-display" option is not specified and the DISPLAY environment variable is not set. Further research by the Gentoo Security Team has shown that aterm, Eterm, Mrxvt, multi-aterm, rxvt-unicode, and wterm are also affected.
A local attacker could exploit this vulnerability to hijack X11 terminals of other users.
There is no known workaround at this time.
All aterm users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=x11-terms/aterm-1.0.1-r1"
All Eterm users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=x11-terms/eterm-0.9.4-r1"
All Mrxvt users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=x11-terms/mrxvt-0.5.3-r2"
All multi-aterm users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=x11-terms/multi-aterm-0.2.1-r1"
All RXVT users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=x11-terms/rxvt-2.7.10-r4"
All rxvt-unicode users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=x11-terms/rxvt-unicode-9.02-r1"
All wterm users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=x11-terms/wterm-6.2.9-r3"
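An added example, not part of the advisory or of Portage: a Python check that compares an installed-package inventory against the fixed versions listed in this advisory, using Gentoo's ordering for numeric versions (a component with a leading zero, such as the 02 in 9.02, is compared as a string, and the -rN revision breaks ties). The function names and the sample inventory are assumptions; only plain numeric versions with an optional -rN revision are handled.

```python
import re

# Fixed versions copied from the advisory's package table.
FIXED = {
    "x11-terms/aterm": "1.0.1-r1",
    "x11-terms/eterm": "0.9.4-r1",
    "x11-terms/mrxvt": "0.5.3-r2",
    "x11-terms/multi-aterm": "0.2.1-r1",
    "x11-terms/rxvt": "2.7.10-r4",
    "x11-terms/rxvt-unicode": "9.02-r1",
    "x11-terms/wterm": "6.2.9-r3",
}
# Assumption: versions look like "1.2.3" or "1.2.3-rN", as in this advisory
# (no letter suffix, no _alpha/_pre/_p suffixes); anything else is rejected.
_VERSION = re.compile(r"(\d+(?:\.\d+)*)(?:-r(\d+))?")

def _split(version):
    m = _VERSION.fullmatch(version)
    if m is None:
        raise ValueError(f"unsupported version syntax: {version!r}")
    return m.group(1).split("."), int(m.group(2) or 0)

def _cmp(a, b):
    return (a > b) - (a < b)

def compare_versions(left, right):
    """Return -1, 0 or 1 using Gentoo ordering for numeric versions."""
    lparts, lrev = _split(left)
    rparts, rrev = _split(right)
    result = _cmp(int(lparts[0]), int(rparts[0]))  # first component: integer
    for lc, rc in zip(lparts[1:], rparts[1:]):
        if result:
            break
        if lc.startswith("0") or rc.startswith("0"):
            # Leading zero: strip trailing zeros, compare as strings (9.02 < 9.1).
            result = _cmp(lc.rstrip("0"), rc.rstrip("0"))
        else:
            result = _cmp(int(lc), int(rc))
    # Equal so far: more components wins, then the -rN revision decides.
    return result or _cmp(len(lparts), len(rparts)) or _cmp(lrev, rrev)

def affected(installed):
    """Return {package: version} for installed entries below the fixed version."""
    return {pkg: ver for pkg, ver in installed.items()
            if pkg in FIXED and compare_versions(ver, FIXED[pkg]) < 0}

# Constructed sample inventory, not taken from a real host.
SAMPLE = {"x11-terms/rxvt": "2.7.10-r3", "x11-terms/rxvt-unicode": "9.02",
          "x11-terms/aterm": "1.0.1-r1", "x11-terms/eterm": "0.9.5"}
```

Calling `affected()` with a mapping built from a host's installed-package list returns only the entries that still need the upgrade.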