Mrxvt: Arbitrary Code Execution — GLSA 202209-07

A vulnerability has been discovered in Mrxvt that could allow arbitrary code execution.

Affected packages

Package: x11-terms/mrxvt on all architectures
Affected versions: <= 0.5.4
Unaffected versions

Background

Mrxvt is a multi-tabbed rxvt clone with XFT, transparent background and CJK support.

Description

Mrxvt mishandles certain escape sequences, some of which allow for shell command execution.

Impact

An attacker with sufficient access to write arbitrary text to the Mrxvt terminal could execute arbitrary code.

Workaround

There is no known workaround at this time.

Resolution

Gentoo has discontinued support for Mrxvt. We recommend that users remove it:

 # emerge --ask --depclean "x11-terms/mrxvt"
 

References

Release date: September 25, 2022
Latest revision: September 25, 2022: 1
Severity: normal
Exploitable: local and remote

Bugzilla entries