openSUSE-SU-2023:0306-1

Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2023:0306-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/openSUSE-SU-2023:0306-1
Published
2023-10-20T10:01:47Z
Modified
2025-05-08T17:48:15.356241Z
Summary
Security update for rxvt-unicode
Details

This update for rxvt-unicode fixes the following issues:

  • Update to version 9.31: (CVE-2022-4170 boo#1206069)

    • implement a fix for CVE-2022-4170 (reported and analyzed by David Leadbeater). While present in version 9.30, it should not be exploitable. It is exploitable in versions 9.25 and 9.26, at least, and allows anybody controlling output to the terminal to execute arbitrary code in the urxvt process.
    • the background extension no longer requires off focus fading support to be compiled in.
    • the confirm-paste extension now offers a choice between pasting the original or a sanitized version, and also frees up memory used to store the paste text immediately.
    • fix compiling without frills.
    • fix rewrapMode: never.
    • fix regression that caused urxvt to no longer emit responses to OSC color queries other than OSC 4 ones.
    • fix regression that caused urxvt to no longer process OSC 705.
    • restore CENTURY to be 1900 to 'improve' year parsing in urclock (or at least go back to the old interpretation) (based on an analysis by Tommy Pettersson).
    • execasync (used e.g. by the matcher extension to spawn processes) now sets the URXVT_EXT_WINDOWID variable to the window id of the terminal.
    • implement -fps option/refreshRate resource to change the default 60 Hz maximum refresh limiter. I always wanted an fps option, but had to wait for a user requesting it.
    • new clickthrough extension.
    • perl now also requires Xext.
    • X region and shape extension functionality has been exposed to perl extensions.
    • RENDER extension no longer depends on ENABLE_XIM_ONTHESPOT.

Affected packages

SUSE:Package Hub 15 SP4 / rxvt-unicode

Package

Name
rxvt-unicode
Purl
pkg:rpm/suse/rxvt-unicode&distro=SUSE%20Package%20Hub%2015%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
9.31-bp155.3.3.1

Ecosystem specific

{
    "binaries": [
        {
            "rxvt-unicode": "9.31-bp155.3.3.1"
        }
    ]
}

SUSE:Package Hub 15 SP5 / rxvt-unicode

Package

Name
rxvt-unicode
Purl
pkg:rpm/suse/rxvt-unicode&distro=SUSE%20Package%20Hub%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
9.31-bp155.3.3.1

Ecosystem specific

{
    "binaries": [
        {
            "rxvt-unicode": "9.31-bp155.3.3.1"
        }
    ]
}

openSUSE:Leap 15.4 / rxvt-unicode

Package

Name
rxvt-unicode
Purl
pkg:rpm/opensuse/rxvt-unicode&distro=openSUSE%20Leap%2015.4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
9.31-bp155.3.3.1

Ecosystem specific

{
    "binaries": [
        {
            "rxvt-unicode": "9.31-bp155.3.3.1"
        }
    ]
}

openSUSE:Leap 15.5 / rxvt-unicode

Package

Name
rxvt-unicode
Purl
pkg:rpm/opensuse/rxvt-unicode&distro=openSUSE%20Leap%2015.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
9.31-bp155.3.3.1

Ecosystem specific

{
    "binaries": [
        {
            "rxvt-unicode": "9.31-bp155.3.3.1"
        }
    ]
}