openSUSE: 2022:10222-1 important: rxvt-unicode | LinuxSecurity.com

   openSUSE Security Update: Security update for rxvt-unicode
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:10222-1
Rating:             important
References:         #1186174 
Cross-References:   CVE-2008-1142 CVE-2021-33477
CVSS scores:
                    CVE-2021-33477 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    openSUSE Backports SLE-15-SP3
                    openSUSE Backports SLE-15-SP4
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for rxvt-unicode fixes the following issues:

   Update to 9.26

   - ev_iouring.c was wrongly required during compilation, and wrongly not
     packaged.

   Update to 9.25 (boo#1186174 CVE-2021-33477)

   - for the 17.5th anniversary, and because many distributions seem to
     remove rxvt in favour of urxvt, this release resurrects rclock as
     urclock.
   - add support for systemd socket-based activation - debian bug #917105,
     freebsd bug #234276.
   - do not destruct perl on exit anymore: this might fail for a variety of
     reasons, and takes unneccessary time.
   - remove any macros from urxvtperl manpage(s), should fix debian bug
     858385.
   - the old bg image resources are now provided by the background extension,
     and perl is thus required for bg image support. No configuration change
     is needed: urxvt autoloads the background ext if any bg image
     resource/option is present (for OSC sequences to work you need to enable
     it explicity). The old bg image resources are also now deprecated; users
     are encouraged to switch to the new bg image interface (see man
     urxvt-background).
   - confirm-paste now checks for any ctlchars, not just newlines.
   - searchable scrollback will now ignore bracketed paste mode sequences
     (prompted by Daniel Gröber's patch).
   - drop ISO 2022 locale support. ISO 2022 encodings are not supported in
     POSIX locales and clash with vt100 charset emulation (the luit program
     can be used as a substitute).
   - perl didn't parse rgba colours specified as an array correctly,
     only allowing 0 and 100% intensity for each component (this affected
      fill and tint).
   - when iterating over resources, urxvt will now try to properly handle
     multipart resources (such as "*background.expr"), for the benefit
     of autoloading perl extensions.
   - ESC G (query rxvt graphics mode) has been disabled due to security
     implications. The rxvt graphics mode was removed in rxvt-unicode 1.5,
     and no programs relying on being able to query the mode are known.
   - work around API change breakage in perl 5.28, based on a patch by Roman
     Bogorodskiy.
   - improved security: rob nation's (obsolete) graphics mode queries no
     longer reply with linefeed in secure/default mode.
   - ISO 8613-3 direct colour SGR sequences (patch by Fengguang Wu).
   - xterm focus reporting mode (patch by Daniel Hahler).
   - xterm SGR mouse mode.
   - implement DECRQM. Patch by Přemysl Eric Janouch.
   - add missing color index parameter to OSC 4 response. Patch by Přemysl
     Eric Janouch.
   - in some window managers, if smart resize was enabled, urxvt erroneously
     moved the window on font change - awesome bug #532, arch linux bug
     ##34807 (patch by Uli Schlachter).
   - fix urxvtd crash when using a background expression.
   - properly restore colors when using fading and reverse video is enabled
     while urxvt is focused and then disabled while it is not focused, or
     vice versa (patch by Daniel Hahler).
   - fix high memory usage when an extension repeatedly hides and shows an
     overlay (reported by Marcel Lautenbach).
   - expose priv_modes member and constants to perl extensions (patch by
     Rastislav Barlik).
   - fix a whole slew of const sillyness, unfortunately forced upon us by ISO
     C++.
   - update to libecb 0x00010006.
   - disable all thread support in ecb.h as we presumably don't need it.
   - slightly improve Makefile source dependencies.
   - work around bugs in newer Pod::Xhtml versions (flags incorrect
     formatting codes in xhtml/html sections but does not interpret correct
     ones).
   - New file: /usr/bin/urclock
   - restore the -256color binaries


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP4:

      zypper in -t patch openSUSE-2022-10222=1

   - openSUSE Backports SLE-15-SP3:

      zypper in -t patch openSUSE-2022-10222=1



Package List:

   - openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64):

      rxvt-unicode-9.26-bp154.2.3.1
      rxvt-unicode-debuginfo-9.26-bp154.2.3.1
      rxvt-unicode-debugsource-9.26-bp154.2.3.1

   - openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64):

      rxvt-unicode-9.26-bp153.2.3.1


References:

   https://www.suse.com/security/cve/CVE-2008-1142.html
   https://www.suse.com/security/cve/CVE-2021-33477.html
   https://bugzilla.suse.com/1186174

openSUSE: 2022:10222-1 important: rxvt-unicode

November 30, 2022
An update that fixes two vulnerabilities is now available

Description

This update for rxvt-unicode fixes the following issues: Update to 9.26 - ev_iouring.c was wrongly required during compilation, and wrongly not packaged. Update to 9.25 (boo#1186174 CVE-2021-33477) - for the 17.5th anniversary, and because many distributions seem to remove rxvt in favour of urxvt, this release resurrects rclock as urclock. - add support for systemd socket-based activation - debian bug #917105, freebsd bug #234276. - do not destruct perl on exit anymore: this might fail for a variety of reasons, and takes unneccessary time. - remove any macros from urxvtperl manpage(s), should fix debian bug 858385. - the old bg image resources are now provided by the background extension, and perl is thus required for bg image support. No configuration change is needed: urxvt autoloads the background ext if any bg image resource/option is present (for OSC sequences to work you need to enable it explicity). The old bg image resources are also now deprecated; users are encouraged to switch to the new bg image interface (see man urxvt-background). - confirm-paste now checks for any ctlchars, not just newlines. - searchable scrollback will now ignore bracketed paste mode sequences (prompted by Daniel Gröber's patch). - drop ISO 2022 locale support. ISO 2022 encodings are not supported in POSIX locales and clash with vt100 charset emulation (the luit program can be used as a substitute). - perl didn't parse rgba colours specified as an array correctly, only allowing 0 and 100% intensity for each component (this affected fill and tint). - when iterating over resources, urxvt will now try to properly handle multipart resources (such as "*background.expr"), for the benefit of autoloading perl extensions. - ESC G (query rxvt graphics mode) has been disabled due to security implications. The rxvt graphics mode was removed in rxvt-unicode 1.5, and no programs relying on being able to query the mode are known. - work around API change breakage in perl 5.28, based on a patch by Roman Bogorodskiy. - improved security: rob nation's (obsolete) graphics mode queries no longer reply with linefeed in secure/default mode. - ISO 8613-3 direct colour SGR sequences (patch by Fengguang Wu). - xterm focus reporting mode (patch by Daniel Hahler). - xterm SGR mouse mode. - implement DECRQM. Patch by Přemysl Eric Janouch. - add missing color index parameter to OSC 4 response. Patch by Přemysl Eric Janouch. - in some window managers, if smart resize was enabled, urxvt erroneously moved the window on font change - awesome bug #532, arch linux bug ##34807 (patch by Uli Schlachter). - fix urxvtd crash when using a background expression. - properly restore colors when using fading and reverse video is enabled while urxvt is focused and then disabled while it is not focused, or vice versa (patch by Daniel Hahler). - fix high memory usage when an extension repeatedly hides and shows an overlay (reported by Marcel Lautenbach). - expose priv_modes member and constants to perl extensions (patch by Rastislav Barlik). - fix a whole slew of const sillyness, unfortunately forced upon us by ISO C++. - update to libecb 0x00010006. - disable all thread support in ecb.h as we presumably don't need it. - slightly improve Makefile source dependencies. - work around bugs in newer Pod::Xhtml versions (flags incorrect formatting codes in xhtml/html sections but does not interpret correct ones). - New file: /usr/bin/urclock - restore the -256color binaries

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP4: zypper in -t patch openSUSE-2022-10222=1 - openSUSE Backports SLE-15-SP3: zypper in -t patch openSUSE-2022-10222=1


Package List

- openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64): rxvt-unicode-9.26-bp154.2.3.1 rxvt-unicode-debuginfo-9.26-bp154.2.3.1 rxvt-unicode-debugsource-9.26-bp154.2.3.1 - openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64): rxvt-unicode-9.26-bp153.2.3.1


References

https://www.suse.com/security/cve/CVE-2008-1142.html https://www.suse.com/security/cve/CVE-2021-33477.html https://bugzilla.suse.com/1186174


Severity
Announcement ID: openSUSE-SU-2022:10222-1
Rating: important
Affected Products: openSUSE Backports SLE-15-SP3 openSUSE Backports SLE-15-SP4 .

Related News