
An rxvt-unicode security update (openSUSE-SU-2022:10222-1) has been released for openSUSE Backports SLE-15-SP3 and SLE-15-SP4, updating the package to upstream 9.26 and fixing CVE-2021-33477.

openSUSE-SU-2022:10222-1: important: Security update for rxvt-unicode

openSUSE Security Update: Security update for rxvt-unicode
______________________________________________________________________________

Announcement ID: openSUSE-SU-2022:10222-1
Rating: important
References: #1186174
Cross-References: CVE-2008-1142 CVE-2021-33477
CVSS scores:
CVE-2021-33477 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Backports SLE-15-SP3
openSUSE Backports SLE-15-SP4
______________________________________________________________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for rxvt-unicode fixes the following issues:

Update to 9.26

- ev_iouring.c was wrongly required during compilation, and wrongly not
packaged.

Update to 9.25 (boo#1186174 CVE-2021-33477)

- for the 17.5th anniversary, and because many distributions seem to
remove rxvt in favour of urxvt, this release resurrects rclock as
urclock.
- add support for systemd socket-based activation - debian bug #917105,
freebsd bug #234276.
- do not destruct perl on exit anymore: this might fail for a variety of
reasons, and takes unnecessary time.
- remove any macros from urxvtperl manpage(s), should fix debian bug
858385.
- the old bg image resources are now provided by the background extension,
and perl is thus required for bg image support. No configuration change
is needed: urxvt autoloads the background ext if any bg image
resource/option is present (for OSC sequences to work you need to enable
it explicitly). The old bg image resources are also now deprecated; users
are encouraged to switch to the new bg image interface (see man
urxvt-background).
- confirm-paste now checks for any ctlchars, not just newlines.
- searchable scrollback will now ignore bracketed paste mode sequences
(prompted by Daniel Gröber's patch).
- drop ISO 2022 locale support. ISO 2022 encodings are not supported in
POSIX locales and clash with vt100 charset emulation (the luit program
can be used as a substitute).
- perl didn't parse rgba colours specified as an array correctly,
only allowing 0 and 100% intensity for each component (this affected
fill and tint).
- when iterating over resources, urxvt will now try to properly handle
multipart resources (such as "*background.expr"), for the benefit
of autoloading perl extensions.
- ESC G (query rxvt graphics mode) has been disabled due to security
implications. The rxvt graphics mode was removed in rxvt-unicode 1.5,
and no programs relying on being able to query the mode are known.
- work around API change breakage in perl 5.28, based on a patch by Roman
Bogorodskiy.
- improved security: rob nation's (obsolete) graphics mode queries no
longer reply with linefeed in secure/default mode. This is the
CVE-2021-33477 issue: a reply that ends in a linefeed is delivered to the
foreground program as a completed input line, so untrusted text that is
merely displayed in the terminal could cause input to be entered.
- ISO 8613-3 direct colour SGR sequences (patch by Fengguang Wu).
- xterm focus reporting mode (patch by Daniel Hahler).
- xterm SGR mouse mode.
- implement DECRQM. Patch by Přemysl Eric Janouch.
- add missing color index parameter to OSC 4 response. Patch by Přemysl
Eric Janouch.
- in some window managers, if smart resize was enabled, urxvt erroneously
moved the window on font change - awesome bug #532, arch linux bug
#34807 (patch by Uli Schlachter).
- fix urxvtd crash when using a background expression.
- properly restore colors when using fading and reverse video is enabled
while urxvt is focused and then disabled while it is not focused, or
vice versa (patch by Daniel Hahler).
- fix high memory usage when an extension repeatedly hides and shows an
overlay (reported by Marcel Lautenbach).
- expose priv_modes member and constants to perl extensions (patch by
Rastislav Barlik).
- fix a whole slew of const silliness, unfortunately forced upon us by ISO
C++.
- update to libecb 0x00010006.
- disable all thread support in ecb.h as we presumably don't need it.
- slightly improve Makefile source dependencies.
- work around bugs in newer Pod::Xhtml versions (flags incorrect
formatting codes in xhtml/html sections but does not interpret correct
ones).
- New file: /usr/bin/urclock
- restore the -256color binaries
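The two ESC G items in the 9.25 list above describe the hazard behind CVE-2021-33477: a terminal that answers a query by writing a reply into its own input, terminated by a linefeed, turns every program that merely displays attacker-supplied bytes (cat of a downloaded file, a log viewer, a chat client) into a way of entering a line at the prompt. The following is an added example, not code from the advisory, from SUSE or from rxvt-unicode: an allow-list filter for untrusted bytes that keeps printable text and plain SGR colour sequences, drops every other escape sequence, and reports the ones that provoke a reply (ESC G, DA/DSR reports, OSC colour queries). All function and constant names are mine, and the sample log line is constructed.

```python
"""Allow-list filter for untrusted bytes headed for a terminal.

Added example for this advisory, not code from rxvt-unicode or SUSE.
Rationale: some escape sequences make the terminal write a reply into its
own input; ESC G (the rxvt graphics-mode query disabled in urxvt 9.25) is
one of them.  Only printable text and plain SGR colour sequences pass.
"""
import re
from typing import List, Tuple

ESC = 0x1B
# Sequences that provoke a reply from the terminal (names are mine).
QUERY_ESC_FINALS = {b"G"}            # ESC G: rxvt graphics-mode query
QUERY_CSI_FINALS = {b"c", b"n"}      # CSI ... c = DA, CSI ... n = DSR reports
STRING_INTRODUCERS = {b"]", b"P", b"_", b"^", b"X"}  # OSC, DCS, APC, PM, SOS
_PLAIN_SGR = re.compile(rb"\x1b\[[0-9;]*m")           # the only sequence allowed through


def sanitize_for_display(data: bytes) -> Tuple[bytes, List[str]]:
    """Return (cleaned bytes, list of findings describing what was removed)."""
    out = bytearray()
    findings: List[str] = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != ESC:
            # Keep printable/UTF-8 bytes plus tab, LF and CR; drop other C0 controls.
            if b >= 0x20 or b in (0x09, 0x0A, 0x0D):
                out.append(b)
            i += 1
            continue
        kind = data[i + 1:i + 2]
        if kind == b"[":
            # CSI: parameter bytes 0x30-0x3F, intermediates 0x20-0x2F, one final 0x40-0x7E.
            j = i + 2
            while j < n and 0x30 <= data[j] <= 0x3F:
                j += 1
            while j < n and 0x20 <= data[j] <= 0x2F:
                j += 1
            final = data[j:j + 1]
            seq = bytes(data[i:j + 1])
            if final in QUERY_CSI_FINALS:
                findings.append(f"query CSI {seq!r}")
            elif final == b"m" and _PLAIN_SGR.fullmatch(seq):
                out += seq                      # plain colour/attribute change, kept
            else:
                findings.append(f"dropped CSI {seq!r}")
            i = j + 1
        elif kind in STRING_INTRODUCERS:
            # OSC/DCS/...: payload runs until BEL or ST (ESC \).
            j = i + 2
            while j < n:
                if data[j] == 0x07:
                    j += 1
                    break
                if data[j] == ESC and data[j + 1:j + 2] == b"\\":
                    j += 2
                    break
                j += 1
            seq = bytes(data[i:j])
            if kind == b"]" and b"?" in seq:
                findings.append(f"query OSC {seq!r}")   # e.g. OSC 10;? asks for the fg colour
            else:
                findings.append(f"dropped string sequence {seq!r}")
            i = j
        else:
            # Two-byte ESC x sequences (or a lone trailing ESC).  For ESC G the rxvt
            # command byte that follows is left in place; it is then just plain text.
            seq = bytes(data[i:i + 2])
            if kind in QUERY_ESC_FINALS:
                findings.append(f"query {seq!r} (rxvt graphics mode; CVE-2021-33477 class)")
            else:
                findings.append(f"dropped {seq!r}")
            i += 2
    return bytes(out), findings


def provokes_reply(data: bytes) -> bool:
    """True if the bytes contain any sequence the terminal would answer."""
    return any(f.startswith("query") for f in sanitize_for_display(data)[1])


# Constructed sample: a log line with harmless colouring plus three reply-provoking queries.
SAMPLE_LOG_LINE = (
    b"user=alice msg=\x1b[31mlogin failed\x1b[0m "
    b"\x1bG"            # rxvt graphics-mode query
    b"\x1b[c"           # primary DA
    b"\x1b]10;?\x07"    # OSC 10 foreground-colour query
    b"\n"
)

if __name__ == "__main__":
    clean, findings = sanitize_for_display(SAMPLE_LOG_LINE)
    print(clean.decode())
    for f in findings:
        print("removed:", f)
```

The filter works on the 7-bit ESC forms only; in a non-UTF-8 locale a terminal may also honour 8-bit C1 introducers (0x9B for CSI, 0x9D for OSC), so a viewer running in such a locale should drop bytes 0x80-0x9F as well. Fixing the terminal, as this update does, is the real remedy; the filter is defence in depth for software that prints data it does not trust.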

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP4:

zypper in -t patch openSUSE-2022-10222=1

- openSUSE Backports SLE-15-SP3:

zypper in -t patch openSUSE-2022-10222=1


Package List:

- openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64):

rxvt-unicode-9.26-bp154.2.3.1
rxvt-unicode-debuginfo-9.26-bp154.2.3.1
rxvt-unicode-debugsource-9.26-bp154.2.3.1

- openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64):

rxvt-unicode-9.26-bp153.2.3.1
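To confirm that the package listed above is actually what is installed, the version field of the rpm name is what matters: anything at or above 9.26 carries the fix. The following is an added example, not SUSE tooling: it parses an rpm NVRA string of the form shown in the package list (the `-debuginfo` and `-debugsource` names deliberately do not match), compares the upstream version numerically, and, when `rpm` is available, queries the live system. The function names and the 9.22 sample string are mine; the numeric dotted-version comparison is an assumption that holds for urxvt's plain `9.xx` releases but is not a full rpmvercmp.

```python
"""Check whether the installed rxvt-unicode carries openSUSE-SU-2022:10222-1.

Added example for this advisory, not SUSE tooling.  Assumes a numeric
dotted upstream version (9.26) and rpm names of the form
"rxvt-unicode-9.26-bp154.2.3.1.x86_64" as in the advisory's package list.
"""
import shutil
import subprocess
from typing import List, Optional, Tuple

FIXED_VERSION = "9.26"   # first version shipped by this update
PACKAGE = "rxvt-unicode"


def _numeric_parts(version: str) -> List[int]:
    """'9.26' -> [9, 26].  Each segment is read up to its first non-digit
    (assumption: good enough for urxvt's plain dotted releases)."""
    parts: List[int] = []
    for seg in version.split("."):
        digits = ""
        for ch in seg:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return parts


def version_at_least(installed: str, required: str) -> bool:
    """Numeric dotted comparison; missing trailing segments count as 0."""
    a, b = _numeric_parts(installed), _numeric_parts(required)
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return a >= b


def split_nvra(nvra: str, name: str = PACKAGE) -> Optional[Tuple[str, str]]:
    """Split 'rxvt-unicode-9.26-bp154.2.3.1.x86_64' into (version, release.arch).
    Returns None for other packages, including 'rxvt-unicode-debuginfo-...'."""
    prefix = name + "-"
    if not nvra.startswith(prefix):
        return None
    rest = nvra[len(prefix):]
    if "-" not in rest:
        return None
    version, release = rest.split("-", 1)
    if not version[:1].isdigit():
        return None        # e.g. 'debuginfo-9.26-...': a different package
    return version, release


def nvra_is_fixed(nvra: str) -> bool:
    parsed = split_nvra(nvra)
    return parsed is not None and version_at_least(parsed[0], FIXED_VERSION)


def installed_nvra() -> Optional[str]:
    """Installed rxvt-unicode NVRA via rpm, or None when rpm is absent or the
    package is not installed."""
    if shutil.which("rpm") is None:
        return None
    proc = subprocess.run(["rpm", "-q", PACKAGE], capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return proc.stdout.strip().splitlines()[0]


if __name__ == "__main__":
    nvra = installed_nvra()
    if nvra is None:
        print(f"{PACKAGE} not installed (or rpm not available)")
    elif nvra_is_fixed(nvra):
        print(f"{nvra}: fixed")
    else:
        print(f"{nvra}: VULNERABLE, apply patch openSUSE-2022-10222")
```

On a system with zypper, `zypper info -t patch openSUSE-2022-10222` gives the same answer from the patch metadata (status "needed" or "not needed") without any parsing; the script above is for inventory data where only package names are available. Remember that a running urxvt or urxvtd keeps the old code until it is restarted.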

References:

  https://www.suse.com/security/cve/CVE-2008-1142.html
  https://www.suse.com/security/cve/CVE-2021-33477.html
  https://bugzilla.suse.com/1186174