[gentoo-announce] [ GLSA 202209-25 ] Zutty: Arbitrary Code Execution

    From glsamaker@gentoo.org@21:1/5 to All on Thu Sep 29 16:50:01 2022
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202209-25
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Normal
    Title: Zutty: Arbitrary Code Execution
    Date: September 29, 2022
    Bugs: #868495
    ID: 202209-25

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been discovered in Zutty which could allow for
    arbitrary code execution.

    Background
    ==========

    Zutty is an X terminal emulator rendering through OpenGL ES Compute
    Shaders.

    Affected packages
    =================

    -------------------------------------------------------------------
         Package              /     Vulnerable     /         Unaffected
    -------------------------------------------------------------------
      1  x11-terms/zutty            < 0.13                    >= 0.13

    Description
    ===========

    Zutty does not correctly handle invalid DECRQSS commands, which can
    be exploited to run arbitrary commands in the terminal.

    Impact
    ======

    Untrusted text written to the Zutty terminal can achieve arbitrary
    code execution.
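    Added example (not from the advisory or the Zutty project): a Python scanner that a log viewer, or any other program echoing untrusted text to a terminal, can apply before writing, stripping DCS/OSC/SOS/PM/APC control strings and reporting any DECRQSS request it removed. It assumes the ECMA-48 and DEC encodings (DCS as ESC P or 0x90, ST as ESC \ or 0x9C, DECRQSS data strings beginning with "$q") and accepts BEL as a terminator in the xterm style; the sample line is constructed.

```python
from typing import List, Tuple

# 7-bit and 8-bit forms of the ECMA-48 control-string introducers. The Zutty
# bug is in its handling of DCS-carried DECRQSS requests, but no string-type
# control should reach a terminal from untrusted text.
STRING_OPENERS = [  # (kind, introducer)
    ("DCS", "\x1bP"), ("DCS", "\x90"), ("OSC", "\x1b]"), ("OSC", "\x9d"),
    ("SOS", "\x1bX"), ("SOS", "\x98"), ("PM", "\x1b^"), ("PM", "\x9e"),
    ("APC", "\x1b_"), ("APC", "\x9f"),
]
TERMINATORS = ("\x1b\\", "\x9c", "\x07")  # ST (both forms) plus xterm's BEL
DECRQSS_PREFIX = "$q"  # DECRQSS data string: "$q" + queried setting, e.g. "m"
# Constructed sample: a DECRQSS SGR query, harmless SGR colours, an OSC title.
SAMPLE = "user: alice \x1bP$qm\x1b\\ \x1b[31mfailed\x1b[0m \x1b]0;x\x07login"


def _string_end(text: str, start: int) -> Tuple[int, int]:
    """Return (body_end, resume_index) for a control string opened at `start`;
    an unterminated string swallows the rest, so nothing after it is emitted."""
    i = start
    while i < len(text):
        for term in TERMINATORS:
            if text.startswith(term, i):
                return i, i + len(term)
        i += 1
    return len(text), len(text)


def sanitize(text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Strip DCS/OSC/SOS/PM/APC strings; return (clean_text, findings).
    Each finding is (kind, payload); kind is "DECRQSS" for a DCS payload
    starting with "$q". CSI sequences (e.g. SGR colours) are kept."""
    out, findings = [], []
    i = 0
    while i < len(text):
        for kind, opener in STRING_OPENERS:
            if text.startswith(opener, i):
                body_start = i + len(opener)
                body_end, i = _string_end(text, body_start)
                body = text[body_start:body_end]
                if kind == "DCS" and body.startswith(DECRQSS_PREFIX):
                    kind = "DECRQSS"
                findings.append((kind, body))
                break
        else:  # no introducer here: ordinary character, pass it through
            out.append(text[i])
            i += 1
    return "".join(out), findings
```

    Calling sanitize(SAMPLE) returns the line with the DCS and OSC strings removed and the colour codes intact, together with a finding of kind "DECRQSS" carrying the payload "$qm".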

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All Zutty users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=x11-terms/zutty-0.13"

    References
    ==========

    [ 1 ] CVE-2022-41138
    https://nvd.nist.gov/vuln/detail/CVE-2022-41138

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202209-25

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    security@gentoo.org or alternatively, you may file a bug at
    https://bugs.gentoo.org.

    License
    =======

    Copyright 2022 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5