CVE-2022-4170

NameCVE-2022-4170
DescriptionThe rxvt-unicode package is vulnerable to a remote code execution, in the Perl background extension, when an attacker can control the data written to the user's terminal and certain options are set.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1025489

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rxvt-unicode (PTS)buster9.22-6+deb10u1fixed
bullseye9.22-11fixed
bookworm9.30-2vulnerable
sid, trixie9.31-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
rxvt-unicodesourcebuster(not affected)
rxvt-unicodesourcebullseye(not affected)
rxvt-unicodesource(unstable)9.31-11025489

Notes

[bookworm] - rxvt-unicode <no-dsa> (Minor issue)
[bullseye] - rxvt-unicode <not-affected> (Vulnerable code introduced later)
[buster] - rxvt-unicode <not-affected> (Vulnerable code introduced later)
https://www.openwall.com/lists/oss-security/2022/12/05/1
http://cvs.schmorp.de/rxvt-unicode/src/perl/background?r1=1.105&r2=1.109
Not exploitable due to a bug since 9.30 upstream
Search for package or bug name: Reporting problems