Upstream information

CVE-2008-1142 at MITRE

Description

rxvt 2.6.4 opens a terminal window on :0 if the DISPLAY environment variable is not set, which might allow local users to hijack X11 connections. NOTE: it was later reported that rxvt-unicode, mrxvt, aterm, multi-aterm, and wterm are also affected. NOTE: realistic attack scenarios require that the victim enters a command on the wrong machine.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v2 Scores
  National Vulnerability Database
Base Score 3.7
Vector AV:L/AC:H/Au:N/C:P/I:P/A:P
Access Vector Local
Access Complexity High
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial
SUSE Bugzilla entry: 415661 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Linux Enterprise Software Development Kit 11 SP4
  • rxvt-unicode >= 9.05-1.19.1
Patchnames:
SUSE Linux Enterprise Software Development Kit 11 SP4 GA rxvt-unicode
openSUSE 11.0
  • rxvt-unicode-debuginfo >= 9.02-14.2
  • rxvt-unicode-debugsource >= 9.02-14.2
openSUSE 11.0
  • rxvt-unicode >= 9.02-14.2
openSUSE Leap 15.0
  • rxvt-unicode >= 9.22-lp150.2.1
Patchnames:
openSUSE Leap 15.0 GA rxvt-unicode
openSUSE Leap 42.1
  • rxvt-unicode >= 9.21-4.6
Patchnames:
openSUSE Leap 42.1 GA rxvt-unicode
openSUSE Leap 42.2
  • rxvt-unicode >= 9.21-5.26
Patchnames:
openSUSE Leap 42.2 GA rxvt-unicode
openSUSE Leap 42.3
  • rxvt-unicode >= 9.21-8.2
Patchnames:
openSUSE Leap 42.3 GA rxvt-unicode
openSUSE Tumbleweed
  • rxvt-unicode >= 9.22-1.1
Patchnames:
openSUSE Tumbleweed GA rxvt-unicode