CVE-2022-45063

In older versions of tmux, there was a font operation vulnerability that allowed command execution. This is no longer the case.

Before upgrading, check any applicable distribution's xterm settings to avoid accidental code execution. For example, the vi line-editing mode of Ubuntu 16.04 is configured as follows: "Xterm*VT100.font: DejaVu Sans Mono:p:135:50:*" This results in the vi command being executed when the OSC response has Ctrl-g. The same settings are used by some other distributions, such as Red Hat Enterprise Linux 7.

Check for software updates

Before upgrading, check any applicable distribution's xterm settings to avoid accidental code execution. For example, the vi line-editing mode of Ubuntu 16.04 is configured as follows:
"Xterm*VT100.font: DejaVu Sans Mono:p:135:50:-*" This results in the vi command being executed when there is no key press on Ctrl-g.

Debian-Based Systems

Debian-based systems, such as Ubuntu 16.04, require a patch to prevent accidental code execution.
Debian-based systems need to be patched before upgrading so that the vi command will not execute when the OSC response has Ctrl-g. Here is how you can apply this patch: "Xterm*VT100.font: DejaVu Sans Mono:p:135:50:*" This results in the vi command being executed when the OSC response has Ctrl-g. The same settings are used by some other distributions, such as Red Hat Enterprise Linux 7.

Check for vulnerable xterm server settings

If you're not sure which distribution you're running, the following command can help: "uname -a"

Check for X11 updates

Before upgrading, check any applicable distribution's xterm settings to avoid accidental code execution. For example, the vi line-editing mode of Ubuntu 16.04 is configured as follows: "Xterm*VT100.font: DejaVu Sans Mono:p:135:50:*" This results in the vi command being executed when the OSC response has Ctrl-g. The same settings are used by some other distributions, such as Red Hat Enterprise Linux 7.

Timeline

Published on: 11/10/2022 16:15:00 UTC
Last modified on: 11/23/2022 03:15:00 UTC
