What is CVE-2022-4170?

CVE-2022-4170 is a vulnerability in the rxvt-unicode package that allows remote code execution when an attacker can control the data written to the user's terminal and certain options are set.

How severe is CVE-2022-4170?

CVE-2022-4170 has a severity rating of 9.8 (Critical).

Which software versions are affected by CVE-2022-4170?

The affected versions include rxvt-unicode 9.25 and 9.26, Extra Packages for Enterprise Linux 8.0, and Fedora 37.

How can I fix CVE-2022-4170?

To fix CVE-2022-4170, it is recommended to upgrade to rxvt-unicode version 9.30 or higher.

Where can I find more information about CVE-2022-4170?

Additional information can be found at the following references: [link1](https://bugzilla.redhat.com/show_bug.cgi?id=2151597), [link2](https://www.openwall.com/lists/oss-security/2022/12/05/1), [link3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2151598).

Vulnerability/
CVE-2022-4170

critical

9.8

CWE

7/12/2022

9/12/2022

3/8/2024

CVE-2022-4170

First published: Wed Dec 07 2022(Updated: )

rxvt-unicode 9.25 and 9.26 are vulnerable to remote code execution, in the Perl background extension, when an attacker can control the data written to the user's terminal and certain options are set. The "background" extension is automatically loaded if certain X resources are set such as 'transparent' (see the full list at the top of src/perl/background). So it is possible to be using this extension without realizing it. This is accidentally fixed on version 9.30, and 9.29, it appears to not be exploitable, but only due to another bug (not a security bug). The actual bug which makes this not vulnerable on 9.30 is simply a wrong number in "on_osc_seq".

Credit: patrick@puiterwijk.org patrick@puiterwijk.org

Affected Software	Affected Version	How to fix
Rxvt-unicode Project Rxvt-unicode	=9.25
Rxvt-unicode Project Rxvt-unicode	=9.26
Fedoraproject Extra Packages For Enterprise Linux	=8.0
Fedoraproject Fedora	=37
redhat/rxvt-unicode	<9.30	9.30

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2022-4170?
CVE-2022-4170 is a vulnerability in the rxvt-unicode package that allows remote code execution when an attacker can control the data written to the user's terminal and certain options are set.
How severe is CVE-2022-4170?
CVE-2022-4170 has a severity rating of 9.8 (Critical).
Which software versions are affected by CVE-2022-4170?
The affected versions include rxvt-unicode 9.25 and 9.26, Extra Packages for Enterprise Linux 8.0, and Fedora 37.
How can I fix CVE-2022-4170?
To fix CVE-2022-4170, it is recommended to upgrade to rxvt-unicode version 9.30 or higher.
Where can I find more information about CVE-2022-4170?
Additional information can be found at the following references: [link1](https://bugzilla.redhat.com/show_bug.cgi?id=2151597), [link2](https://www.openwall.com/lists/oss-security/2022/12/05/1), [link3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2151598).

collector/nvd-index
collector/nvd-api
agent/author
agent/type
agent/event
agent/first-publish-date
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/references
agent/last-modified-date
agent/severity
agent/weakness
agent/description
agent/tags
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2022-4170
agent/software-canonical-lookup
vendor/rxvt-unicode project
canonical/rxvt-unicode project rxvt-unicode
version/rxvt-unicode project rxvt-unicode/9.25
version/rxvt-unicode project rxvt-unicode/9.26
vendor/fedoraproject
canonical/fedoraproject extra packages for enterprise linux
version/fedoraproject extra packages for enterprise linux/8.0
canonical/fedoraproject fedora
version/fedoraproject fedora/37
package-manager/redhat