Zutty: Arbitrary Code Execution — GLSA 202209-25

A vulnerability has been discovered in Zutty which could allow for arbitrary code execution.

Affected packages

x11-terms/zutty on all architectures
Affected versions < 0.13
Unaffected versions >= 0.13

Background

Zutty is an X terminal emulator rendering through OpenGL ES Compute Shaders.

Description

Zutty does not correctly handle invalid DECRQSS commands, which can be exploited to run arbitrary commands in the terminal.

Impact

Untrusted text written to the Zutty terminal can achieve arbitrary code execution.
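An added example (not part of this advisory or of Zutty's code) that scans untrusted bytes, such as a log or a downloaded file, for DECRQSS requests before they are displayed in a terminal. The `DCS $ q ... ST` framing and the set of documented request strings come from xterm's control-sequence documentation, not from this page, and the sample input is constructed.

```python
import re
import sys

# DECRQSS (Request Status String) framing per the xterm control-sequence
# documentation (an assumption brought in here, not stated in the GLSA):
#   DCS $ q <request> ST, with DCS = ESC P or 0x90 and ST = ESC \ or 0x9c.
# The 8-bit forms can false-positive on UTF-8 continuation bytes.
DCS = rb"(?:\x1bP|\x90)"
ST = rb"(?:\x1b\\|\x9c)"
DECRQSS = re.compile(DCS + rb"\$q(?P<body>.*?)(?P<end>" + ST + rb"|\Z)", re.DOTALL)

# Request strings xterm documents for DECRQSS; anything else is reported
# as unrecognized so a reviewer can look at it.
KNOWN_REQUESTS = {b"m", b"r", b"s", b"t", b'"p', b'"q', b" q", b"$|", b"*|"}


def find_decrqss(data: bytes) -> list:
    """Return one finding per DECRQSS request found in data."""
    findings = []
    for m in DECRQSS.finditer(data):
        body = m.group("body")
        findings.append({
            "offset": m.start(),
            "request": body,
            "recognized": body in KNOWN_REQUESTS,
            "terminated": bool(m.group("end")),  # False: ran to end of data
        })
    return findings


# Constructed sample input, not captured from a real system.
SAMPLE = (
    b"plain log line\n"
    b"\x1bP$qm\x1b\\"              # documented request (SGR)
    b"more text \x1bP$qzz\x1b\\"   # request string not in the documented set
    b'tail \x1bP$q"p'              # no string terminator
)

if __name__ == "__main__":
    # Scan files named on the command line, or the sample if none are given.
    inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE)]
    for name, data in inputs:
        for f in find_decrqss(data):
            print(f"{name}: offset {f['offset']}: DECRQSS request {f['request']!r} "
                  f"recognized={f['recognized']} terminated={f['terminated']}")
```

Any finding in data that should be plain text is worth reviewing, since ordinary logs and documents have no reason to carry terminal status requests.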

Workaround

There is no known workaround at this time.

Resolution

All Zutty users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=x11-terms/zutty-0.13"
 

References

Release date
September 29, 2022

Latest revision
September 29, 2022: 1

Severity
normal

Exploitable
remote

Bugzilla entries