Hi, as far as I can see your patch is wrong because it completely removes the usage of the DISPLAY variable.

Attached is a correct patch I will upload as NMU. It will also be archived on: http://people.debian.org/~nion/nmu-diff/eterm-0.9.4.0debian1-2_0.9.4.0debian1-2.1.patch

BTW the -display option seems to be broken anyway, Eterm -display :0.0 doesn't work while DISPLAY=:0.0 Eterm does fine. I will not analyze this in more detail as it was broken before too.

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u eterm-0.9.4.0debian1/debian/changelog eterm-0.9.4.0debian1/debian/changelog
--- eterm-0.9.4.0debian1/debian/changelog
+++ eterm-0.9.4.0debian1/debian/changelog
@@ -1,3 +1,12 @@
+eterm (0.9.4.0debian1-2.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix opening the terminal on display :0 if no DISPLAY environment
+ variable is specified to prevent local attackers from highjacking
+ X11 connections in certain environments (CVE-2008-1692; Closes: #473127)
+
+ -- Nico Golde <[EMAIL PROTECTED]> Tue, 15 Apr 2008 19:15:59 +0200
+
eterm (0.9.4.0debian1-2) unstable; urgency=low
* debian/copyright: uploaded wrong copy in 0.9.4.0debian1-1
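Review bot: the changelog entry describes the behaviour only as a fix for the :0 fallback; since the code change below makes Eterm exit when DISPLAY is unset instead of defaulting, users who relied on the old fallback should be told that explicitly, e.g. "Eterm now refuses to start and prints an error if DISPLAY is not set". Also "highjacking" should read "hijacking".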
only in patch2:
unchanged:
--- eterm-0.9.4.0debian1.orig/src/startup.c
+++ eterm-0.9.4.0debian1/src/startup.c
@@ -96,7 +96,8 @@
/* Open display, get options/resources and create the window */
if (getenv("DISPLAY") == NULL) {
- display_name = STRDUP(":0");
+ libast_print_error("can't open display, DISPLAY not set?!\n");
+ exit(EXIT_FAILURE);
} else {
display_name = STRDUP(getenv("DISPLAY"));
}
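Review bot: the NULL check only covers an unset variable; DISPLAY set to an empty string still passes through to STRDUP and will fail later in XOpenDisplay rather than with this clear message, so `if (getenv("DISPLAY") == NULL || *getenv("DISPLAY") == '\0')` would cover both cases. Exiting here also means a `-display` argument can never substitute for the environment variable if that option is parsed after this point; the mail notes `-display` is already broken, so this is acceptable for the security fix, but it deserves a follow-up bug so the option is either honoured before this check or documented as unsupported.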