Package: xterm
Version: 210-3
Severity: grave
Tags: security patch
Justification: user security hole
Hi,

There are some concerns with the window operations that XTerm emulates, CSI 21t (report window title) in particular: since OSC 0/1/2 ST let you set the window title, one can decide what CSI 21t returns, which might then be read by the user's shell as a command to execute. The attached "xterm-security" file is an example of how this might be exploited: just "cat" it from any shell running in uxterm or xterm, and ls gets executed.

I know, "people should be capable of using a pager to view log-files." But people are not necessarily aware that displaying a mere file in a terminal might have such a nefarious effect. So I'm wondering whether it might be preferable to disable allowWindowOps by default (the proposed patch does this), or at least add a new resource (disabled by default) for selectively enabling CSI 21t if the user really wants it. Another possibility would be to refuse \n in the titles that are accepted, but that doesn't prevent other possible attacks.

Note: among other X terminal emulators, I haven't found any other that implements CSI 21t, so only xterm seems to need patching.
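As an added example (not part of this bug report or of xterm itself), a small Python checker that scans a file for the pair of sequences described above, an OSC 0/1/2 title set followed by a CSI 21t title report, and a filter that makes ESC visible before a file is displayed. The sample bytes are constructed and set a harmless title; they only exercise the detector.

```python
import re
import sys

# Constructed sample (harmless title): a file that sets the title with OSC 2
# and then asks xterm to report it back with CSI 21t, the pair the report describes.
SAMPLE = b"harmless line\n\x1b]2;demo-title\x07\x1b[21tmore text\n"

# OSC: ESC ] Ps ; text, terminated by BEL or ST (ESC \); 7-bit forms only.
OSC_RE = re.compile(rb"\x1b\](?P<ps>\d*);?(?P<body>.*?)(?:\x07|\x1b\\)", re.S)
# CSI: ESC [ parameter bytes, intermediate bytes, one final byte.
CSI_RE = re.compile(rb"\x1b\[(?P<params>[0-?]*)[ -/]*(?P<final>[@-~])")

def find_window_ops(data):
    """Return sorted (offset, kind, detail) for the sequences that matter here:
    kind 'title' for OSC 0/1/2 (detail = title bytes) and kind 'winop' for
    CSI ... t (detail = parameter string, e.g. b'21' for title reporting)."""
    found = []
    for m in OSC_RE.finditer(data):
        if m.group("ps") in (b"0", b"1", b"2"):
            found.append((m.start(), "title", m.group("body")))
    for m in CSI_RE.finditer(data):
        if m.group("final") == b"t":
            found.append((m.start(), "winop", m.group("params")))
    return sorted(found)

def has_title_echo(data):
    """True when a title is set and a CSI 21t report follows it in the stream,
    i.e. the terminal would type attacker-chosen text back into the shell."""
    title_seen = False
    for _, kind, detail in find_window_ops(data):
        if kind == "title":
            title_seen = True
        elif kind == "winop" and detail == b"21" and title_seen:
            return True
    return False

def make_visible(data):
    """Replace ESC so the sequences are shown rather than interpreted
    (like cat -v); 8-bit C1 controls are not covered by this filter."""
    return data.replace(b"\x1b", b"^[")

if __name__ == "__main__":
    # Usage: python check.py [file]; with no argument the constructed sample is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, kind, detail in find_window_ops(data):
        print("offset %d: %s %r" % (off, kind, detail))
    print("title echo pattern present:", has_title_echo(data))
```

The check only flags the CSI 21t pattern this report is about; other window operations reported through CSI ... t are listed but not treated as a title echo.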
Samuel

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages xterm depends on:
ii  libc6           2.3.6-15     GNU C Library: Shared libraries
ii  libfontconfig1  2.3.2-7      generic font configuration library
ii  libice6         1:1.0.0-3    X11 Inter-Client Exchange library
ii  libncurses5     5.5-2        Shared libraries for terminal hand
ii  libsm6          1:1.0.0-4    X11 Session Management library
ii  libx11-6        2:1.0.0-8    X11 client-side library
ii  libxaw7         1:1.0.1-5    X11 Athena Widget library
ii  libxext6        1:1.0.0-4    X11 miscellaneous extension librar
ii  libxft2         2.1.8.2-8    FreeType-based font drawing librar
ii  libxmu6         1:1.0.1-3    X11 miscellaneous utility library
ii  libxt6          1:1.0.0-5    X11 toolkit intrinsics library
ii  xbitmaps        1.0.1-2      Base X bitmaps

Versions of packages xterm recommends:
ii  xutils          1:7.1.ds-1   X Window System utility programs

-- no debconf information

-- 
Samuel Thibault <[EMAIL PROTECTED]>
What's this script do? unzip ; touch ; finger ; mount ; gasp ; yes ; umount ; sleep
Hint for the answer: not everything is computer-oriented. Sometimes you're in a sleeping bag, camping out.
(Contributed by Frans van der Zande.)
diff -ur xterm-210-debian/XTerm.ad xterm-210/XTerm.ad --- xterm-210-debian/XTerm.ad 2006-03-13 02:27:57.000000000 +0100 +++ xterm-210/XTerm.ad 2006-08-25 11:38:40.000000000 +0200 @@ -186,3 +186,5 @@ ! ! Alternatively, !*on2Clicks: regex [[:alpha:]]+://([[:alnum:]!#+,./[EMAIL PROTECTED]|(%[[:xdigit:]][[:xdigit:]]))+ + +*allowWindowOps: false
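Review bot: the new `*allowWindowOps: false` line is added without an explanatory comment, while the surrounding app-defaults entries in XTerm.ad are documented with `!` comments. Suggest preceding it with a short note such as `! Window operations are disabled: CSI 21t would echo a title set by OSC 0/1/2 back as terminal input`, so an administrator who later turns the resource back on knows what the default change was protecting against. Also note that this only changes the app-defaults value; a user's own `*allowWindowOps: true` in ~/.Xresources still overrides it, so the report's alternative of a separate resource gating CSI 21t alone is not addressed by this hunk.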
xterm-security
Description: Binary data