Enlightenment CVS committal
Author : mej
Project : eterm
Module : Eterm
Dir : eterm/Eterm/src
Modified Files:
startup.c
Log Message:
Wed May 14 16:09:04 2008 Michael Jennings (mej)
(Correct) fix for CVE-2008-1692. Eterm no longer defaults to using
":0" for $DISPLAY due to the possibility that an attacker can create a
fake X server on a shared system, intercept the Eterm X connection,
and send fake keystrokes to the victim's Eterm to execute arbitrary
commands as that user.
The previous fix, while it did indeed correct the vulnerability, broke
the --display option. The original fix from Bernhard Link was more
correct, albeit not quite on target.
----------------------------------------------------------------------
===================================================================
RCS file: /cvs/e/eterm/Eterm/src/startup.c,v
retrieving revision 1.59
retrieving revision 1.60
diff -u -3 -r1.59 -r1.60
--- startup.c 16 Apr 2008 03:23:27 -0000 1.59
+++ startup.c 14 May 2008 23:16:54 -0000 1.60
@@ -21,7 +21,7 @@
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
-static const char cvs_ident[] = "$Id: startup.c,v 1.59 2008/04/16 03:23:27
vapier Exp $";
+static const char cvs_ident[] = "$Id: startup.c,v 1.60 2008/05/14 23:16:54 mej
Exp $";
#include "config.h"
#include "feature.h"
@@ -95,13 +95,7 @@
init_libast();
/* Open display, get options/resources and create the window */
- if (getenv("DISPLAY") == NULL) {
- /* do not default to any display due to security issues -- vapier
- * http://article.gmane.org/gmane.comp.security.oss.general/122
- */
- libast_print_error("can't open display: DISPLAY not set\n");
- exit(EXIT_FAILURE);
- } else {
+ if (getenv("DISPLAY") != NULL) {
display_name = STRDUP(getenv("DISPLAY"));
}
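Review bot: With the else branch removed from the DISPLAY check, the security rationale that the deleted comment carried is no longer stated anywhere in this hunk, and the fix now depends on display_name not holding a default such as ":0" when DISPLAY is unset; its initial value is not visible in these lines. Suggest keeping a short comment above 'if (getenv("DISPLAY") != NULL) {' saying that no display is defaulted on purpose and that display_name must start out NULL, so a later cleanup does not reintroduce the default. As a minor point, getenv("DISPLAY") is called twice; storing the result in a local would avoid the repeated lookup.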
@@ -119,8 +113,10 @@
#ifdef NEED_LINUX_HACK
privileges(REVERT);
#endif
+
if (!Xdisplay && !(Xdisplay = XOpenDisplay(display_name))) {
- libast_print_error("can't open display %s\n", display_name);
+ libast_print_error("Can't open display %s. Set $DISPLAY or use
--display\n",
+ NONULL(display_name));
exit(EXIT_FAILURE);
}
XSetErrorHandler((XErrorHandler) xerror_handler);
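Review bot: In the XOpenDisplay failure path, the message now goes through NONULL(display_name), which matters because after the previous hunk display_name can reach this point without a value from DISPLAY; the macro's definition is not shown here, so check that what it substitutes reads sensibly in "Can't open display %s." when no display was given. The capitalised "Can't" also differs from the lowercase "can't open display" wording it replaces, so match whichever style the other libast_print_error calls use. The blank line added after #endif is an unrelated whitespace change and could be left out of a security fix.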
_______________________________________________
enlightenment-cvs mailing list
https://lists.sourceforge.net/lists/listinfo/enlightenment-cvs