Bug#691642: xterm: outputting the mc5 sequence (prtr_on / turn on printer) makes xterm crash
tags 691642 - security
thanks

Hi,

* Vincent Lefevre [2012-10-28 13:32]:
> On 2012-10-28 11:37:58 +0100, Nico Golde wrote:
[...]
> > > In addition to possible data loss due to the crash, this is a security
> > > problem, because the sequence may appear in a remote file.
> >
> > Sorry, I couldn't parse this sentence. What exactly are the security
> > implications? So far I don't see how this qualifies for a security bug.
>
> If some external data (because they contain some unexpected byte
> sequence) make a local program crash (so that user data are lost),
> that's a security bug. Just like when you have a bug in the image
> decoder used by your web browser that makes it crash on some image
> files.

That was exactly my point: this is not treated as a security bug in
Debian, but as a regular bug.

Cheers
Nico
Bug#691642: xterm: outputting the mc5 sequence (prtr_on / turn on printer) makes xterm crash
Hi,

* Vincent Lefevre [2012-10-28 00:11]:
> When cat'ing some binary file, my xterm crashed. I've managed to find
> the cause: the mc5 terminfo sequence (prtr_on / turn on printer). The
> problem can be reproduced with:
>
> 1. Run xterm from another terminal.
> 2. Run the following command:
>      printf "\033[5i"
>    or
>      tput mc5
>    The message "sh: 1: : Permission denied" appears in the first
>    terminal.

I can't reproduce this with xterm 278-2 on amd64.

[...]
> In addition to possible data loss due to the crash, this is a security
> problem, because the sequence may appear in a remote file.

Sorry, I couldn't parse this sentence. What exactly are the security
implications? So far I don't see how this qualifies for a security bug.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0

Archive: http://lists.debian.org/20121028103757.gx17...@ngolde.de
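The report above reproduces the crash by writing a single control sequence, CSI 5 i (what `tput mc5` emits and what `printf "\033[5i"` writes by hand), to the terminal; the point behind "the sequence may appear in a remote file" is that anything cat'ed to a terminal can carry such sequences. The following added example is not xterm's code and not part of the bug report: it tokenises untrusted bytes according to the ECMA-48 CSI grammar, reports the Media Copy sequences (final byte `i`), and renders every sequence in caret notation so the data can be looked at without the terminal acting on it. It goes beyond the report in that it handles any CSI sequence, not only CSI 5 i. The sample input, the function names and the small description table are constructed for this example; the 8-bit introducer 0x9B is treated as a CSI as well, which is an assumption: whether a terminal honours C1 controls depends on its configuration, and in UTF-8 text 0x9B also occurs as a continuation byte, so the scanner errs toward reporting.

```python
"""Scan untrusted bytes for terminal control sequences before they reach a tty.

Added example for the xterm mc5 report above; not xterm's or Debian's code.
The tokenizer follows the ECMA-48 CSI grammar, so it reports any CSI sequence,
not only CSI 5 i (terminfo mc5 / prtr_on) from the bug report.
"""
from typing import List, Tuple

ESC = 0x1B        # 7-bit introducer: ESC '['
CSI_8BIT = 0x9B   # 8-bit C1 introducer (assumption: the terminal honours C1 controls)

# Final byte of the Media Copy sequence (CSI Ps i); Ps=5 is printer on, Ps=4 off.
MEDIA_COPY_FINAL = "i"

# Constructed lookup for the demo; a small subset of ECMA-48 final bytes.
FINAL_BYTE_NAMES = {
    "i": "Media Copy (printer control)",
    "J": "Erase in Display",
    "H": "Cursor Position",
    "m": "Select Graphic Rendition",
}


def split_control_sequences(data: bytes) -> List[Tuple[str, bytes]]:
    """Tokenise data into ("text", chunk) and ("csi", chunk) pieces.

    CSI grammar (ECMA-48 5.4): introducer ESC '[' or the single byte 0x9B,
    then parameter bytes 0x30-0x3F, then intermediate bytes 0x20-0x2F, then
    exactly one final byte 0x40-0x7E.  An introducer that never reaches a
    final byte is kept as text so nothing is silently dropped.
    """
    out: List[Tuple[str, bytes]] = []
    n = len(data)
    i = text_start = 0
    while i < n:
        b = data[i]
        is_intro = b == CSI_8BIT or (b == ESC and i + 1 < n and data[i + 1] == ord("["))
        if is_intro:
            j = i + (1 if b == CSI_8BIT else 2)
            while j < n and 0x30 <= data[j] <= 0x3F:   # parameter bytes
                j += 1
            while j < n and 0x20 <= data[j] <= 0x2F:   # intermediate bytes
                j += 1
            if j < n and 0x40 <= data[j] <= 0x7E:      # final byte
                if text_start < i:
                    out.append(("text", data[text_start:i]))
                out.append(("csi", data[i:j + 1]))
                i = text_start = j + 1
                continue
        i += 1
    if text_start < n:
        out.append(("text", data[text_start:]))
    return out


def find_media_copy(data: bytes) -> List[bytes]:
    """Every CSI sequence whose final byte is 'i', e.g. b'\\x1b[5i' from the report."""
    return [seq for kind, seq in split_control_sequences(data)
            if kind == "csi" and chr(seq[-1]) == MEDIA_COPY_FINAL]


def describe(seq: bytes) -> str:
    """Human-readable label for one CSI sequence, e.g. 'CSI 5 i: Media Copy ...'."""
    body = seq[1:] if seq[0] == CSI_8BIT else seq[2:]
    params = body[:-1].decode("ascii", "replace")
    final = chr(seq[-1])
    head = " ".join(filter(None, ["CSI", params, final]))
    return f"{head}: {FINAL_BYTE_NAMES.get(final, 'other')}"


def make_visible(data: bytes) -> bytes:
    """Render the data in caret notation the way `cat -v` does: each CSI becomes
    ^[[..., and a stray ESC in plain text becomes ^[, so a terminal shows the
    sequences instead of executing them."""
    pieces = []
    for kind, chunk in split_control_sequences(data):
        if kind == "csi":
            pieces.append(b"^[[" + (chunk[1:] if chunk[0] == CSI_8BIT else chunk[2:]))
        else:
            pieces.append(chunk.replace(b"\x1b", b"^["))
    return b"".join(pieces)


# Constructed sample "binary file": text, the mc5 sequence the report writes with
# printf "\033[5i", a harmless Erase in Display, and a truncated introducer.
SAMPLE = b"hello\x1b[5iworld\x1b[2Jend\x1b["


if __name__ == "__main__":
    for seq in (s for k, s in split_control_sequences(SAMPLE) if k == "csi"):
        print(describe(seq))
    print(make_visible(SAMPLE).decode("ascii"))
```

The quick manual check before cat'ing a file of unknown origin is `cat -v` or `less`, both of which display control characters instead of passing them to the terminal; the scanner above is what you would put into a log viewer or a pipeline that has to show untrusted data on a terminal, and it deliberately keeps an incomplete introducer as text rather than dropping bytes.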
Re: [Secure-testing-team] xorg-server update for lenny
Hi Julien,

* Julien Cristau <[EMAIL PROTECTED]> [2008-01-19 13:07]:
> as xorg-server 1.4 isn't ready to migrate, and won't be for some more
> time, I prepared an updated package for testing-security.

Oh thanks, that's really nice.

> It fixes CVE-2007-5760, CVE-2007-5958, CVE-2007-6427, CVE-2007-6428,
> CVE-2007-6429 and CVE-2008-0006, and will be on its way to klecker in a
> few minutes.
> I'm travelling right now, so in case something comes up please contact
> [EMAIL PROTECTED]

Thank you! I am going to check & release this as soon as all buildds have
pushed their packages to klecker.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Re: xorg update in testing for CVE-2007-4730
Hi Julien,

* Julien Cristau <[EMAIL PROTECTED]> [2007-10-20 12:14]:
> On Sat, Oct 20, 2007 at 11:16:00 +0200, Nico Golde wrote:
>
> > Hi X Strike Force,
> > The xorg version in testing is currently affected by the
> > issue described in CVE-2007-4730[0].
> >
> > For stable and unstable this has already been fixed.
> > However, the package is unlikely to migrate to testing because
> > of new RC bugs in the BTS which prevent this.
>
> I've pushed this change to the debian-lenny branch of
> git://git.debian.org/~jcristau/xorg-server [0], and am starting a build
> right now.

Thanks very much for your efforts! Please ping us after uploading.

Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
xorg update in testing for CVE-2007-4730
Hi X Strike Force,

The xorg version in testing is currently affected by the issue described
in CVE-2007-4730[0].

For stable and unstable this has already been fixed. However, the package
is unlikely to migrate to testing because of new RC bugs in the BTS which
prevent this.

Nonetheless it would be nice to have this fixed in testing too, so the
question is: would re-uploading the unstable version to testing-security
break setups, or would this be a fairly unproblematic update? If it is,
can you re-upload it to "testing-security"? If yes, please see:
http://secure-testing-master.debian.net/uploading.html
and contact [EMAIL PROTECTED] after uploading.

If you don't have the time but the update should be without problems, we
can also prepare this for you.

Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#286502: missing ] in /etc/init.d/xfs
Hello Adam,

* Adam D. Barratt <[EMAIL PROTECTED]> [2004-12-20 23:25]:
> package xfs
> close 286502
> merge 286502 285133
> thanks
>
> On Monday, December 20, 2004 2:10 PM, Nico Golde <[EMAIL PROTECTED]> wrote:
>
> > Package: xfs
> > Version: 4.3.0.dfsg.1-9
> > Severity: normal
> > Tags: patch
> > hi,
> > there is a mistake in /etc/init.d/xfs:
>
> In fact, your patch is exactly what was done in 4.3.0.dfsg.1-10, to close
> the previous report of this bug (#285133). Closing this report as the fixed
> packages are already in the archive.

Oh, sorry, I only did the upgrade of my system this evening. Sorry.

Kind regards
Nico
-- 
Nico Golde - [EMAIL PROTECTED] | GPG: 1024D/73647CFF        ,'"`.
[EMAIL PROTECTED] | http://www.ngolde.de               (  grml.org
VIM has two modes - the one in which it beeps         `._,'
and the one in which it doesn't -- encrypted mail preferred
Bug#286502: missing ] in /etc/init.d/xfs
Package: xfs
Version: 4.3.0.dfsg.1-9
Severity: normal
Tags: patch

Hi,

there is a mistake in /etc/init.d/xfs:

  sudo /etc/init.d/xfs restart
  Stopping X font server: xfs.
  Setting up X font server socket directory /tmp/.font-unix.../etc/init.d/xfs: line 24: [: missing `]'
  done.
  Starting X font server: xfs.

I wrote a patch; it is in the attachment.

Regards
Nico

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.9
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15) (ignored: LC_ALL set to [EMAIL PROTECTED])

Versions of packages xfs depends on:
ii  libc6   2.3.2.ds1-19  GNU C Library: Shared libraries an
ii  zlib1g  1:1.2.2-4     compression library - runtime

-- no debconf information

-- 
Nico Golde - [EMAIL PROTECTED] | GPG: 1024D/73647CFF        ,'"`.
[EMAIL PROTECTED] | http://www.ngolde.de               (  grml.org
VIM has two modes - the one in which it beeps         `._,'
and the one in which it doesn't -- encrypted mail preferred

--- /etc/init.d/xfs 2004-12-20 15:07:57.0 +0100 +++ xfs.patch 2004-12-20 15:07:25.0 +0100 @@ -21,7 +21,7 @@ set_up_socket_dir () { echo -n "Setting up X font server socket directory $SOCKET_DIR..." - if [ -e $SOCKET_DIR && ! [ -d $SOCKET_DIR ]; then + if [ -e $SOCKET_DIR ] && ! [ -d $SOCKET_DIR ]; then mv $SOCKET_DIR $SOCKET_DIR.$$ fi mkdir -p $SOCKET_DIR
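Review bot: the `+` line fixes the unbalanced `[`, but `$SOCKET_DIR` stays unquoted in every test and command of the hunk (`[ -e $SOCKET_DIR ]`, `! [ -d $SOCKET_DIR ]`, `mv $SOCKET_DIR $SOCKET_DIR.$$`, `mkdir -p $SOCKET_DIR`), so an empty value or one containing whitespace still produces a `[` syntax error or moves the wrong path; since the line is being touched anyway, quote it as `"$SOCKET_DIR"` throughout. Two smaller points: the header pairs `--- /etc/init.d/xfs` with `+++ xfs.patch`, so the maintainer cannot apply it with `patch -p1` in the source tree without telling `patch` the target file by hand; diffing two copies that carry the same file name gives a patch that applies as-is. And the `-e`/`-d` tests, the `mv` and the `mkdir -p` on a path under world-writable `/tmp` (the output above shows `/tmp/.font-unix`) are a check-then-act sequence that a local user can race; that is pre-existing behaviour rather than something this hunk introduces, but it deserves a follow-up rather than being cemented by the fix.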