Re: CERT* VB-98.04: Vulnerabilities in xterm and Xaw
On Tue, Apr 28, 1998 at 12:45:33PM -0500, Branden Robinson wrote:
> Well, the reason xterm is setuid is because it needs privileged access to
> the utmp file. However, this is presently a problem under some
> circumstances (see bug #20685).
I understand it also needs it to allocate a pty.
> XFree86 3.3.2-4 is shipping with an /etc/X11/XResources that sets
> XTerm*utmpInhibit to true. Is it the consensus of the project that xterm
> should have its setuid removed until this bug (#20685) is fixed?
There's a good fix for that bug, which also removes any security holes. I've
dug up the URL for the wrapper I mentioned.
http://www-uxsup.csx.cam.ac.uk/~pjb1008/project/xterm-wrapper/
> Let me know quickly (especially if any of you know any additional reason
> xterm is setuid). If I turn it off then I will want to do so for -5, which
> I'd like to release within the next 24 hours.
Yes, do turn it off.