Re: CERT* VB-98.04: Vulnerabilities in xterm and Xaw



On Tue, Apr 28, 1998 at 12:45:33PM -0500, Branden Robinson wrote:

> Well, the reason xterm is setuid is because it needs privileged access to
> the utmp file.  However, this is presently a problem under some
> circumstances (see bug #20685).

I understand it also needs it to allocate a pty.

> XFree86 3.3.2-4 is shipping with an /etc/X11/XResources that sets
> XTerm*utmpInhibit to true.  Is it the consensus of the project that xterm
> should have its setuid removed until this bug (#20685) is fixed?

There's a good fix for that bug, which also removes any security holes. I've
dug up the URL for the wrapper I mentioned.

	http://www-uxsup.csx.cam.ac.uk/~pjb1008/project/xterm-wrapper/

> Let me know quickly (especially if any of you know any additional reason
> xterm is setuid).  If I turn it off then I will want to do so for -5, which
> I'd like to release within the next 24 hours.

Yes, do turn it off.

