Re: [SECURITY] [DSA 1694-1] New xterm packages fix remote code execution

To: Peter Palfrader <weasel@debian.org>
Cc: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 1694-1] New xterm packages fix remote code execution
From: Florian Weimer <fw@deneb.enyo.de>
Date: Fri, 02 Jan 2009 20:59:11 +0100
Message-id: <[🔎] 873ag1qy28.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 20090102191442.GC19873@anguilla.noreply.org> (Peter Palfrader's message of "Fri, 2 Jan 2009 20:14:42 +0100")
References: <874p0hsf0f.fsf@mid.deneb.enyo.de> <[🔎] 20090102191442.GC19873@anguilla.noreply.org>

* Peter Palfrader:

> On Fri, 02 Jan 2009, Florian Weimer wrote:
>
>> As an additional precaution, this security update also disables font
>> changing
>
> Is this really ncessary?  I use that feature a lot and I rely on it for
> most of my desktop setup.  What are other (scriptable) means to change
> font size from within an xterm?

In theory, it should be possible to do this with an Editres client.
Unfortunately, the only such client appears to be editres, which is
not scriptable.

We could backport the allowFontOps change from xterm 238, but we'd
need a tester for that.

Reply to:

References:
- Re: [SECURITY] [DSA 1694-1] New xterm packages fix remote code execution
  - From: Peter Palfrader <weasel@debian.org>

Prev by Date: Re: New xterm packages fix remote code execution
Next by Date: 398254 is a security bug (SUID permission is 755 instead of 700 during installation)
Previous by thread: Re: [SECURITY] [DSA 1694-1] New xterm packages fix remote code execution
Next by thread: Re: New xterm packages fix remote code execution
Index(es):
- Date
- Thread