X Strike Force SVN commit: rev 468 - in branches/4.1.0/woody/debian: . patches



Author: branden
Date: 2003-09-02 14:41:52 -0500 (Tue, 02 Sep 2003)
New Revision: 468

Added:
   branches/4.1.0/woody/debian/patches/069_SECURITY_xterm_window_title_reporting.diff
   branches/4.1.0/woody/debian/patches/070_SECURITY_xterm_dec_udk_sequence_DoS.diff
Modified:
   branches/4.1.0/woody/debian/changelog
Log:
debian/patches/069_SECURITY_xterm_window_title_reporting.diff: disable xterm's
  window title reporting escape sequence
debian/patches/070_SECURITY_xterm_dec_udk_sequence_DoS.diff: fix term to ignore
  malformed DEC UDK escape sequences instead of locking up


Modified: branches/4.1.0/woody/debian/changelog
===================================================================
--- branches/4.1.0/woody/debian/changelog	2003-09-02 19:33:26 UTC (rev 467)
+++ branches/4.1.0/woody/debian/changelog	2003-09-02 19:41:52 UTC (rev 468)
@@ -1,3 +1,16 @@
+xfree86 (4.1.0-16woody1) stable; urgency=high
+
+  * Security update release.  Resolves the following issues:
+    + CAN-2003-0063 (xterm window title reporting can deceive user)
+    + CAN-2003-0071 (xterm susceptible to DEC UDK sequence DoS attack)
+
+  * patch #069: new; disable xterm's window title reporting escape sequence
+
+  * patch #070: new; fix term to ignore malformed DEC UDK escape sequences
+    instead of locking up
+
+ -- Branden Robinson <branden@debian.org>  Tue,  2 Sep 2003 14:34:48 -0500
+
 xfree86 (4.1.0-16) unstable; urgency=high
 
   * patch #000_stolen_from_HEAD:
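
Review bot: In the patch #070 entry, "fix term to ignore malformed DEC UDK escape sequences" looks like a typo for "fix xterm"; the #069 entry just above spells it "xterm's". It would also help to name the identifier in each patch entry (#069 with CAN-2003-0063, #070 with CAN-2003-0071) so the mapping between patches and issues does not depend on the order of the two lists.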

Added: branches/4.1.0/woody/debian/patches/069_SECURITY_xterm_window_title_reporting.diff
===================================================================
--- branches/4.1.0/woody/debian/patches/069_SECURITY_xterm_window_title_reporting.diff	2003-09-02 19:33:26 UTC (rev 467)
+++ branches/4.1.0/woody/debian/patches/069_SECURITY_xterm_window_title_reporting.diff	2003-09-02 19:41:52 UTC (rev 468)
@@ -0,0 +1,39 @@
+> - Xterm, provided as part of the XFree86 packages, provides an escape
+> sequence for reporting the current window title. This escape sequence
+> essentially takes the current title and places it directly on the command
+> line. An attacker can craft an escape sequence that sets the victim's Xterm
+> window title to an arbitrary command, and then reports it to the command
+> line. Since it is not possible to embed a carriage return into the window
+> title, the attacker would then have to convince the victim to press Enter
+> for the shell to process the title as a command, although the attacker
+> could craft other escape sequences that might convince the victim to do so.
+> The Common Vulnerabilities and Exposures project (cve.mitre.org) has
+> assigned the name CAN-2003-0063 to this issue.
+
+Thomas Dickey fixed this in XTerm #174, which was committed to XFree86
+CVS HEAD in 2003-02-25.  XTerm #174 makes window title reporting a
+user-configurable option via the X resource allowWindowOps, which
+defaults off.  This option is documented in the manual page as of that
+version.
+
+Red Hat's fix is to ignore the escape sequence that prints the window
+title.
+
+This is Red Hat's fix.
+
+--- xc/programs/xterm/charproc.c	2002-01-07 16:02:44.000000000 -0500
++++ xc/programs/xterm/charproc.c	2003-04-03 11:43:14.000000000 -0500
+@@ -3751,11 +3751,13 @@
+ 		break;
+ 
+ 	case 21:	/* Report the window's title */
++#if 0
+ 		report_win_label(screen, 'l', &text,
+ 			XGetWMName(
+ 				screen->display,
+ 				VShellWindow,
+ 				&text));
++#endif
+ 		break;
+ 
+ 	default: /* DECSLPP (24, 25, 36, 48, 72, 144) */
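
Review bot: The "#if 0" / "#endif" pair around the report_win_label() call in "case 21" has no comment in the C source, so anyone merging a later charproc.c sees dead code with no reason attached; add a one-line comment inside the case that names CAN-2003-0063. The patch header should also state the behavioural difference from the XTerm #174 change it describes: upstream gates the report behind the allowWindowOps resource, while this compiles it out, so the request falls through to "break" with no reply and no way to re-enable it. In the header text, "in 2003-02-25" should read "on 2003-02-25", and "This is Red Hat's fix." repeats the paragraph before it.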

Added: branches/4.1.0/woody/debian/patches/070_SECURITY_xterm_dec_udk_sequence_DoS.diff
===================================================================
--- branches/4.1.0/woody/debian/patches/070_SECURITY_xterm_dec_udk_sequence_DoS.diff	2003-09-02 19:33:26 UTC (rev 467)
+++ branches/4.1.0/woody/debian/patches/070_SECURITY_xterm_dec_udk_sequence_DoS.diff	2003-09-02 19:41:52 UTC (rev 468)
@@ -0,0 +1,27 @@
+> - It is possible to lock up versions of Xterm by sending an invalid DEC
+> UDK escape sequence. (CAN-2003-0071)
+
+Thomas Dickey fixed this in XTerm #173, which was committed to XFree86
+CVS HEAD on 2003-02-06.
+
+This patch is derived from XTerm #173.
+
+--- xc/programs/xterm/misc.c	2001-10-23 21:21:24.000000000 -0400
++++ xc/programs/xterm/misc.c	2003-04-03 11:00:48.000000000 -0500
+@@ -1649,6 +1649,7 @@
+ 				reset_decudk();
+ 
+ 			while (*cp) {
++				char *base = cp;
+ 				char *str = (char *)malloc(strlen(cp) + 2);
+ 				unsigned key = 0;
+ 				int len = 0;
+@@ -1675,6 +1676,8 @@
+ 				}
+ 				if (*cp == ';')
+ 					cp++;
++				if (cp == base) /* badly-formed sequence - bail out */
++					break;
+ 			}
+ 		}
+ 		break;
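
Review bot: The new "break" under "if (cp == base)" in the second inner hunk exits the loop after "str" was allocated with malloc(strlen(cp) + 2) at the top of the same iteration, and the lines between the two inner hunks are not shown; confirm that "str" is either stored or freed on every path before that check, otherwise each malformed sequence leaks one buffer. The malloc() result is not checked anywhere in the visible context either. The header says the patch is "derived from" XTerm #173; a sentence on how it differs from the upstream change would help the next person who rebases it.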
