X Strike Force SVN commit: rev 468 - in branches/4.1.0/woody/debian: . patches
Author: branden
Date: 2003-09-02 14:41:52 -0500 (Tue, 02 Sep 2003)
New Revision: 468
Added:
branches/4.1.0/woody/debian/patches/069_SECURITY_xterm_window_title_reporting.diff
branches/4.1.0/woody/debian/patches/070_SECURITY_xterm_dec_udk_sequence_DoS.diff
Modified:
branches/4.1.0/woody/debian/changelog
Log:
debian/patches/069_SECURITY_xterm_window_title_reporting.diff: disable xterm's
window title reporting escape sequence
debian/patches/070_SECURITY_xterm_dec_udk_sequence_DoS.diff: fix term to ignore
malformed DEC UDK escape sequences instead of locking up
Modified: branches/4.1.0/woody/debian/changelog
===================================================================
--- branches/4.1.0/woody/debian/changelog 2003-09-02 19:33:26 UTC (rev 467)
+++ branches/4.1.0/woody/debian/changelog 2003-09-02 19:41:52 UTC (rev 468)
@@ -1,3 +1,16 @@
+xfree86 (4.1.0-16woody1) stable; urgency=high
+
+ * Security update release. Resolves the following issues:
+ + CAN-2003-0063 (xterm window title reporting can deceive user)
+ + CAN-2003-0071 (xterm susceptible to DEC UDK sequence DoS attack)
+
+ * patch #069: new; disable xterm's window title reporting escape sequence
+
+ * patch #070: new; fix term to ignore malformed DEC UDK escape sequences
+ instead of locking up
+
+ -- Branden Robinson <branden@debian.org> Tue, 2 Sep 2003 14:34:48 -0500
+
xfree86 (4.1.0-16) unstable; urgency=high
* patch #000_stolen_from_HEAD:
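Review bot: in the patch #070 entry, "fix term to ignore malformed DEC UDK escape sequences" looks like a typo for "xterm"; the #069 entry and both CAN lines above it say xterm. The #069 entry could also be more explicit: "disable" alone does not tell an administrator reading the changelog whether the window title report can be turned back on, and the patch description further down shows it is compiled out rather than made configurable.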
Added: branches/4.1.0/woody/debian/patches/069_SECURITY_xterm_window_title_reporting.diff
===================================================================
--- branches/4.1.0/woody/debian/patches/069_SECURITY_xterm_window_title_reporting.diff 2003-09-02 19:33:26 UTC (rev 467)
+++ branches/4.1.0/woody/debian/patches/069_SECURITY_xterm_window_title_reporting.diff 2003-09-02 19:41:52 UTC (rev 468)
@@ -0,0 +1,39 @@
+> - Xterm, provided as part of the XFree86 packages, provides an escape
+> sequence for reporting the current window title. This escape sequence
+> essentially takes the current title and places it directly on the command
+> line. An attacker can craft an escape sequence that sets the victim's Xterm
+> window title to an arbitrary command, and then reports it to the command
+> line. Since it is not possible to embed a carriage return into the window
+> title, the attacker would then have to convince the victim to press Enter
+> for the shell to process the title as a command, although the attacker
+> could craft other escape sequences that might convince the victim to do so.
+> The Common Vulnerabilities and Exposures project (cve.mitre.org) has
+> assigned the name CAN-2003-0063 to this issue.
+
+Thomas Dickey fixed this in XTerm #174, which was committed to XFree86
+CVS HEAD in 2003-02-25. XTerm #174 makes window title reporting a
+user-configurable option via the X resource allowWindowOps, which
+defaults off. This option is documented in the manual page as of that
+version.
+
+Red Hat's fix is to ignore the escape sequence that prints the window
+title.
+
+This is Red Hat's fix.
+
+--- xc/programs/xterm/charproc.c 2002-01-07 16:02:44.000000000 -0500
++++ xc/programs/xterm/charproc.c 2003-04-03 11:43:14.000000000 -0500
+@@ -3751,11 +3751,13 @@
+ break;
+
+ case 21: /* Report the window's title */
++#if 0
+ report_win_label(screen, 'l', &text,
+ XGetWMName(
+ screen->display,
+ VShellWindow,
+ &text));
++#endif
+ break;
+
+ default: /* DECSLPP (24, 25, 36, 48, 72, 144) */
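Review bot: the #if 0 / #endif pair added around report_win_label() in case 21 of charproc.c has no comment, so nothing in the source tells whoever next merges a newer xterm that the report was compiled out on purpose. Suggest a one-line comment inside the case naming CAN-2003-0063. The patch header also describes two different fixes (XTerm #174, which makes the report configurable through allowWindowOps, and Red Hat's, which ignores the sequence) and then repeats itself with "This is Red Hat's fix."; say once that this patch takes the Red Hat approach and that no resource exists to re-enable the report, and drop the repeated sentence.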
Added: branches/4.1.0/woody/debian/patches/070_SECURITY_xterm_dec_udk_sequence_DoS.diff
===================================================================
--- branches/4.1.0/woody/debian/patches/070_SECURITY_xterm_dec_udk_sequence_DoS.diff 2003-09-02 19:33:26 UTC (rev 467)
+++ branches/4.1.0/woody/debian/patches/070_SECURITY_xterm_dec_udk_sequence_DoS.diff 2003-09-02 19:41:52 UTC (rev 468)
@@ -0,0 +1,27 @@
+> - It is possible to lock up versions of Xterm by sending an invalid DEC
+> UDK escape sequence. (CAN-2003-0071)
+
+Thomas Dickey fixed this in XTerm #173, which was committed to XFree86
+CVS HEAD on 2003-02-06.
+
+This patch is derived from XTerm #173.
+
+--- xc/programs/xterm/misc.c 2001-10-23 21:21:24.000000000 -0400
++++ xc/programs/xterm/misc.c 2003-04-03 11:00:48.000000000 -0500
+@@ -1649,6 +1649,7 @@
+ reset_decudk();
+
+ while (*cp) {
++ char *base = cp;
+ char *str = (char *)malloc(strlen(cp) + 2);
+ unsigned key = 0;
+ int len = 0;
+@@ -1675,6 +1676,8 @@
+ }
+ if (*cp == ';')
+ cp++;
++ if (cp == base) /* badly-formed sequence - bail out */
++ break;
+ }
+ }
+ break;
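Review bot: the new "if (cp == base) break;" at the bottom of the while (*cp) loop in misc.c exits the loop in the same iteration that allocated str with malloc() at the top; the lines that store or free str fall between the two inner hunks and are not shown, so please confirm str has already been handed off or freed by the time this exit is reached. The header says the patch is "derived from" XTerm #173 without saying what differs from the upstream change; a sentence on that would make a later comparison against upstream easier.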