
Bug#384593: xterm: allowWindowOps should be disabled by default



Package: xterm
Version: 210-3
Severity: grave
Tags: security patch
Justification: user security hole

Hi,

There are some concerns with the window operations that XTerm
emulates, CSI 21t (report window title) in particular, because since OSC
0/1/2 ST let you set the window title, one can decide what CSI 21t
returns, which might then be read by the user's shell as a command to
execute.  The attached "xterm-security" file is an example of how this
might be exploited: just "cat" it from any shell running in uxterm or
xterm, and ls gets executed.

I know, "people should be capable of using a pager to view log files."
But people are not necessarily aware that displaying a mere file in a
terminal might have such a nefarious effect.  So I'm wondering whether it
might be preferable to disable allowWindowOps by default (the proposed
patch does this), or at least add a new resource (disabled by default)
for selectively enabling CSI 21t if the user really wants it.

Another possibility would be to disable \n in titles that are accepted,
but that doesn't prevent other possible attacks.

Note: among other X terminal emulators, I haven't found any other that
implements CSI 21t, so only xterm seems to need patching.

Samuel

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)

Versions of packages xterm depends on:
ii  libc6                         2.3.6-15   GNU C Library: Shared libraries
ii  libfontconfig1                2.3.2-7    generic font configuration library
ii  libice6                       1:1.0.0-3  X11 Inter-Client Exchange library
ii  libncurses5                   5.5-2      Shared libraries for terminal hand
ii  libsm6                        1:1.0.0-4  X11 Session Management library
ii  libx11-6                      2:1.0.0-8  X11 client-side library
ii  libxaw7                       1:1.0.1-5  X11 Athena Widget library
ii  libxext6                      1:1.0.0-4  X11 miscellaneous extension librar
ii  libxft2                       2.1.8.2-8  FreeType-based font drawing librar
ii  libxmu6                       1:1.0.1-3  X11 miscellaneous utility library
ii  libxt6                        1:1.0.0-5  X11 toolkit intrinsics library
ii  xbitmaps                      1.0.1-2    Base X bitmaps

Versions of packages xterm recommends:
ii  xutils                        1:7.1.ds-1 X Window System utility programs

-- no debconf information

-- 
Samuel Thibault <samuel.thibault@ens-lyon.org>
What's this script do?
    unzip ; touch ; finger ; mount ; gasp ; yes ; umount ; sleep
Hint for the answer: not everything is computer-oriented. Sometimes you're
in a sleeping bag, camping out.
(Contributed by Frans van der Zande.)
diff -ur xterm-210-debian/XTerm.ad xterm-210/XTerm.ad
--- xterm-210-debian/XTerm.ad	2006-03-13 02:27:57.000000000 +0100
+++ xterm-210/XTerm.ad	2006-08-25 11:38:40.000000000 +0200
@@ -186,3 +186,5 @@
 !
 ! Alternatively,
 !*on2Clicks: regex [[:alpha:]]+://([[:alnum:]!#+,./=?@~-]|(%[[:xdigit:]][[:xdigit:]]))+
+
+*allowWindowOps: false
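Review bot: the new `*allowWindowOps: false` line lands directly under the commented-out `! Alternatively,` / `!*on2Clicks: ...` example with no comment of its own, so a reader of XTerm.ad may take it for part of that alternative; add a `!` comment above it stating why the default changes (CSI 21t echoes back a title chosen via OSC 0/1/2 as terminal input, per the report). Note also that this turns off every window operation rather than only the title report, which the report's second option (a separate, default-off resource for CSI 21t) would avoid, and since the report names uxterm as affected too, confirm that the uxterm app-defaults pick up this XTerm.ad change.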

Attachment: xterm-security
Description: Binary data
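As an added defensive example, not part of the bug report or of xterm, the following Python scanner flags the sequence pair described above (an OSC 0/1/2 title set followed by a CSI 21t title-report request) in untrusted bytes before they are written to a terminal, and strips OSC/CSI sequences so a log file can be displayed safely. The sample input, the function names and the regular expressions are constructed for this example; the title in the sample is harmless text.

```python
import re

# Constructed sample: sets the window title via OSC 2 (ESC ] 2 ; ... BEL), then asks
# the terminal to report it with CSI 21 t (ESC [ 21 t), and later sets it again with
# an ST-terminated OSC 0 (ESC ] 0 ; ... ESC \). The titles are deliberately harmless.
SAMPLE = b"line one\n\x1b]2;sample title\x07\x1b[21tline two\n\x1b]0;other\x1b\\"

# OSC 0/1/2 title set, terminated by BEL or ST; the title body excludes BEL and ESC.
OSC_TITLE = re.compile(rb"\x1b\](?P<ps>[012]);(?P<title>[^\x07\x1b]*)(?:\x07|\x1b\\)")
# CSI 21 t window-title report request (an optional second parameter, e.g. 21;2t, is allowed).
CSI_TITLE_REPORT = re.compile(rb"\x1b\[21(?:;\d+)?t")
# Generic OSC and CSI forms used by the strip-everything fallback in sanitize().
ANY_OSC = re.compile(rb"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")
ANY_CSI = re.compile(rb"\x1b\[[0-?]*[ -/]*[@-~]")


def find_title_ops(data: bytes) -> list:
    """Return (offset, kind, raw_bytes) for every title-set and title-report sequence."""
    found = [(m.start(), "osc-set-title", m.group(0)) for m in OSC_TITLE.finditer(data)]
    found += [(m.start(), "csi-21t-report", m.group(0)) for m in CSI_TITLE_REPORT.finditer(data)]
    return sorted(found)


def is_title_reflection(data: bytes) -> bool:
    """True when a title-set sequence is followed, later in the data, by a CSI 21t request.

    A lone CSI 21t is not flagged here (the title could still have been set earlier by
    other output); callers that want that stricter policy can check find_title_ops().
    """
    seen_set = False
    for _, kind, _ in find_title_ops(data):
        if kind == "osc-set-title":
            seen_set = True
        elif kind == "csi-21t-report" and seen_set:
            return True
    return False


def sanitize(data: bytes) -> bytes:
    """Drop all OSC and CSI sequences, then neutralise any stray ESC as a visible '^['."""
    out = ANY_OSC.sub(b"", data)
    out = ANY_CSI.sub(b"", out)
    return out.replace(b"\x1b", b"^[")


if __name__ == "__main__":
    for offset, kind, raw in find_title_ops(SAMPLE):
        print(f"offset {offset}: {kind} {raw!r}")
    print("title reflection:", is_title_reflection(SAMPLE))
    print("sanitized:", sanitize(SAMPLE))
```

Running the script on SAMPLE reports one OSC title set, one CSI 21t request and a second title set, flags the pair as a title reflection, and prints the two plain lines with every escape sequence removed.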

