Bug#402917: marked as done (xterm: Man page is incorrect regarding allowWindowOps)
Your message dated Sat, 9 Feb 2008 18:23:32 +0100
with message-id <20080209172328.GA24424@patate.is-a-geek.org>
and subject line Bug#402917: xterm: Man page is incorrect regarding allowWindowOps
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: xterm: Man page is incorrect regarding allowWindowOps
- From: Kevin L <kevinl@tamu.edu>
- Date: Wed, 13 Dec 2006 08:44:04 -0600
- Message-id: <200612130844.05175.kevinl@tamu.edu>
Package: xterm
Severity: grave

This is a side effect of bug 384593 regarding allowWindowOps which is now
closed. I have listed the severity as grave because bug 384593 was listed as
grave, and this new bug is a direct continuation of that one.

In bug 384593, the resource allowWindowOps was changed from default value true
to false to prevent shell exploits. However the current xterm man page
indicates that the standard behavior is still true:

    allowWindowOps (class AllowWindowOps)
        Specifies whether extended window control sequences (as used in
        dtterm) for should be allowed. The default is ``true.''

The man page needs to be changed to reflect the Debian-specific behavior. I
suggest changing the text from "The default is ``true.''" to "For security
reasons, the default in Debian is ``false.''"

As the developer of a console-based terminal emulator that I tend to run
inside Xterm, this behavior surprised me. Fortunately, the user can fix it
and I have added documentation to my project accordingly.

As it stands now, Debian has made a behavior change to Xterm that deviates
from the "expected" (e.g. what is true most other places) default behavior
and the man page explicitly contradicts the Debian behavior. This is also
not mentioned in /usr/share/doc/xterm/README.Debian, perhaps it should be if
this will be a departure from upstream for a significant time.

$ dpkg -p xterm
Package: xterm
Priority: optional
Section: x11
Installed-Size: 980
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Architecture: i386
Version: 222-1
...
--- End Message ---
--- Begin Message ---
- To: Kevin L <kevinl@tamu.edu>, 402917-done@bugs.debian.org
- Subject: Re: Bug#402917: xterm: Man page is incorrect regarding allowWindowOps
- From: Julien Cristau <jcristau@debian.org>
- Date: Sat, 9 Feb 2008 18:23:32 +0100
- Message-id: <20080209172328.GA24424@patate.is-a-geek.org>
- In-reply-to: <200612130844.05175.kevinl@tamu.edu>
- References: <200612130844.05175.kevinl@tamu.edu>
Version: 223-2
On Wed, Dec 13, 2006 at 08:44:04 -0600, Kevin L wrote:
> Package: xterm
> Severity: grave
>
> This is a side effect of bug 384593 regarding allowWindowOps which is now
> closed. I have listed the severity as grave because bug 384593 was listed as
> grave, and this new bug is a direct continuation of that one.
>
> In bug 384593, the resource allowWindowOps was changed from default value true
> to false to prevent shell exploits. However the current xterm man page
> indicates that the standard behavior is still true:
>

xterm (223-2) unstable; urgency=low

  * No longer disable allowWindowOps in XTerm.ad, as commands are now
    sanitized by xterm (closes: #402917).

 -- Julien Cristau <julien.cristau@ens-lyon.org>  Thu, 14 Dec 2006 17:29:30 +0100

Closing this bug, for some reason it hasn't happened automatically.

Cheers,
Julien
--- End Message ---