--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: xterm: DECRQSS and comments
- From: Paul Szabo <psz@maths.usyd.edu.au>
- Date: Mon, 29 Dec 2008 07:24:07 +1100
- Message-id: <20081228202407.16058.26361.reportbug@bari.maths.usyd.edu.au>
Package: xterm
Version: 222-1etch2
Severity: grave
Tags: security patch
Justification: user security hole
DECRQSS Device Control Request Status String "DCS $ q" simply echoes
(responds with) invalid commands. For example,
perl -e 'print "\eP\$q\nbad-command\n\e\\"'
would run bad-command.
Exploitability is the same as for the "window title reporting" issue
in DSA-380: include the DCS string in an email message to the victim,
or arrange to have it in syslog to be viewed by root.
The attached patch should fix the problem.
---
The default allowWindowOps is false (as should be), but the man page
says the default is true. The man page should also mention that turning
it on is a security risk, to avoid regression e.g. as per
http://bugs.debian.org/384593
http://www.debian.org/security/2003/dsa-380
and also the much older
http://www.maths.usyd.edu.au/u/psz/securedu.html#xterm
(and private message to xterm maintainers on 9 Mar 2000, seems only
"grep PSz main.c" remains).
---
Ubuntu still allows window title reporting, and is vulnerable to
perl -e 'print "\e\]0;;bad-command;\a\e\[21t"'
---
I wonder whether the following are handled and/or dangerous:
set X property perl -e 'print "\e\]3;XTerm.vt100.allowWindowOps=1\e\\"'
set, get font perl -e 'print "\e\]50;bad-command\e\\","\e\]50;?\e\\"'
UDK setting perl -e 'print "\eP1;1|17/0a6261642d636f6d6d616e640a\e\\"'
then trick user to press F key, or
perl -e 'print "\eP+q584b5f434f4c524f53\e\\"'
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24-pk03.02-svr
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages xterm depends on:
ii libc6 2.3.6.ds1-13etch8 GNU C Library: Shared libraries
ii libfontconfig1 2.4.2-1.2 generic font configuration library
ii libice6 1:1.0.1-2 X11 Inter-Client Exchange library
ii libncurses5 5.5-5 Shared libraries for terminal hand
ii libsm6 1:1.0.1-3 X11 Session Management library
ii libx11-6 2:1.0.3-7 X11 client-side library
ii libxaw7 1:1.0.2-4 X11 Athena Widget library
ii libxext6 1:1.0.1-2 X11 miscellaneous extension librar
ii libxft2 2.1.8.2-8 FreeType-based font drawing librar
ii libxmu6 1:1.0.2-2 X11 miscellaneous utility library
ii libxt6 1:1.0.2-2 X11 toolkit intrinsics library
ii xbitmaps 1.0.1-2 Base X bitmaps
Versions of packages xterm recommends:
ii xutils 1:7.1.ds.3-1 X Window System utility programs
-- no debconf information
--- misc.c.bak 2006-10-18 07:23:20.000000000 +1000
+++ misc.c 2008-12-29 07:06:25.000000000 +1100
@@ -2259,11 +2259,12 @@
unparseputc1(xw, DCS);
unparseputc(xw, okay ? '1' : '0');
unparseputc(xw, '$');
unparseputc(xw, 'r');
- if (okay)
+ if (okay) {
cp = reply;
- unparseputs(xw, cp);
+ unparseputs(xw, cp);
+ }
unparseputc1(xw, ST);
} else {
unparseputc(xw, CAN);
}
--- End Message ---
--- Begin Message ---
Source: xterm
Source-Version: 238-1
We believe that the bug you reported is fixed in the latest version of
xterm, which is due to be installed in the Debian FTP archive:
xterm_238-1.diff.gz
to pool/main/x/xterm/xterm_238-1.diff.gz
xterm_238-1.dsc
to pool/main/x/xterm/xterm_238-1.dsc
xterm_238-1_i386.deb
to pool/main/x/xterm/xterm_238-1_i386.deb
xterm_238.orig.tar.gz
to pool/main/x/xterm/xterm_238.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 510030@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated xterm package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 03 Jan 2009 17:35:46 +0100
Source: xterm
Binary: xterm
Architecture: source i386
Version: 238-1
Distribution: unstable
Urgency: low
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Description:
xterm - X terminal emulator
Closes: 510030
Changes:
xterm (238-1) unstable; urgency=low
.
* New upstream release.
+ respond to incorrectly formatted DECRQSS with a cancel
(closes: #510030). Reference: CVE-2008-2383.
* Default the allowWindowOps and allowFontOps resources to false, to prevent
potential security issues. Thanks to Paul Szabo.
Checksums-Sha1:
93a0b99ae36b2de61ed2f179d9959feba2a6caf5 1344 xterm_238-1.dsc
fef9376398b6bca40fed9372af64f08c957c1654 862288 xterm_238.orig.tar.gz
6ef3a6bab3c93fedb8b79b2445c6b981c4dec71f 63166 xterm_238-1.diff.gz
072c8b4cd9642aa827046aa4ade4873f4e273b12 479828 xterm_238-1_i386.deb
Checksums-Sha256:
a3178d548916c64278ec3b952066b8e8fe3bc86c90b9e3e3f6b68ff34f5d98b5 1344 xterm_238-1.dsc
07957a677c8b8bb33d1aa2b14b3596386cbbf0bba658aeadf6476488bf297f8b 862288 xterm_238.orig.tar.gz
98911b4bb833b3a7e886f3f571a4450e0f968e779ae024a72acfb8673961ed66 63166 xterm_238-1.diff.gz
5a1dd1895b612452a87555319ba16d3e15ac555d491925a16fcd96ed9597e5e3 479828 xterm_238-1_i386.deb
Files:
48ce7bd294d18ad0392e73b073daa41f 1344 x11 optional xterm_238-1.dsc
754f670723eb9a20f9f90d7c5f4a5bad 862288 x11 optional xterm_238.orig.tar.gz
3a9924c51f48188b2553cb8f758d0ee3 63166 x11 optional xterm_238-1.diff.gz
286da6762059b87589dd7e29e8d03b02 479828 x11 optional xterm_238-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAklflj4ACgkQmEvTgKxfcAwc/ACfR5TjnHICgc2b4fvVgTx+glz0
hcAAn0UBOkBKEU6hO6LGE5Pd56qcCTfP
=Ztyg
-----END PGP SIGNATURE-----
--- End Message ---