[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#510030: marked as done ([CVE-2008-2383] xterm: DECRQSS and comments)

Your message dated Mon, 05 Jan 2009 12:02:07 +0000
with message-id <E1LJo9n-00007p-OP@ries.debian.org>
and subject line Bug#510030: fixed in xterm 235-2
has caused the Debian Bug report #510030,
regarding [CVE-2008-2383] xterm: DECRQSS and comments
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
510030: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: xterm
Version: 222-1etch2
Severity: grave
Tags: security patch
Justification: user security hole


DECRQSS Device Control Request Status String "DCS $ q" simply echoes
(responds with) invalid commands. For example,
perl -e 'print "\eP\$q\nbad-command\n\e\\"'
would run bad-command.

Exploitability is the same as for the "window title reporting" issue
in DSA-380: include the DCS string in an email message to the victim,
or arrange to have it in syslog to be viewed by root.

The attached patch should fix the problem.

---

The default allowWindowOps is false (as should be), but the man page
says the default is true. The man page should also mention that turning
it on is a security risk, to avoid regression e.g. as per
http://bugs.debian.org/384593
http://www.debian.org/security/2003/dsa-380
and also the much older
http://www.maths.usyd.edu.au/u/psz/securedu.html#xterm
(and private message to xterm maintainers on 9 Mar 2000, seems only
"grep PSz main.c" remains).

---

Ubuntu still allows window title reporting, and is vulnerable to
perl -e 'print "\e\]0;;bad-command;\a\e\[21t"'

---

I wonder whether the following are handled and/or dangerous:
set X property	perl -e 'print "\e\]3;XTerm.vt100.allowWindowOps=1\e\\"'
set, get font   perl -e 'print "\e\]50;bad-command\e\\","\e\]50;?\e\\"'
UDK setting	perl -e 'print "\eP1;1|17/0a6261642d636f6d6d616e640a\e\\"'
  then trick user to press F key, or
		perl -e 'print "\eP+q584b5f434f4c524f53\e\\"'


Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24-pk03.02-svr
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages xterm depends on:
ii  libc6                  2.3.6.ds1-13etch8 GNU C Library: Shared libraries
ii  libfontconfig1         2.4.2-1.2         generic font configuration library
ii  libice6                1:1.0.1-2         X11 Inter-Client Exchange library
ii  libncurses5            5.5-5             Shared libraries for terminal hand
ii  libsm6                 1:1.0.1-3         X11 Session Management library
ii  libx11-6               2:1.0.3-7         X11 client-side library
ii  libxaw7                1:1.0.2-4         X11 Athena Widget library
ii  libxext6               1:1.0.1-2         X11 miscellaneous extension librar
ii  libxft2                2.1.8.2-8         FreeType-based font drawing librar
ii  libxmu6                1:1.0.2-2         X11 miscellaneous utility library
ii  libxt6                 1:1.0.2-2         X11 toolkit intrinsics library
ii  xbitmaps               1.0.1-2           Base X bitmaps

Versions of packages xterm recommends:
ii  xutils                      1:7.1.ds.3-1 X Window System utility programs

-- no debconf information

--- misc.c.bak	2006-10-18 07:23:20.000000000 +1000
+++ misc.c	2008-12-29 07:06:25.000000000 +1100
@@ -2259,11 +2259,12 @@
 	    unparseputc1(xw, DCS);
 	    unparseputc(xw, okay ? '1' : '0');
 	    unparseputc(xw, '$');
 	    unparseputc(xw, 'r');
-	    if (okay)
+	    if (okay) {
 		cp = reply;
-	    unparseputs(xw, cp);
+		unparseputs(xw, cp);
+	    }
 	    unparseputc1(xw, ST);
 	} else {
 	    unparseputc(xw, CAN);
 	}

--- End Message ---
--- Begin Message --- 
Source: xterm
Source-Version: 235-2

We believe that the bug you reported is fixed in the latest version of
xterm, which is due to be installed in the Debian FTP archive:

xterm_235-2.diff.gz
  to pool/main/x/xterm/xterm_235-2.diff.gz
xterm_235-2.dsc
  to pool/main/x/xterm/xterm_235-2.dsc
xterm_235-2_i386.deb
  to pool/main/x/xterm/xterm_235-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 510030@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated xterm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 04 Jan 2009 15:18:16 +0100
Source: xterm
Binary: xterm
Architecture: source i386
Version: 235-2
Distribution: testing-security
Urgency: high
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Description: 
 xterm      - X terminal emulator
Closes: 510030
Changes: 
 xterm (235-2) testing-security; urgency=high
 .
   * Backport changes from xterm 238:
     - make OSC 3 (change X property) subject to allowWindowOps resource
     - make VT220 DSR responses inactive in VT100-mode
     - make DECUDK feature inactive in VT100-mode
     - respond to incorrectly formatted DECRQSS with a cancel (CVE-2008-2383;
       closes: #510030)
     - add allowFontOps resource to allow the fontsize-switching and font
       query/set control sequences to be enabled/disabled
   * Additionally, change the default values for allowFontOps and
     allowWindowOps to false.
Checksums-Sha1: 
 551c5738c2edd7862c663e0c22510c1e5c2352e5 1344 xterm_235-2.dsc
 4d449a9e50e342e0b7a6deba9d713e6ba9323d1e 857714 xterm_235.orig.tar.gz
 e6005f418e6122e01bface73d3bfad03f677c73c 64638 xterm_235-2.diff.gz
 f381d42826974bd23d8f7bae4b6d1beb972d6eec 471456 xterm_235-2_i386.deb
Checksums-Sha256: 
 dea9f0458aeb907d98f2d4b1fcfa6a8ee8c44d795edb4d70943f7a7320113c33 1344 xterm_235-2.dsc
 c8a7ccb515b967a11dc2ac1061943cddbf0b6640de89f72590b1ff79e69a49cf 857714 xterm_235.orig.tar.gz
 225f117619c4294b295d742fa60a8433ccaa9924f2d5b3e23284c1b9aff9c8fb 64638 xterm_235-2.diff.gz
 0af69008cacf9b5e96b1ba93fb61ca12824e89c681148acb129a5d9b956ed22a 471456 xterm_235-2_i386.deb
Files: 
 1cd51bceadfae07f71d2fea60cf59eca 1344 x11 optional xterm_235-2.dsc
 5060cab9cef0ea09a24928f3c7fbde2b 857714 x11 optional xterm_235.orig.tar.gz
 9dbeb11f892c79ad17f1c3c23367605a 64638 x11 optional xterm_235-2.diff.gz
 dfa965c1f29ab512c12c266c97bd3616 471456 x11 optional xterm_235-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklhLOMACgkQmEvTgKxfcAyeYgCdGJ9nmosx3CpHA7a7YOEYQ4UH
Vi4AoNz+A/43/hTDVabEsIalKYc0NJ59
=Wbku
-----END PGP SIGNATURE-----

--- End Message ---
Reply to: