Bug#511431: xterm: wishlist allowSecurityRiskOps, allowEscSeqs

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#511431: xterm: wishlist allowSecurityRiskOps, allowEscSeqs
From: Paul Szabo <psz@maths.usyd.edu.au>
Date: Sun, 11 Jan 2009 07:18:34 +1100
Message-id: <[🔎] 20090110201834.1568.4043.reportbug@bari.maths.usyd.edu.au>
Reply-to: Paul Szabo <psz@maths.usyd.edu.au>, 511431@bugs.debian.org

Package: xterm
Version: 222-1etch4
Severity: wishlist

Xterm uses allowWindowOps and allowFontOps, both defaulting to false,
see e.g.
 
  http://bugs.debian.org/510030
 
(and references therein about this being an old and recurring problem).
Both resources disable many useful operations, so some people explicitly
turn them on; but then they are exposed to security risks. As an
enhancement, I propose a new resource 
 
  allowSecurityRiskOps
 
which (alone or in conjuntion with allowWindowOps and allowFontOps)
would control security-relevant parts ("whacking" un-sanitized strings
into the input buffer, set X properties and UDK, maybe paste64, VT200
modes, or re-enable setting the answerback message). Then (most of) the
functionality of allowWindowOps and allowFontOps could safely be turned
on (maybe by default even?), and it would be clear what is dangerous.

---

Occasionally I foolishly do "cat binary-file" and get annoyed by the
"1;2c" in the input buffer and/or the need to shift-M2 "soft reset"
and/or "stty sane" to proceed. As an enhancement, I propose a new
resource
 
  allowEscSeqs
 
that would control interpretation of any ESC sequences (except maybe
arrow keys); then paranoid people (who have no use for VT100 features)
could turn that off.

---

I do not attach patches to implement the above, do not want another
rejection of "your code is incorrect".

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24-pk03.02-svr
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages xterm depends on:
ii  libc6                  2.3.6.ds1-13etch8 GNU C Library: Shared libraries
ii  libfontconfig1         2.4.2-1.2         generic font configuration library
ii  libice6                1:1.0.1-2         X11 Inter-Client Exchange library
ii  libncurses5            5.5-5             Shared libraries for terminal hand
ii  libsm6                 1:1.0.1-3         X11 Session Management library
ii  libx11-6               2:1.0.3-7         X11 client-side library
ii  libxaw7                1:1.0.2-4         X11 Athena Widget library
ii  libxext6               1:1.0.1-2         X11 miscellaneous extension librar
ii  libxft2                2.1.8.2-8         FreeType-based font drawing librar
ii  libxmu6                1:1.0.2-2         X11 miscellaneous utility library
ii  libxt6                 1:1.0.2-2         X11 toolkit intrinsics library
ii  xbitmaps               1.0.1-2           Base X bitmaps

Versions of packages xterm recommends:
ii  xutils                      1:7.1.ds.3-1 X Window System utility programs

-- no debconf information

Reply to:

Prev by Date: mesa: Changes to 'upstream-experimental'
Next by Date: mesa: Changes to 'debian-experimental'
Previous by thread: mesa: Changes to 'upstream-experimental'
Next by thread: Processed: setting package to libgl1-mesa-dri-dbg mesa libglu1-mesa libgl1-mesa-glx mesa-common-dev libgl1-mesa-swx11-i686 libgl1-mesa-swx11-dbg libgl1-mesa-swx11 libosmesa6-dev libglu1-mesa-dev libglw1-mesa libgl1-mesa-dri libglw1-mesa-dev libosmesa6 libgl1-mesa-swx11-dev libgl1-mesa-dev mesa-utils libgl1-mesa-glx-dbg ...
Index(es):
- Date
- Thread