Your message dated Tue, 15 Apr 2008 17:47:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#473127: fixed in eterm 0.9.4.0debian1-2.1
has caused the Debian Bug report #473127,
regarding eterm: opens window on unspecified display
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
473127: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=473127
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: eterm
Version: 0.9.4.0debian1-2
Severity: important
Tags: security patch
When no -display is given and DISPLAY is not set, Eterm tries :0.
That is both a security issue on multi-user systems (see
http://article.gmane.org/gmane.comp.security.oss.general/122
for the description of an attack vector) and otherwise still annoying
as it causes the error message to be delayed quite a bit.
Respectfully,
Bernhard R. Link
diff -ruN eterm-0.9.4.0debian1.original/src/startup.c
eterm-0.9.4.0debian1/src/startup.c
--- eterm-0.9.4.0debian1.original/src/startup.c 2006-08-22 20:23:12.000000000
+0200
+++ eterm-0.9.4.0debian1/src/startup.c 2008-03-28 13:51:44.000000000 +0100
@@ -95,11 +95,7 @@
init_libast();
/* Open display, get options/resources and create the window */
- if (getenv("DISPLAY") == NULL) {
- display_name = STRDUP(":0");
- } else {
- display_name = STRDUP(getenv("DISPLAY"));
- }
+ display_name = NULL;
/* This MUST be called before any other Xlib functions */
#ifdef SPIFOPT_SETTING_PREPARSE
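Review bot: With "display_name = NULL;" replacing the getenv/STRDUP branch, display_name is no longer guaranteed to be a non-NULL heap string after this point, so any later code in startup.c that frees, copies or prints it when no display option was given should be checked for a NULL dereference. A short comment on this line saying that NULL is deliberate and leaves the DISPLAY lookup to XOpenDisplay(), with no :0 fallback, would also keep someone from reintroducing the default.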
@@ -116,7 +112,9 @@
privileges(REVERT);
#endif
if (!Xdisplay && !(Xdisplay = XOpenDisplay(display_name))) {
- libast_print_error("can't open display %s\n", display_name);
+ libast_print_error("can't open display %s\n",
display_name?display_name:
+ getenv("DISPLAY")?getenv("DISPLAY"):
+ "as no --display given and DISPLAY not set");
exit(EXIT_FAILURE);
}
XSetErrorHandler((XErrorHandler) xerror_handler);
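Review bot: In the new libast_print_error() call the nested ?: chain is unparenthesized and evaluates getenv("DISPLAY") twice; reading it once into a local (for example const char *env = getenv("DISPLAY");) makes the precedence obvious and the fallback easier to follow. The fallback literal also yields "can't open display as no --display given and DISPLAY not set", which reads awkwardly, and it spells the option --display where the report text says -display; a separate message for the no-display case, with the option spelled as the program accepts it, would be clearer. Note that an empty DISPLAY="" is non-NULL and still prints an empty display name here.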
--- End Message ---
--- Begin Message ---
Source: eterm
Source-Version: 0.9.4.0debian1-2.1
We believe that the bug you reported is fixed in the latest version of
eterm, which is due to be installed in the Debian FTP archive:
eterm_0.9.4.0debian1-2.1.diff.gz
  to pool/main/e/eterm/eterm_0.9.4.0debian1-2.1.diff.gz
eterm_0.9.4.0debian1-2.1.dsc
  to pool/main/e/eterm/eterm_0.9.4.0debian1-2.1.dsc
eterm_0.9.4.0debian1-2.1_amd64.deb
  to pool/main/e/eterm/eterm_0.9.4.0debian1-2.1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated eterm package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.8
Date: Tue, 15 Apr 2008 19:15:59 +0200
Source: eterm
Binary: eterm
Architecture: source amd64
Version: 0.9.4.0debian1-2.1
Distribution: unstable
Urgency: high
Maintainer: Laurence J. Lane <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
 eterm - Enlightened Terminal Emulator
Closes: 473127
Changes:
 eterm (0.9.4.0debian1-2.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix opening the terminal on display :0 if no DISPLAY environment
     variable is specified to prevent local attackers from hijacking
     X11 connections in certain environments (CVE-2008-1692; Closes: #473127)
--- End Message ---