Bug#510030: marked as done ([CVE-2008-2383] xterm: DECRQSS and comments)

2009-01-05 Thread Debian Bug Tracking System

Your message dated Mon, 05 Jan 2009 12:02:07 +
with message-id e1ljo9n-7p...@ries.debian.org
and subject line Bug#510030: fixed in xterm 235-2
has caused the Debian Bug report #510030,
regarding [CVE-2008-2383] xterm: DECRQSS and comments
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
510030: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: xterm
Version: 222-1etch2
Severity: grave
Tags: security patch
Justification: user security hole


DECRQSS Device Control Request Status String DCS $ q simply echoes
(responds with) invalid commands. For example,
  perl -e 'print "\eP\$q\nbad-command\n\e\\"'
would run bad-command.

Exploitability is the same as for the window title reporting issue
in DSA-380: include the DCS string in an email message to the victim,
or arrange to have it in syslog to be viewed by root.

The attached patch should fix the problem.

---

The default allowWindowOps is false (as should be), but the man page
says the default is true. The man page should also mention that turning
it on is a security risk, to avoid regression e.g. as per
http://bugs.debian.org/384593
http://www.debian.org/security/2003/dsa-380
and also the much older
http://www.maths.usyd.edu.au/u/psz/securedu.html#xterm
(and private message to xterm maintainers on 9 Mar 2000, seems only
grep PSz main.c remains).

---

Ubuntu still allows window title reporting, and is vulnerable to
  perl -e 'print "\e\]0;;bad-command;\a\e\[21t"'

---

I wonder whether the following are handled and/or dangerous:
set X property  perl -e 'print \e\]3;XTerm.vt100.allowWindowOps=1\e\\'
set, get font   perl -e 'print \e\]50;bad-command\e\\,\e\]50;?\e\\'
UDK setting perl -e 'print \eP1;1|17/0a6261642d636f6d6d616e640a\e\\'
  then trick user to press F key, or
perl -e 'print \eP+q584b5f434f4c524f53\e\\'


Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24-pk03.02-svr
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages xterm depends on:
ii  libc6           2.3.6.ds1-13etch8  GNU C Library: Shared libraries
ii  libfontconfig1  2.4.2-1.2          generic font configuration library
ii  libice6         1:1.0.1-2          X11 Inter-Client Exchange library
ii  libncurses5     5.5-5              Shared libraries for terminal hand
ii  libsm6          1:1.0.1-3          X11 Session Management library
ii  libx11-6        2:1.0.3-7          X11 client-side library
ii  libxaw7         1:1.0.2-4          X11 Athena Widget library
ii  libxext6        1:1.0.1-2          X11 miscellaneous extension librar
ii  libxft2         2.1.8.2-8          FreeType-based font drawing librar
ii  libxmu6         1:1.0.2-2          X11 miscellaneous utility library
ii  libxt6          1:1.0.2-2          X11 toolkit intrinsics library
ii  xbitmaps        1.0.1-2            Base X bitmaps

Versions of packages xterm recommends:
ii  xutils  1:7.1.ds.3-1 X Window System utility programs

-- no debconf information
--- misc.c.bak  2006-10-18 07:23:20.0 +1000
+++ misc.c  2008-12-29 07:06:25.0 +1100
@@ -2259,11 +2259,12 @@
unparseputc1(xw, DCS);
unparseputc(xw, okay ? '1' : '0');
unparseputc(xw, '$');
unparseputc(xw, 'r');
-   if (okay)
+   if (okay) {
cp = reply;
-   unparseputs(xw, cp);
+   unparseputs(xw, cp);
+   }
unparseputc1(xw, ST);
} else {
unparseputc(xw, CAN);
}
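Review bot: In the new `if (okay) { ... }` block, `cp` is assigned from `reply` and consumed on the very next line, so the temporary no longer serves a purpose; passing `reply` directly to `unparseputs(xw, ...)` would make it obvious that nothing other than `reply` can be written here. A short comment above the block stating that an invalid request is answered with the bare `DCS 0 $ r ST` and no payload would guard against a later cleanup moving the `unparseputs` call back outside the conditional. The hunk does not show how `reply` is filled in, so it is worth confirming that it only ever holds text generated by the terminal.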
---End Message---
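
Added example, not part of the original report or of xterm: the delivery routes named in the report are text the victim merely views (mail, syslog), so one mitigation is to screen such text before it reaches a terminal. The Python below flags the sequence types listed in the report and renders control characters visibly; the rule names, function names and sample records are constructed for illustration.

```python
import re

# Assumption: text is already decoded. Decode UTF-8 logs as UTF-8 and 8-bit
# locale logs as latin-1, so raw C1 bytes 0x90/0x9b/0x9d become U+0090/9B/9D.
DCS = r"(?:\x1bP|\x90)"    # ESC P  or 8-bit DCS
OSC = r"(?:\x1b\]|\x9d)"   # ESC ]  or 8-bit OSC
CSI = r"(?:\x1b\[|\x9b)"   # ESC [  or 8-bit CSI

# Rule names are illustrative; the sequences are the ones named in the report.
RULES = [
    ("DECRQSS request (DCS $ q)", re.compile(DCS + r"\$q")),
    ("termcap query (DCS + q)", re.compile(DCS + r"\+q")),
    ("UDK definition (DCS Ps ; Ps |)", re.compile(DCS + r"[0-9;]*\|")),
    ("title report request (CSI 21 t)", re.compile(CSI + r"21t")),
    ("title set (OSC 0/1/2)", re.compile(OSC + r"[012];")),
    ("X property set (OSC 3)", re.compile(OSC + r"3;")),
    ("font set/query (OSC 50)", re.compile(OSC + r"50;")),
]
# Every C0/C1 control and DEL, except tab (0x09) and newline (0x0a).
CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")


def scan(text):
    """Names of all rules that match anywhere in text, in RULES order."""
    return [name for name, rx in RULES if rx.search(text)]


def neutralize(text):
    """Make control characters visible (\\xNN) so a terminal never acts on them."""
    return CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), text)


def report(records):
    """(record number, rule names, display-safe text) for each suspicious record."""
    return [(n, scan(r), neutralize(r)) for n, r in enumerate(records, 1) if scan(r)]


# Constructed sample records; PLACEHOLDER stands in for attacker-chosen text.
SAMPLE = [
    "Jan  5 12:00:01 host sshd[411]: Accepted publickey for alice",
    "Jan  5 12:00:02 host httpd[77]: agent=\x1bP$q\nPLACEHOLDER\n\x1b\\",
    "Jan  5 12:00:03 host httpd[77]: ref=\x1b]0;;PLACEHOLDER;\x07\x1b[21t",
    "Jan  5 12:00:04 host cron[9]: \x1b[1mbold but harmless\x1b[0m",
]

if __name__ == "__main__":
    for n, hits, safe in report(SAMPLE):
        print(n, hits, safe, sep=" | ")
```

Ordinary colour and attribute sequences (record 4) are not flagged by scan(), but neutralize() still renders them inert, which is the safer default when root pages through logs.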
---BeginMessage---
Source: xterm
Source-Version: 235-2

We believe that the bug you reported is fixed in the latest version of
xterm, which is due to be installed in the Debian FTP archive:

xterm_235-2.diff.gz
  to pool/main/x/xterm/xterm_235-2.diff.gz
xterm_235-2.dsc
  to pool/main/x/xterm/xterm_235-2.dsc
xterm_235-2_i386.deb
  to pool/main/x/xterm/xterm_235-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 510...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian 

Bug#510030: marked as done ([CVE-2008-2383] xterm: DECRQSS and comments)

2009-01-03 Thread Debian Bug Tracking System

Your message dated Sat, 03 Jan 2009 17:02:10 +
with message-id e1lj9t4-0005wn...@ries.debian.org
and subject line Bug#510030: fixed in xterm 238-1
has caused the Debian Bug report #510030,
regarding [CVE-2008-2383] xterm: DECRQSS and comments
to be marked as done.

---BeginMessage---
Source: xterm
Source-Version: 238-1

We believe that the bug you reported is fixed in the latest version of
xterm, which is due to be installed in the Debian FTP archive:

xterm_238-1.diff.gz
  to pool/main/x/xterm/xterm_238-1.diff.gz
xterm_238-1.dsc
  to pool/main/x/xterm/xterm_238-1.dsc
xterm_238-1_i386.deb
  to pool/main/x/xterm/xterm_238-1_i386.deb
xterm_238.orig.tar.gz
  to pool/main/x/xterm/xterm_238.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 510...@bugs.debian.org,
and 

Bug#510030: marked as done ([CVE-2008-2383] xterm: DECRQSS and comments)

2009-01-03 Thread Debian Bug Tracking System

Your message dated Sat, 03 Jan 2009 19:52:20 +
with message-id e1ljcxk-xa...@ries.debian.org
and subject line Bug#510030: fixed in xterm 222-1etch3
has caused the Debian Bug report #510030,
regarding [CVE-2008-2383] xterm: DECRQSS and comments
to be marked as done.

---BeginMessage---
Source: xterm
Source-Version: 222-1etch3

We believe that the bug you reported is fixed in the latest version of
xterm, which is due to be installed in the Debian FTP archive:

xterm_222-1etch3.diff.gz
  to pool/main/x/xterm/xterm_222-1etch3.diff.gz
xterm_222-1etch3.dsc
  to pool/main/x/xterm/xterm_222-1etch3.dsc
xterm_222-1etch3_amd64.deb
  to pool/main/x/xterm/xterm_222-1etch3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 510...@bugs.debian.org,
and the maintainer will