Bug#510030: marked as done ([CVE-2008-2383] xterm: DECRQSS and comments)
Your message dated Mon, 05 Jan 2009 12:02:07 +
with message-id e1ljo9n-7p...@ries.debian.org
and subject line Bug#510030: fixed in xterm 235-2
has caused the Debian Bug report #510030,
regarding [CVE-2008-2383] xterm: DECRQSS and comments
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
510030: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: xterm
Version: 222-1etch2
Severity: grave
Tags: security patch
Justification: user security hole

DECRQSS Device Control Request Status String DCS $ q simply echoes
(responds with) invalid commands. For example,

  perl -e 'print \eP\$q\nbad-command\n\e\\'

would run bad-command. Exploitability is the same as for the window
title reporting issue in DSA-380: include the DCS string in an email
message to the victim, or arrange to have it in syslog to be viewed by
root.

The attached patch should fix the problem.

---

The default allowWindowOps is false (as should be), but the man page
says the default is true. The man page should also mention that turning
it on is a security risk, to avoid regression e.g. as per
  http://bugs.debian.org/384593
  http://www.debian.org/security/2003/dsa-380
and also the much older
  http://www.maths.usyd.edu.au/u/psz/securedu.html#xterm
(and private message to xterm maintainers on 9 Mar 2000, seems only
"grep PSz main.c" remains).
---

Ubuntu still allows window title reporting, and is vulnerable to

  perl -e 'print \e\]0;;bad-command;\a\e\[21t'

---

I wonder whether the following are handled and/or dangerous:

set X property
  perl -e 'print \e\]3;XTerm.vt100.allowWindowOps=1\e\\'

set, get font
  perl -e 'print \e\]50;bad-command\e\\,\e\]50;?\e\\'

UDK setting
  perl -e 'print \eP1;1|17/0a6261642d636f6d6d616e640a\e\\'
then trick user to press F key, or
  perl -e 'print \eP+q584b5f434f4c524f53\e\\'

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24-pk03.02-svr
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages xterm depends on:
ii  libc6           2.3.6.ds1-13etch8  GNU C Library: Shared libraries
ii  libfontconfig1  2.4.2-1.2          generic font configuration library
ii  libice6         1:1.0.1-2          X11 Inter-Client Exchange library
ii  libncurses5     5.5-5              Shared libraries for terminal hand
ii  libsm6          1:1.0.1-3          X11 Session Management library
ii  libx11-6        2:1.0.3-7          X11 client-side library
ii  libxaw7         1:1.0.2-4          X11 Athena Widget library
ii  libxext6        1:1.0.1-2          X11 miscellaneous extension librar
ii  libxft2         2.1.8.2-8          FreeType-based font drawing librar
ii  libxmu6         1:1.0.2-2          X11 miscellaneous utility library
ii  libxt6          1:1.0.2-2          X11 toolkit intrinsics library
ii  xbitmaps        1.0.1-2            Base X bitmaps

Versions of packages xterm recommends:
ii  xutils          1:7.1.ds.3-1       X Window System utility programs

-- no debconf information

--- misc.c.bak  2006-10-18 07:23:20.0 +1000
+++ misc.c      2008-12-29 07:06:25.0 +1100
@@ -2259,11 +2259,12 @@ unparseputc1(xw, DCS); unparseputc(xw, okay ? '1' : '0'); unparseputc(xw, '$'); unparseputc(xw, 'r'); - if (okay) + if (okay) { cp = reply; - unparseputs(xw, cp); + unparseputs(xw, cp); + } unparseputc1(xw, ST); } else { unparseputc(xw, CAN); }
---End Message---
---BeginMessage---
Source: xterm
Source-Version: 235-2

We believe that the bug you reported is fixed in the latest version of
xterm, which is due to be installed in the Debian FTP archive:

xterm_235-2.diff.gz
  to pool/main/x/xterm/xterm_235-2.diff.gz
xterm_235-2.dsc
  to pool/main/x/xterm/xterm_235-2.dsc
xterm_235-2_i386.deb
  to pool/main/x/xterm/xterm_235-2_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you have
further comments please address them to 510...@bugs.debian.org, and
the maintainer will reopen the bug report if appropriate.

Debian
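Review bot: the defect in this hunk is the unbraced `if (okay)` in the `-` lines, which guarded only `cp = reply;` while `unparseputs(xw, cp);` ran on every path, so for a rejected request the terminal still wrote `cp` back as input, which per the report was the attacker-supplied request text itself. The `+` lines brace the block, so a rejected request now produces only DCS, the `'0'` status byte, `$`, `r` and ST with no payload (the visible `okay ? '1' : '0'` shows xterm's convention of 1 for accepted, 0 for rejected). Two follow-ups worth adding: initialise `cp` at its declaration (outside this hunk) so no later path can reach `unparseputs` with stale input, and a regression test that sends an invalid DECRQSS and asserts the reply contains none of the request bytes.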
Bug#510030: marked as done ([CVE-2008-2383] xterm: DECRQSS and comments)
Your message dated Sat, 03 Jan 2009 17:02:10 +
with message-id e1lj9t4-0005wn...@ries.debian.org
and subject line Bug#510030: fixed in xterm 238-1
has caused the Debian Bug report #510030,
regarding [CVE-2008-2383] xterm: DECRQSS and comments
to be marked as done.

---BeginMessage---
Source: xterm
Source-Version: 238-1

We believe that the bug you reported is fixed in the latest version of
xterm, which is due to be installed in the Debian FTP archive:

xterm_238-1.diff.gz
  to pool/main/x/xterm/xterm_238-1.diff.gz
xterm_238-1.dsc
  to pool/main/x/xterm/xterm_238-1.dsc
xterm_238-1_i386.deb
  to pool/main/x/xterm/xterm_238-1_i386.deb
xterm_238.orig.tar.gz
  to pool/main/x/xterm/xterm_238.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you have
further comments please address them to 510...@bugs.debian.org, and
Bug#510030: marked as done ([CVE-2008-2383] xterm: DECRQSS and comments)
Your message dated Sat, 03 Jan 2009 19:52:20 +
with message-id e1ljcxk-xa...@ries.debian.org
and subject line Bug#510030: fixed in xterm 222-1etch3
has caused the Debian Bug report #510030,
regarding [CVE-2008-2383] xterm: DECRQSS and comments
to be marked as done.

---BeginMessage---
Source: xterm
Source-Version: 222-1etch3

We believe that the bug you reported is fixed in the latest version of
xterm, which is due to be installed in the Debian FTP archive:

xterm_222-1etch3.diff.gz
  to pool/main/x/xterm/xterm_222-1etch3.diff.gz
xterm_222-1etch3.dsc
  to pool/main/x/xterm/xterm_222-1etch3.dsc
xterm_222-1etch3_amd64.deb
  to pool/main/x/xterm/xterm_222-1etch3_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you have
further comments please address them to 510...@bugs.debian.org, and
the maintainer will
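The report's attack path is untrusted text (a mail body, a syslog line) reaching a terminal that answers control sequences. The filter below, added here as an example and not part of the bug report or of xterm, neutralises the families the report lists (DCS `$q` DECRQSS, DECUDK, `+q` XTGETTCAP, OSC 0/3/50 and CSI 21 t) before display by rendering them in cat -v caret form and naming what was attempted; the function and class names and the sample input are constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample with the sequence families from the report: a DECRQSS
# (DCS $q) carrying an invalid request, an OSC 0 title set followed by the
# CSI 21 t title report, and an OSC 50 font query. Not taken from a real log.
SAMPLE = ("login ok\x1bP$q\nbad-command\n\x1b\\ done\n"
          "\x1b]0;;bad-command;\x07\x1b[21t\n\x1b]50;?\x1b\\ bye")

# DCS, OSC, CSI, other ESC sequences and bare C0/C1 controls (tab, LF and CR
# are kept). Alternatives are tried in order, so an unterminated DCS or OSC
# still loses its introducer and the terminal never enters string mode.
_CTRL = re.compile(
    r"(?:\x1bP|\x90)(?P<dcs>.*?)(?:\x1b\\|\x9c)"
    r"|(?:\x1b\]|\x9d)(?P<osc>.*?)(?:\x07|\x1b\\|\x9c)"
    r"|(?:\x1b\[|\x9b)(?P<csi>[\x20-\x3f]*[\x40-\x7e])"
    r"|\x1b(?P<esc>[\x20-\x2f]*[\x30-\x7e])"
    r"|(?P<raw>[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f])", re.DOTALL)

def classify(kind: str, body: str) -> str:
    """Name the request so a log viewer or mail client can flag it."""
    if kind == "dcs":
        if body.startswith("$q"):
            return "DECRQSS status-string request"
        if body.startswith("+q"):
            return "XTGETTCAP termcap query"
        return "DECUDK user-defined key" if re.match(r"[0-9;]*\|", body) else "DCS string"
    if kind == "osc":
        code = body.split(";", 1)[0]
        return {"0": "OSC title", "2": "OSC title", "3": "OSC X property",
                "50": "OSC font"}.get(code, "OSC " + code)
    if kind == "csi":
        return "CSI title report" if body == "21t" else "CSI " + body
    return "control byte" if kind == "raw" else "ESC sequence"

def caret(seq: str) -> str:
    """Render like cat -v: C0 -> ^X (ESC is ^[), DEL -> ^?, C1 -> \\xNN."""
    out = []
    for o in map(ord, seq):
        out.append("^" + chr(o + 0x40) if o < 0x20 else "^?" if o == 0x7f
                   else "\\x%02x" % o if 0x80 <= o <= 0x9f else chr(o))
    return "".join(out)

def neutralise(text: str) -> Tuple[str, List[str]]:
    """Replace each control sequence by its caret rendering; also return the
    kinds seen, in order, for logging or alerting."""
    seen: List[str] = []
    def repl(m):
        seen.append(classify(m.lastgroup, m.group(m.lastgroup)))
        return caret(m.group(0))
    return _CTRL.sub(repl, text), seen
```

Running `neutralise(SAMPLE)` leaves the text readable but inert, and the returned kinds list is what a viewer would log or alert on.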