Bug#510030: xterm: DECRQSS and comments
On Mon, Dec 29, 2008 at 13:39:19 +0100, Florian Weimer wrote:
* Paul Szabo:
Ubuntu still allows window title reporting, and is vulnerable to
perl -e 'print \e\]0;;bad-command;\a\e\[21t'
Thanks for reporting this.
The sid version is also affected because allowWindowOps is not set to
false in the configuration.
I plan to fix this for etch by disabling UDKs, font shifting, X
property changes, and applying Paul's patch. Any objections?
Hi,
I'm considering the below diff for lenny, please review and tell me
whether this is ok for testing-security.
Cheers,
Julien
diff --git a/debian/changelog b/debian/changelog
index 2205844..58c0684 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+xterm (235-2) UNRELEASED; urgency=high
+
+ * Backport changes from xterm 238:
+- make OSC 3 (change X property) subject to allowWindowOps resource
+- make VT220 DSR responses inactive in VT100-mode
+- make DECUDK feature inactive in VT100-mode
+- respond to incorrectly formatted DECRQSS with a cancel (CVE-2008-2383;
+ closes: #510030)
+- add allowFontOps resource to allow the fontsize-switching and font
+ query/set control sequences to be enabled/disabled
+ * Additionally, change the default values for allowFontOps and
+allowWindowOps to false.
+
+ -- Julien Cristau jcris...@debian.org Sat, 03 Jan 2009 18:47:43 +0100
+
xterm (235-1) unstable; urgency=low
* New upstream release.
diff --git a/debian/patches/000_backport_from_238.diff
b/debian/patches/000_backport_from_238.diff
new file mode 100644
index 000..c3e0eda
--- /dev/null
+++ b/debian/patches/000_backport_from_238.diff
@@ -0,0 +1,227 @@
+From xterm #238:
+* make OSC 3 (change X property) subject to allowWindowOps resource
+* make VT220 DSR responses inactive in VT100-mode
+* make DECUDK feature inactive in VT100-mode
+* respond to incorrectly formatted DECRQSS with a cancel
+* add allowFontOps resource to allow the fontsize-switching and font query/set
+ control sequences to be enabled/disabled
+
+Index: xterm/charproc.c
+===
+--- xterm.orig/charproc.c
xterm/charproc.c
+@@ -389,6 +389,7 @@
+ static XtResource resources[] =
+ {
+ Bres(XtNallowSendEvents, XtCAllowSendEvents, screen.allowSendEvent0,
False),
++Bres(XtNallowFontOps, XtCAllowFontOps, screen.allowFontOp0, True),
+ Bres(XtNallowTitleOps, XtCAllowTitleOps, screen.allowTitleOp0, True),
+ Bres(XtNallowWindowOps, XtCAllowWindowOps, screen.allowWindowOp0, True),
+ Bres(XtNaltIsNotMeta, XtCAltIsNotMeta, screen.alt_is_not_meta, False),
+@@ -2144,28 +2145,38 @@
+ break;
+ case 15:
+ /* printer status */
+- reply.a_param[count++] = 13;/* implement printer */
++ if (screen-terminal_id = 200) { /* VT220 */
++ reply.a_param[count++] = 13;/* implement printer */
++ }
+ break;
+ case 25:
+ /* UDK status */
+- reply.a_param[count++] = 20;/* UDK always unlocked */
++ if (screen-terminal_id = 200) { /* VT220 */
++ reply.a_param[count++] = 20;/* UDK always unlocked
*/
++ }
+ break;
+ case 26:
+ /* keyboard status */
+- reply.a_param[count++] = 27;
+- reply.a_param[count++] = 1; /* North American */
+- if (screen-terminal_id = 400) {
+- reply.a_param[count++] = 0; /* ready */
+- reply.a_param[count++] = 0; /* LK201 */
++ if (screen-terminal_id = 200) { /* VT220 */
++ reply.a_param[count++] = 27;
++ reply.a_param[count++] = 1; /* North American */
++ if (screen-terminal_id = 400) {
++ reply.a_param[count++] = 0; /* ready */
++ reply.a_param[count++] = 0; /* LK201 */
++ }
+ }
+ break;
+ case 53:
+ /* Locator status */
++ if (screen-terminal_id = 200) { /* VT220 */
+ #if OPT_DEC_LOCATOR
+- reply.a_param[count++] = 50;/* locator ready */
++ reply.a_param[count++] = 50;/* locator ready */
+ #else
+- reply.a_param[count++] = 53;/* no locator */
++ reply.a_param[count++] = 53;/* no locator */
+ #endif
++ }
++ break;
++ default:
+ break;
+ }
+
+@@ -5525,11 +5536,13 @@
+ init_Bres(screen.meta_sends_esc);
+
+ init_Bres(screen.allowSendEvent0);
++init_Bres(screen.allowFontOp0);
+ init_Bres(screen.allowTitleOp0);
+ init_Bres(screen.allowWindowOp0);
+
+ /* make a copy so that editres cannot change the resource after startup */
+
Bug#510030: xterm: DECRQSS and comments
* Julien Cristau:
I'm considering the below diff for lenny, please review and tell me
whether this is ok for testing-security.
If I read the patch correctly, you change the compiled-in defaults.
This is fine, but is somewhat different from allowWindowOps approach
in etch (which shipped a configuration file). etch - lenny updates
should work as well and result in a conservative configuration choice.
For reference, I've attached the patch I plan to apply to the etch4
version, to reintroduce font shifting support for those who need it.
If you think we need to backport more changes in #238, I'm open to
that, too.
Index: git/ptyx.h
===
--- git.orig/ptyx.h 2009-01-02 21:35:07.0 +0100
+++ git/ptyx.h 2009-01-02 21:35:23.0 +0100
@@ -1345,8 +1345,10 @@
Boolean bellOnReset;/* bellOnReset */
Boolean visualbell; /* visual bell mode */
Boolean poponbell; /* pop on bell mode */
+ Boolean allowFontOps; /* FontOps mode */
Boolean allowSendEvents;/* SendEvent mode */
Boolean allowWindowOps; /* WindowOps mode */
+ Boolean allowFontOps0; /* initial FontOps mode */
Boolean allowSendEvent0;/* initial SendEvent mode */
Boolean allowWindowOp0; /* initial WindowOps mode */
Boolean awaitInput; /* select-timeout mode */
Index: git/charproc.c
===
--- git.orig/charproc.c 2009-01-02 21:35:07.0 +0100
+++ git/charproc.c 2009-01-02 21:35:23.0 +0100
@@ -394,6 +394,7 @@
static XtResource resources[] =
{
+Bres(XtNallowFontOps, XtCAllowFontOps, screen.allowFontOps0, False),
Bres(XtNallowSendEvents, XtCAllowSendEvents, screen.allowSendEvent0,
False),
Bres(XtNallowWindowOps, XtCAllowWindowOps, screen.allowWindowOp0, True),
Bres(XtNalwaysHighlight, XtCAlwaysHighlight, screen.always_highlight,
False),
@@ -5524,10 +5525,12 @@
init_Bres(screen.meta_sends_esc);
init_Bres(screen.allowSendEvent0);
+init_Bres(screen.allowFontOps0);
init_Bres(screen.allowWindowOp0);
/* make a copy so that editres cannot change the resource after startup */
wnew-screen.allowSendEvents = wnew-screen.allowSendEvent0;
+wnew-screen.allowFontOps = wnew-screen.allowFontOps0;
wnew-screen.allowWindowOps = wnew-screen.allowWindowOp0;
#ifndef NO_ACTIVE_ICON
Index: git/xterm.h
===
--- git.orig/xterm.h2009-01-02 21:35:07.0 +0100
+++ git/xterm.h 2009-01-02 21:35:23.0 +0100
@@ -325,6 +325,7 @@
/******/
#define XtNallowC1PrintableallowC1Printable
+#define XtNallowFontOpsallowFontOps
#define XtNallowSendEvents allowSendEvents
#define XtNallowWindowOps allowWindowOps
#define XtNalwaysHighlight alwaysHighlight
@@ -463,6 +464,7 @@
#define XtNxmcMoveSGR xmcMoveSGR
#define XtCAllowC1PrintableAllowC1Printable
+#define XtCAllowFontOpsAllowFontOps
#define XtCAllowSendEvents AllowSendEvents
#define XtCAllowWindowOps AllowWindowOps
#define XtCAlwaysHighlight AlwaysHighlight
Index: git/xterm.man
===
--- git.orig/xterm.man 2009-01-02 21:35:23.0 +0100
+++ git/xterm.man 2009-01-02 21:35:23.0 +0100
@@ -1349,6 +1349,10 @@
Although this corresponds to no particular standard,
some users insist it is a VT100.
The default is ``false.''
+.TP
+.B allowFontOps (\fPclass\fB AllowFontOps)
+Specifies whether control sequences that set/query the font should be allowed.
+The default is ``false.''
.TP 8
.B allowSendEvents (\fPclass\fB AllowSendEvents)
Specifies whether or not synthetic key and button events (generated using
Index: git/misc.c
===
--- git.orig/misc.c 2009-01-02 21:37:05.0 +0100
+++ git/misc.c 2009-01-02 21:37:15.0 +0100
@@ -1847,7 +1847,9 @@
case 50:
#if OPT_SHIFT_FONTS
- if (buf != 0 !strcmp(buf, ?)) {
+ if (!screen-allowFontOps xw-misc.shift_fonts) {
+ ; /* disabled via resource or control-sequence */
+ } else if (buf != 0 !strcmp(buf, ?)) {
int num = screen-menu_font_number;
unparseputc1(xw, OSC);
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#510030: xterm: DECRQSS and comments
* Paul Szabo: Ubuntu still allows window title reporting, and is vulnerable to perl -e 'print \e\]0;;bad-command;\a\e\[21t' Thanks for reporting this. The sid version is also affected because allowWindowOps is not set to false in the configuration. I plan to fix this for etch by disabling UDKs, font shifting, X property changes, and applying Paul's patch. Any objections? -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#510030: xterm: DECRQSS and comments
Package: xterm
Version: 222-1etch2
Severity: grave
Tags: security patch
Justification: user security hole
DECRQSS Device Control Request Status String DCS $ q simply echoes
(responds with) invalid commands. For example,
perl -e 'print \eP\$q\nbad-command\n\e\\'
would run bad-command.
Exploitability is the same as for the window title reporting issue
in DSA-380: include the DCS string in an email message to the victim,
or arrange to have it in syslog to be viewed by root.
The attached patch should fix the problem.
---
The default allowWindowOps is false (as should be), but the man page
says the default is true. The man page should also mention that turning
it on is a security risk, to avoid regression e.g. as per
http://bugs.debian.org/384593
http://www.debian.org/security/2003/dsa-380
and also the much older
http://www.maths.usyd.edu.au/u/psz/securedu.html#xterm
(and private message to xterm maintainers on 9 Mar 2000, seems only
grep PSz main.c remains).
---
Ubuntu still allows window title reporting, and is vulnerable to
perl -e 'print \e\]0;;bad-command;\a\e\[21t'
---
I wonder whether the following are handled and/or dangerous:
set X property perl -e 'print \e\]3;XTerm.vt100.allowWindowOps=1\e\\'
set, get font perl -e 'print \e\]50;bad-command\e\\,\e\]50;?\e\\'
UDK setting perl -e 'print \eP1;1|17/0a6261642d636f6d6d616e640a\e\\'
then trick user to press F key, or
perl -e 'print \eP+q584b5f434f4c524f53\e\\'
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of SydneyAustralia
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24-pk03.02-svr
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages xterm depends on:
ii libc6 2.3.6.ds1-13etch8 GNU C Library: Shared libraries
ii libfontconfig1 2.4.2-1.2 generic font configuration library
ii libice61:1.0.1-2 X11 Inter-Client Exchange library
ii libncurses55.5-5 Shared libraries for terminal hand
ii libsm6 1:1.0.1-3 X11 Session Management library
ii libx11-6 2:1.0.3-7 X11 client-side library
ii libxaw71:1.0.2-4 X11 Athena Widget library
ii libxext6 1:1.0.1-2 X11 miscellaneous extension librar
ii libxft22.1.8.2-8 FreeType-based font drawing librar
ii libxmu61:1.0.2-2 X11 miscellaneous utility library
ii libxt6 1:1.0.2-2 X11 toolkit intrinsics library
ii xbitmaps 1.0.1-2 Base X bitmaps
Versions of packages xterm recommends:
ii xutils 1:7.1.ds.3-1 X Window System utility programs
-- no debconf information
--- misc.c.bak 2006-10-18 07:23:20.0 +1000
+++ misc.c 2008-12-29 07:06:25.0 +1100
@@ -2259,11 +2259,12 @@
unparseputc1(xw, DCS);
unparseputc(xw, okay ? '1' : '0');
unparseputc(xw, '$');
unparseputc(xw, 'r');
- if (okay)
+ if (okay) {
cp = reply;
- unparseputs(xw, cp);
+ unparseputs(xw, cp);
+ }
unparseputc1(xw, ST);
} else {
unparseputc(xw, CAN);
}
