Bug#510030: xterm: DECRQSS and comments
On Mon, Dec 29, 2008 at 13:39:19 +0100, Florian Weimer wrote: * Paul Szabo: Ubuntu still allows window title reporting, and is vulnerable to perl -e 'print \e\]0;;bad-command;\a\e\[21t' Thanks for reporting this. The sid version is also affected because allowWindowOps is not set to false in the configuration. I plan to fix this for etch by disabling UDKs, font shifting, X property changes, and applying Paul's patch. Any objections? Hi, I'm considering the below diff for lenny, please review and tell me whether this is ok for testing-security. Cheers, Julien diff --git a/debian/changelog b/debian/changelog index 2205844..58c0684 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,18 @@ +xterm (235-2) UNRELEASED; urgency=high + + * Backport changes from xterm 238: +- make OSC 3 (change X property) subject to allowWindowOps resource +- make VT220 DSR responses inactive in VT100-mode +- make DECUDK feature inactive in VT100-mode +- respond to incorrectly formatted DECRQSS with a cancel (CVE-2008-2383; + closes: #510030) +- add allowFontOps resource to allow the fontsize-switching and font + query/set control sequences to be enabled/disabled + * Additionally, change the default values for allowFontOps and +allowWindowOps to false. + + -- Julien Cristau jcris...@debian.org Sat, 03 Jan 2009 18:47:43 +0100 + xterm (235-1) unstable; urgency=low * New upstream release. diff --git a/debian/patches/000_backport_from_238.diff b/debian/patches/000_backport_from_238.diff new file mode 100644 index 000..c3e0eda --- /dev/null +++ b/debian/patches/000_backport_from_238.diff @@ -0,0 +1,227 @@ +From xterm #238: +* make OSC 3 (change X property) subject to allowWindowOps resource +* make VT220 DSR responses inactive in VT100-mode +* make DECUDK feature inactive in VT100-mode +* respond to incorrectly formatted DECRQSS with a cancel +* add allowFontOps resource to allow the fontsize-switching and font query/set + control sequences to be enabled/disabled + +Index: xterm/charproc.c +=== +--- xterm.orig/charproc.c xterm/charproc.c +@@ -389,6 +389,7 @@ + static XtResource resources[] = + { + Bres(XtNallowSendEvents, XtCAllowSendEvents, screen.allowSendEvent0, False), ++Bres(XtNallowFontOps, XtCAllowFontOps, screen.allowFontOp0, True), + Bres(XtNallowTitleOps, XtCAllowTitleOps, screen.allowTitleOp0, True), + Bres(XtNallowWindowOps, XtCAllowWindowOps, screen.allowWindowOp0, True), + Bres(XtNaltIsNotMeta, XtCAltIsNotMeta, screen.alt_is_not_meta, False), +@@ -2144,28 +2145,38 @@ + break; + case 15: + /* printer status */ +- reply.a_param[count++] = 13;/* implement printer */ ++ if (screen-terminal_id = 200) { /* VT220 */ ++ reply.a_param[count++] = 13;/* implement printer */ ++ } + break; + case 25: + /* UDK status */ +- reply.a_param[count++] = 20;/* UDK always unlocked */ ++ if (screen-terminal_id = 200) { /* VT220 */ ++ reply.a_param[count++] = 20;/* UDK always unlocked */ ++ } + break; + case 26: + /* keyboard status */ +- reply.a_param[count++] = 27; +- reply.a_param[count++] = 1; /* North American */ +- if (screen-terminal_id = 400) { +- reply.a_param[count++] = 0; /* ready */ +- reply.a_param[count++] = 0; /* LK201 */ ++ if (screen-terminal_id = 200) { /* VT220 */ ++ reply.a_param[count++] = 27; ++ reply.a_param[count++] = 1; /* North American */ ++ if (screen-terminal_id = 400) { ++ reply.a_param[count++] = 0; /* ready */ ++ reply.a_param[count++] = 0; /* LK201 */ ++ } + } + break; + case 53: + /* Locator status */ ++ if (screen-terminal_id = 200) { /* VT220 */ + #if OPT_DEC_LOCATOR +- reply.a_param[count++] = 50;/* locator ready */ ++ reply.a_param[count++] = 50;/* locator ready */ + #else +- reply.a_param[count++] = 53;/* no locator */ ++ reply.a_param[count++] = 53;/* no locator */ + #endif ++ } ++ break; ++ default: + break; + } + +@@ -5525,11 +5536,13 @@ + init_Bres(screen.meta_sends_esc); + + init_Bres(screen.allowSendEvent0); ++init_Bres(screen.allowFontOp0); + init_Bres(screen.allowTitleOp0); + init_Bres(screen.allowWindowOp0); + + /* make a copy so that editres cannot change the resource after startup */ +
Bug#510030: xterm: DECRQSS and comments
* Julien Cristau: I'm considering the below diff for lenny, please review and tell me whether this is ok for testing-security. If I read the patch correctly, you change the compiled-in defaults. This is fine, but is somewhat different from allowWindowOps approach in etch (which shipped a configuration file). etch - lenny updates should work as well and result in a conservative configuration choice. For reference, I've attached the patch I plan to apply to the etch4 version, to reintroduce font shifting support for those who need it. If you think we need to backport more changes in #238, I'm open to that, too. Index: git/ptyx.h === --- git.orig/ptyx.h 2009-01-02 21:35:07.0 +0100 +++ git/ptyx.h 2009-01-02 21:35:23.0 +0100 @@ -1345,8 +1345,10 @@ Boolean bellOnReset;/* bellOnReset */ Boolean visualbell; /* visual bell mode */ Boolean poponbell; /* pop on bell mode */ + Boolean allowFontOps; /* FontOps mode */ Boolean allowSendEvents;/* SendEvent mode */ Boolean allowWindowOps; /* WindowOps mode */ + Boolean allowFontOps0; /* initial FontOps mode */ Boolean allowSendEvent0;/* initial SendEvent mode */ Boolean allowWindowOp0; /* initial WindowOps mode */ Boolean awaitInput; /* select-timeout mode */ Index: git/charproc.c === --- git.orig/charproc.c 2009-01-02 21:35:07.0 +0100 +++ git/charproc.c 2009-01-02 21:35:23.0 +0100 @@ -394,6 +394,7 @@ static XtResource resources[] = { +Bres(XtNallowFontOps, XtCAllowFontOps, screen.allowFontOps0, False), Bres(XtNallowSendEvents, XtCAllowSendEvents, screen.allowSendEvent0, False), Bres(XtNallowWindowOps, XtCAllowWindowOps, screen.allowWindowOp0, True), Bres(XtNalwaysHighlight, XtCAlwaysHighlight, screen.always_highlight, False), @@ -5524,10 +5525,12 @@ init_Bres(screen.meta_sends_esc); init_Bres(screen.allowSendEvent0); +init_Bres(screen.allowFontOps0); init_Bres(screen.allowWindowOp0); /* make a copy so that editres cannot change the resource after startup */ wnew-screen.allowSendEvents = wnew-screen.allowSendEvent0; +wnew-screen.allowFontOps = wnew-screen.allowFontOps0; wnew-screen.allowWindowOps = wnew-screen.allowWindowOp0; #ifndef NO_ACTIVE_ICON Index: git/xterm.h === --- git.orig/xterm.h2009-01-02 21:35:07.0 +0100 +++ git/xterm.h 2009-01-02 21:35:23.0 +0100 @@ -325,6 +325,7 @@ /******/ #define XtNallowC1PrintableallowC1Printable +#define XtNallowFontOpsallowFontOps #define XtNallowSendEvents allowSendEvents #define XtNallowWindowOps allowWindowOps #define XtNalwaysHighlight alwaysHighlight @@ -463,6 +464,7 @@ #define XtNxmcMoveSGR xmcMoveSGR #define XtCAllowC1PrintableAllowC1Printable +#define XtCAllowFontOpsAllowFontOps #define XtCAllowSendEvents AllowSendEvents #define XtCAllowWindowOps AllowWindowOps #define XtCAlwaysHighlight AlwaysHighlight Index: git/xterm.man === --- git.orig/xterm.man 2009-01-02 21:35:23.0 +0100 +++ git/xterm.man 2009-01-02 21:35:23.0 +0100 @@ -1349,6 +1349,10 @@ Although this corresponds to no particular standard, some users insist it is a VT100. The default is ``false.'' +.TP +.B allowFontOps (\fPclass\fB AllowFontOps) +Specifies whether control sequences that set/query the font should be allowed. +The default is ``false.'' .TP 8 .B allowSendEvents (\fPclass\fB AllowSendEvents) Specifies whether or not synthetic key and button events (generated using Index: git/misc.c === --- git.orig/misc.c 2009-01-02 21:37:05.0 +0100 +++ git/misc.c 2009-01-02 21:37:15.0 +0100 @@ -1847,7 +1847,9 @@ case 50: #if OPT_SHIFT_FONTS - if (buf != 0 !strcmp(buf, ?)) { + if (!screen-allowFontOps xw-misc.shift_fonts) { + ; /* disabled via resource or control-sequence */ + } else if (buf != 0 !strcmp(buf, ?)) { int num = screen-menu_font_number; unparseputc1(xw, OSC); -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#510030: xterm: DECRQSS and comments
* Paul Szabo: Ubuntu still allows window title reporting, and is vulnerable to perl -e 'print \e\]0;;bad-command;\a\e\[21t' Thanks for reporting this. The sid version is also affected because allowWindowOps is not set to false in the configuration. I plan to fix this for etch by disabling UDKs, font shifting, X property changes, and applying Paul's patch. Any objections? -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#510030: xterm: DECRQSS and comments
Package: xterm Version: 222-1etch2 Severity: grave Tags: security patch Justification: user security hole DECRQSS Device Control Request Status String DCS $ q simply echoes (responds with) invalid commands. For example, perl -e 'print \eP\$q\nbad-command\n\e\\' would run bad-command. Exploitability is the same as for the window title reporting issue in DSA-380: include the DCS string in an email message to the victim, or arrange to have it in syslog to be viewed by root. The attached patch should fix the problem. --- The default allowWindowOps is false (as should be), but the man page says the default is true. The man page should also mention that turning it on is a security risk, to avoid regression e.g. as per http://bugs.debian.org/384593 http://www.debian.org/security/2003/dsa-380 and also the much older http://www.maths.usyd.edu.au/u/psz/securedu.html#xterm (and private message to xterm maintainers on 9 Mar 2000, seems only grep PSz main.c remains). --- Ubuntu still allows window title reporting, and is vulnerable to perl -e 'print \e\]0;;bad-command;\a\e\[21t' --- I wonder whether the following are handled and/or dangerous: set X property perl -e 'print \e\]3;XTerm.vt100.allowWindowOps=1\e\\' set, get font perl -e 'print \e\]50;bad-command\e\\,\e\]50;?\e\\' UDK setting perl -e 'print \eP1;1|17/0a6261642d636f6d6d616e640a\e\\' then trick user to press F key, or perl -e 'print \eP+q584b5f434f4c524f53\e\\' Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of SydneyAustralia -- System Information: Debian Release: 4.0 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.24-pk03.02-svr Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Versions of packages xterm depends on: ii libc6 2.3.6.ds1-13etch8 GNU C Library: Shared libraries ii libfontconfig1 2.4.2-1.2 generic font configuration library ii libice61:1.0.1-2 X11 Inter-Client Exchange library ii libncurses55.5-5 Shared libraries for terminal hand ii libsm6 1:1.0.1-3 X11 Session Management library ii libx11-6 2:1.0.3-7 X11 client-side library ii libxaw71:1.0.2-4 X11 Athena Widget library ii libxext6 1:1.0.1-2 X11 miscellaneous extension librar ii libxft22.1.8.2-8 FreeType-based font drawing librar ii libxmu61:1.0.2-2 X11 miscellaneous utility library ii libxt6 1:1.0.2-2 X11 toolkit intrinsics library ii xbitmaps 1.0.1-2 Base X bitmaps Versions of packages xterm recommends: ii xutils 1:7.1.ds.3-1 X Window System utility programs -- no debconf information --- misc.c.bak 2006-10-18 07:23:20.0 +1000 +++ misc.c 2008-12-29 07:06:25.0 +1100 @@ -2259,11 +2259,12 @@ unparseputc1(xw, DCS); unparseputc(xw, okay ? '1' : '0'); unparseputc(xw, '$'); unparseputc(xw, 'r'); - if (okay) + if (okay) { cp = reply; - unparseputs(xw, cp); + unparseputs(xw, cp); + } unparseputc1(xw, ST); } else { unparseputc(xw, CAN); }