Re: security vulnerabilities in fvwm[_-]menu... scripts?
On Fri, Mar 19, 2004 at 05:13:36PM +, Mikhael Goikhman wrote:
> On 19 Mar 2004 16:29:09 +0100, Dominik Vogt wrote:
> > On 1-Jan-2004 you fixed a vulnerability in fvwm-menu-directory.in that allowed an attacker to execute commands with the rights of the fvwm user. I have backported it to 2.4.18, but I'm unsure if the other fvwm-menu* scripts are vulnerable too.
>
> Only fvwm-menu-directory builds a menu from an arbitrary directory listing. Others use different methods to obtain the content. Well, if someone patches xlock -help output, or breaks into the FreshMeat server, or affects gnome's installation, then theoretically other scripts may be problematic too. However it is easier just to patch fvwm and insert some trojan. Additionally, these other scripts process one input line at a time, and this line is escaped, so this multi-line problem can't appear.
>
> > The fvwm_make_{browse,directory}_menu.sh scripts are definitely vulnerable too. As I don't know how to fix them, should they be removed?
>
> These scripts are not installed, so they are less of a problem. Also they use ls | sed to obtain the listing and not readdir(2). It is possible that there is some kind of shell escaping vulnerability, but not this multi-line vulnerability.

Yes. There was a problem with double quotes in file names. I solved it by removing the quotes with sed.

> I think they simply produce incorrect menu entries if a file name contains an end of line char, that's ok.
>
> P.S. Unfortunately my mouse is killed right now, so I am not very workable to test what I said. My fvwm is very usable, but applications are usually not designed to work well without a mouse. The most missing feature is copy-and-paste in the terminal, needed for any sane work. I managed to lock X when I tried to emulate mouse clicks using Shift-NumLock keypad presses... Hopefully I will fix my mouse soon. :)

Q 3.5 in the FAQ describes how to set up the keyboard to simulate the mouse in XFree.
Ciao

Dominik ^_^ ^_^

--
Visit the official FVWM web page at URL:http://www.fvwm.org/.
To unsubscribe from the list, send unsubscribe fvwm-workers in the body of a message to [EMAIL PROTECTED]
To report problems, send mail to [EMAIL PROTECTED]
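As an added example (not code from fvwm, nor from fvwm-menu-directory or the fvwm_make_*_menu.sh scripts discussed above), the following POSIX sh fragment shows a directory-to-menu builder that handles the two file-name problems raised in the thread: a name containing a newline, which would otherwise be read by fvwm as a second, attacker-chosen configuration line, and a name containing double quotes, which breaks the quoting of the menu label. The listing comes from a shell glob rather than "ls | sed", so each name reaches the loop intact; newline names are refused and double quotes are stripped, mirroring the sed-based fix mentioned in the reply. The function names and the "Exec exec xterm -e less" menu action are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from fvwm or from the scripts named in the thread.
# Builds fvwm "AddToMenu" lines from a directory while neutralising the two
# file-name problems discussed: an embedded newline (which would smuggle in
# an extra config line) and embedded double quotes (which break the label).
# Assumed menu action (placeholder): "Exec exec xterm -e less FILE".

nl='
'

# menu_entry MENU DIR NAME
# Prints one AddToMenu line for NAME (an entry of DIR).  A NAME containing a
# newline is refused: nothing is printed and the function returns 1.
menu_entry() {
    menu=$1
    dir=$2
    name=$3
    case $name in
        *"$nl"*) return 1 ;;
    esac
    # Strip double quotes instead of escaping them, as the sed-based fix in
    # the thread did.  The resulting entry for such a file points at a path
    # that does not exist, which is harmless.
    clean=$(printf '%s' "$name" | tr -d '"')
    printf 'AddToMenu %s "%s" Exec exec xterm -e less "%s/%s"\n' \
        "$menu" "$clean" "$dir" "$clean"
}

# directory_menu MENU DIR
# Emits one line per entry of DIR (dot files included).  A shell glob is used
# instead of "ls | sed", so a name is never split on the newlines it may
# contain; refused names are simply skipped.
directory_menu() {
    for path in "$2"/* "$2"/.[!.]*; do
        [ -e "$path" ] || continue              # an unmatched glob stays literal
        menu_entry "$1" "$2" "${path##*/}" || :  # skip refused names
    done
}

# Stand-alone use: list the directory given as the first argument (default ".").
directory_menu Files "${1:-.}"
```

Run it as "sh menu.sh /some/dir" and pipe the output into an fvwm Read or PipeRead; entries whose name embeds a newline are dropped rather than passed on to the config parser.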
Re: cvs down
On Sat, Mar 27, 2004 at 04:49:51PM -0600, Jason L Tibbitts III wrote:
> "DE" == Dan Espen [EMAIL PROTECTED] writes:
>
> DE> Just checked my home and work Linux machines, same problem.
>
> Do the Linux machines share a common CVS version? The server is running 1.11.1p1 plus security patches. This hasn't changed since the last CVS security hole. My home machine is running 1.11.2, but I also checked 1.11.5 and it works fine as well. A long time ago we had a problem with the version of CVS on the server causing client hangs but that was resolved, and in any case the versions on the server haven't changed so this has got to be either a networking or client issue.

I'm running cvs-1.11.1p1 like the server. Of course that's not surprising because you downgraded the server to the old version because I had hangs.

> Also check /proc/sys/net/ipv4/tcp_ecn; make sure it's off.

It's off.

Ciao

Dominik ^_^ ^_^
window-specific key-bindings patch
Hi Dominik,

This post: http://www.hpc.uh.edu/fvwm/archive/0403/msg00054.html contains my modified patch for window-specific key/mouse bindings. I hadn't planned to make any further modifications, but if there's something you'd like me to change just say so ...

The initial patch (with an example of usage) is here: http://www.hpc.uh.edu/fvwm/archive/0403/msg0.html

SCoTT. :)
Re: cvs down
On Sat, Mar 27, 2004 at 03:40:15PM -0600, Jason L Tibbitts III wrote:
> "DE" == Dan Espen [EMAIL PROTECTED] writes:
>
> DE> I see the cvspserver port 2401 is open. I tried to telnet to that
> DE> port, but so far it's hanging just like it does when I try CVS.
>
> Still can't find anything wrong; just did another full checkout from yet another location and it went fine. There are no hung CVS processes on the server and no error messages in any logs. Other users seem to be connecting fine. Nothing has changed on the server recently that would cause problems. If anyone else is having problems, please speak up.

I have the same problem as Dan. CVS just hangs.

---
$ traceroute 129.7.128.22
traceroute to 129.7.128.22 (129.7.128.22), 30 hops max, 38 byte packets
 1  gw-ma-a.dev-system.ma.schlund.de (172.17.39.253)  0.510 ms  0.436 ms  0.425 ms
 2  gw-nat-a.dist.bs.ka.schlund.net (212.227.125.234)  0.400 ms  0.301 ms  0.362 ms
 3  v999.gw-dist-a.bs.ka.schlund.net (212.227.125.253)  0.521 ms  0.580 ms  0.462 ms
 4  ge-42.gw-backbone-b.bs.ka.schlund.net (212.227.121.232)  0.551 ms  0.509 ms  0.563 ms
 5  pos-80.gw-backbone-b.ffm.schlund.net (212.227.112.127)  3.024 ms  3.100 ms  3.069 ms
 6  212.162.44.157 (212.162.44.157)  3.349 ms  3.349 ms  3.306 ms
 7  ae-0-51.mp1.Frankfurt1.Level3.net (195.122.136.1)  3.994 ms  3.791 ms  3.910 ms
 8  so-2-0-0.mp2.Amsterdam1.Level3.net (212.187.128.94)  10.153 ms  10.157 ms  10.251 ms
 9  ge-6-2.core2.Amsterdam1.Level3.net (213.244.165.118)  10.413 ms  10.308 ms  10.288 ms
10  Verio-Level3.Level3.net (213.244.165.242)  23.462 ms  23.372 ms  23.273 ms
11  p16-2-0-0.r01.amstnl02.nl.bb.verio.net (129.250.2.135)  80.279 ms  23.594 ms  23.581 ms
12  p16-1-0-0.r80.asbnva01.us.bb.verio.net (129.250.5.87)  99.250 ms  99.144 ms  99.260 ms
13  p16-0-1-1.r20.asbnva01.us.bb.verio.net (129.250.2.38)  99.196 ms  98.944 ms  99.137 ms
14  p16-0-0-0.r00.atlnga03.us.bb.verio.net (129.250.2.49)  115.749 ms p16-0-1-1.r21.dllstx09.us.bb.verio.net (129.250.5.34)  128.464 ms  128.418 ms
15  p16-2-0-0.r01.atlnga03.us.bb.verio.net (129.250.5.17)  132.889 ms p16-6-0-0.r02.hstntx01.us.bb.verio.net (129.250.5.101)  134.676 ms p16-2-0-0.r01.atlnga03.us.bb.verio.net (129.250.5.17)  132.722 ms
16  p16-1-0-2.r20.dllstx09.us.bb.verio.net (129.250.4.194)  132.634 ms ge-0-2-0.a03.hstntx01.us.ra.verio.net (129.250.29.89)  134.661 ms p16-1-0-2.r20.dllstx09.us.bb.verio.net (129.250.4.194)  132.478 ms
17  a1-1-2-0-2.a03.hstntx01.us.ce.verio.net (128.241.11.50)  136.002 ms  135.776 ms p16-5-0-0.r02.hstntx01.us.bb.verio.net (129.250.5.41)  137.789 ms
18  vespasian-vlan10.gw.uh.edu (129.7.254.254)  136.418 ms ge-0-2-0.a03.hstntx01.us.ra.verio.net (129.250.29.89)  137.987 ms vespasian-vlan10.gw.uh.edu (129.7.254.254)  136.564 ms
19  a1-1-2-0-2.a03.hstntx01.us.ce.verio.net (128.241.11.50)  139.130 ms * 139.558 ms
20  vespasian-vlan10.gw.uh.edu (129.7.254.254)  139.623 ms util1.math.uh.edu (129.7.128.22)  136.176 ms vespasian-vlan10.gw.uh.edu (129.7.254.254)  139.781 ms
---

Ciao

Dominik ^_^ ^_^
Re: cvs down
On Mon, Mar 29, 2004 at 10:58:24AM +0200, fvwm-workers wrote:
> On Sat, Mar 27, 2004 at 04:49:51PM -0600, Jason L Tibbitts III wrote:
> > "DE" == Dan Espen [EMAIL PROTECTED] writes:
> >
> > DE> Just checked my home and work Linux machines, same problem.
> >
> > Do the Linux machines share a common CVS version? The server is running 1.11.1p1 plus security patches. This hasn't changed since the last CVS security hole. My home machine is running 1.11.2, but I also checked 1.11.5 and it works fine as well. A long time ago we had a problem with the version of CVS on the server causing client hangs but that was resolved, and in any case the versions on the server haven't changed so this has got to be either a networking or client issue.
>
> I'm running cvs-1.11.1p1 like the server. Of course that's not surprising because you downgraded the server to the old version because I had hangs.
>
> > Also check /proc/sys/net/ipv4/tcp_ecn; make sure it's off.
>
> It's off.

I have the same problem from my home machine (1.11.1p1 too).

Ciao

Dominik ^_^ ^_^

--
Dominik Vogt, [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
typo in manpage
I just found a typo in the manpage.

    if the window being placed has the EWMHPlacemen tUseWoringArea style and windows with an EWMH strut
                                                   ^^^

Best regards
Jochen
Re: small Makefile.am bug(?) in FvwmGtk
On Wed, Mar 17, 2004 at 11:48:24AM +0100, Stephan Beyer wrote:
> > > If it's a feature, and not a bug, please tell me why the FvwmGtk manual page isn't installed on my system... ;)
> >
> > It's only installed if FvwmGtk is installed too.
>
> FvwmGtk is installed too, of course...

Ah, forget my earlier mail. I see the problem too. It seems to be an automake bug: although the man_MANS variable is not empty in the Makefile, automake does not generate an install rule for man pages. I'll commit a fix as soon as I can access CVS again.

Ciao

Dominik ^_^ ^_^

--
Dominik Vogt, [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]