Author: branden Date: 2003-09-02 14:41:52 -0500 (Tue, 02 Sep 2003) New Revision: 468
Added: branches/4.1.0/woody/debian/patches/069_SECURITY_xterm_window_title_reporting.diff branches/4.1.0/woody/debian/patches/070_SECURITY_xterm_dec_udk_sequence_DoS.diff Modified: branches/4.1.0/woody/debian/changelog Log: debian/patches/069_SECURITY_xterm_window_title_reporting.diff: disable xterm's window title reporting escape sequence debian/patches/070_SECURITY_xterm_dec_udk_sequence_DoS.diff: fix term to ignore malformed DEC UDK escape sequences instead of locking up Modified: branches/4.1.0/woody/debian/changelog =================================================================== --- branches/4.1.0/woody/debian/changelog 2003-09-02 19:33:26 UTC (rev 467) +++ branches/4.1.0/woody/debian/changelog 2003-09-02 19:41:52 UTC (rev 468) @@ -1,3 +1,16 @@ +xfree86 (4.1.0-16woody1) stable; urgency=high + + * Security update release. Resolves the following issues: + + CAN-2003-0063 (xterm window title reporting can deceive user) + + CAN-2003-0071 (xterm susceptible to DEC UDK sequence DoS attack) + + * patch #069: new; disable xterm's window title reporting escape sequence + + * patch #070: new; fix term to ignore malformed DEC UDK escape sequences + instead of locking up + + -- Branden Robinson <[EMAIL PROTECTED]> Tue, 2 Sep 2003 14:34:48 -0500 + xfree86 (4.1.0-16) unstable; urgency=high * patch #000_stolen_from_HEAD: Added: branches/4.1.0/woody/debian/patches/069_SECURITY_xterm_window_title_reporting.diff =================================================================== --- branches/4.1.0/woody/debian/patches/069_SECURITY_xterm_window_title_reporting.diff 2003-09-02 19:33:26 UTC (rev 467) +++ branches/4.1.0/woody/debian/patches/069_SECURITY_xterm_window_title_reporting.diff 2003-09-02 19:41:52 UTC (rev 468) 
@@ -0,0 +1,39 @@ +> - Xterm, provided as part of the XFree86 packages, provides an escape +> sequence for reporting the current window title. This escape sequence +> essentially takes the current title and places it directly on the command +> line. An attacker can craft an escape sequence that sets the victim's Xterm +> window title to an arbitrary command, and then reports it to the command +> line. Since it is not possible to embed a carriage return into the window +> title, the attacker would then have to convince the victim to press Enter +> for the shell to process the title as a command, although the attacker +> could craft other escape sequences that might convince the victim to do so. +> The Common Vulnerabilities and Exposures project (cve.mitre.org) has +> assigned the name CAN-2003-0063 to this issue. + +Thomas Dickey fixed this in XTerm #174, which was committed to XFree86 +CVS HEAD in 2003-02-25. XTerm #174 makes window title reporting a +user-configurable option via the X resource allowWindowOps, which +defaults off. This option is documented in the manual page as of that +version. + +Red Hat's fix is to ignore the escape sequence that prints the window +title. + +This is Red Hat's fix. 
+ +--- xc/programs/xterm/charproc.c 2002-01-07 16:02:44.000000000 -0500 ++++ xc/programs/xterm/charproc.c 2003-04-03 11:43:14.000000000 -0500 +@@ -3751,11 +3751,13 @@ + break; + + case 21: /* Report the window's title */ ++#if 0 + report_win_label(screen, 'l', &text, + XGetWMName( + screen->display, + VShellWindow, + &text)); ++#endif + break; + + default: /* DECSLPP (24, 25, 36, 48, 72, 144) */ Added: branches/4.1.0/woody/debian/patches/070_SECURITY_xterm_dec_udk_sequence_DoS.diff =================================================================== --- branches/4.1.0/woody/debian/patches/070_SECURITY_xterm_dec_udk_sequence_DoS.diff 2003-09-02 19:33:26 UTC (rev 467) +++ branches/4.1.0/woody/debian/patches/070_SECURITY_xterm_dec_udk_sequence_DoS.diff 2003-09-02 19:41:52 UTC (rev 468) @@ -0,0 +1,27 @@ +> - It is possible to lock up versions of Xterm by sending an invalid DEC +> UDK escape sequence. (CAN-2003-0071) + +Thomas Dickey fixed this in XTerm #173, which was committed to XFree86 +CVS HEAD on 2003-02-06. + +This patch is derived from XTerm #173. + +--- xc/programs/xterm/misc.c 2001-10-23 21:21:24.000000000 -0400 ++++ xc/programs/xterm/misc.c 2003-04-03 11:00:48.000000000 -0500 +@@ -1649,6 +1649,7 @@ + reset_decudk(); + + while (*cp) { ++ char *base = cp; + char *str = (char *)malloc(strlen(cp) + 2); + unsigned key = 0; + int len = 0; +@@ -1675,6 +1676,8 @@ + } + if (*cp == ';') + cp++; ++ if (cp == base) /* badly-formed sequence - bail out */ ++ break; + } + } + break;
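Review bot: the changelog hunk's entry `* patch #070: new; fix term to ignore malformed DEC UDK escape sequences` (and the same wording in the commit log) says "fix term" where "fix xterm" is meant; correct it before upload so the changelog names the program actually being patched.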
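Review bot: the charproc.c hunk in 069 compiles out the `case 21` report with a bare `#if 0` / `#endif`, leaving nothing in the source to say why; a comment on that line, e.g. `#if 0 /* CAN-2003-0063: window title reporting disabled */`, would keep the intent visible through later merges. Because this is the Red Hat approach rather than upstream's allowWindowOps resource described in the header, the header should also state that users get no way to re-enable the report, and the manual page (not touched by this patch) should be checked so it does not still describe the title-reporting sequence as available. Minor: "committed to XFree86 CVS HEAD in 2003-02-25" should read "on 2003-02-25", matching the wording used in 070.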
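Review bot: in the second misc.c hunk of 070, the new `if (cp == base) break;` exits the loop while `str`, allocated at the top of the same iteration by `malloc(strlen(cp) + 2)`, may still be live; the lines between `int len = 0;` and the bail-out are not in the hunk, so confirm that `str` is freed (or stored) before the `break`, otherwise every malformed DEC UDK sequence leaks one buffer. The no-progress check itself is the right guard against the lockup, since an iteration that consumes no characters would otherwise repeat forever; since the header says the patch is "derived from" XTerm #173, a one-line note on how it differs from the upstream change would help the next person merging against HEAD.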