Package: xterm
Severity: grave
This is a side effect of bug 384593 regarding allowWindowOps which is now
closed. I have listed the severity as grave because bug 384593 was listed as
grave, and this new bug is a direct continuation of that one.
In bug 384593, the resource allowWindowOps was changed from default value true
to false to prevent shell exploits. However the current xterm man page
indicates that the standard behavior is still true:
allowWindowOps (class AllowWindowOps)
Specifies whether extended window control sequences (as used in
dtterm) for should be allowed. The default is ``true.''
The man page needs to be changed to reflect the Debian-specific behavior. I
suggest changing the text from "The default is ``true.''" to "For security
reasons, the default in Debian is ``false.''"
As the developer of a console-based terminal emulator that I tend to run
inside Xterm, this behavior surprised me. Fortunately, the user can fix it
and I have added documentation to my project accordingly.
As it stands now, Debian has made a behavior change to Xterm that deviates
from the "expected" (e.g. what is true most other places) default behavior
and the man page explicitly contradicts the Debian behavior. This is also
not mentioned in /usr/share/doc/xterm/README.Debian, perhaps it should be if
this will be a departure from upstream for a significant time.
$ dpkg -p xterm
Package: xterm
Priority: optional
Section: x11
Installed-Size: 980
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Architecture: i386
Version: 222-1
...
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
