Package: xterm
Version: 222-1etch2
Severity: grave
Tags: security patch
Justification: user security hole
DECRQSS Device Control Request Status String "DCS $ q" simply echoes
(responds with) invalid commands. For example,

  perl -e 'print "\eP\$q\nbad-command\n\e\\"'

would run bad-command. Exploitability is the same as for the "window title
reporting" issue in DSA-380: include the DCS string in an email message to
the victim, or arrange to have it in syslog to be viewed by root.

The attached patch should fix the problem.

---

The default allowWindowOps is false (as should be), but the man page says
the default is true. The man page should also mention that turning it on is
a security risk, to avoid regression e.g. as per
  http://bugs.debian.org/384593
  http://www.debian.org/security/2003/dsa-380
and also the much older
  http://www.maths.usyd.edu.au/u/psz/securedu.html#xterm
(and private message to xterm maintainers on 9 Mar 2000, seems only
"grep PSz main.c" remains).

---

Ubuntu still allows window title reporting, and is vulnerable to

  perl -e 'print "\e\]0;;bad-command;\a\e\[21t"'

---

I wonder whether the following are handled and/or dangerous:

set X property
  perl -e 'print "\e\]3;XTerm.vt100.allowWindowOps=1\e\\"'

set, get font
  perl -e 'print "\e\]50;bad-command\e\\","\e\]50;?\e\\"'

UDK setting
  perl -e 'print "\eP1;1|17/0a6261642d636f6d6d616e640a\e\\"'
then trick user to press F key, or
  perl -e 'print "\eP+q584b5f434f4c524f53\e\\"'

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24-pk03.02-svr
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages xterm depends on:
ii  libc6           2.3.6.ds1-13etch8  GNU C Library: Shared libraries
ii  libfontconfig1  2.4.2-1.2          generic font configuration library
ii  libice6         1:1.0.1-2          X11 Inter-Client Exchange library
ii  libncurses5     5.5-5              Shared libraries for terminal hand
ii  libsm6          1:1.0.1-3          X11 Session Management library
ii  libx11-6        2:1.0.3-7          X11 client-side library
ii  libxaw7         1:1.0.2-4          X11 Athena Widget library
ii  libxext6        1:1.0.1-2          X11 miscellaneous extension librar
ii  libxft2         2.1.8.2-8          FreeType-based font drawing librar
ii  libxmu6         1:1.0.2-2          X11 miscellaneous utility library
ii  libxt6          1:1.0.2-2          X11 toolkit intrinsics library
ii  xbitmaps        1.0.1-2            Base X bitmaps

Versions of packages xterm recommends:
ii  xutils          1:7.1.ds.3-1       X Window System utility programs

-- no debconf information
--- misc.c.bak 2006-10-18 07:23:20.000000000 +1000 +++ misc.c 2008-12-29 07:06:25.000000000 +1100 @@ -2259,11 +2259,12 @@ unparseputc1(xw, DCS); unparseputc(xw, okay ? '1' : '0'); unparseputc(xw, '$'); unparseputc(xw, 'r'); - if (okay) + if (okay) { cp = reply; - unparseputs(xw, cp); + unparseputs(xw, cp); + } unparseputc1(xw, ST); } else { unparseputc(xw, CAN); }
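Review bot: the logic fix is right, but it deserves a comment. Before this hunk `cp = reply;` was the only statement governed by `if (okay)`, so `unparseputs(xw, cp);` ran unconditionally and a request that failed validation still had whatever `cp` already pointed at (the unvalidated request text, per the report) written back into the input stream between `DCS 0 $ r` and `ST`. With the braces the non-okay path now answers with the bare `DCS 0 $ r ST`. Since the unbraced form looked intentional and regressed silently, add a one-line comment above the `if (okay) {` stating that the reply body must only be emitted for a validated request; it is also worth confirming, outside this hunk, that `reply` in the okay path is built solely from xterm's own state.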
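From the defender's side, the common thread in the report is any sequence that makes the terminal answer, since the answer lands in the foreground shell as if typed. The following is an added example, not code from the bug report or from xterm: a filter that flags and strips such control strings from untrusted text (mail, syslog) before it is displayed. The function names and the sample log line are constructed for this example.

```python
import re

# Added example, not from the bug report or from xterm. Filter untrusted text
# (mail bodies, syslog lines) before it reaches a terminal: every sequence the
# report abuses makes the terminal *answer* (DECRQSS "DCS $ q", title set plus
# "CSI 21 t" report, OSC 50 font query, "DCS + q" termcap query, DCS UDK), and
# the answer reaches the foreground shell as if typed. Works on decoded str,
# so U+0080-U+009F are genuine C1 controls, not UTF-8 continuation bytes.

# Control strings: DCS (ESC P / 0x90), SOS (ESC X / 0x98), PM (ESC ^ / 0x9e),
# APC (ESC _ / 0x9f) run until ST (ESC \ or 0x9c); OSC (ESC ] / 0x9d) may also
# end with BEL. An unterminated string is cut to end of input, not let through.
_CTRL_STRING = re.compile(
    r"(?:\x1b[PX^_]|[\x90\x98\x9e\x9f])(?:.*?(?:\x1b\\|\x9c)|.*)"
    r"|(?:\x1b\]|\x9d)(?:.*?(?:\x1b\\|\x9c|\x07)|.*)",
    re.DOTALL,
)
# CSI: ESC [ or 0x9b, parameter/intermediate bytes 0x20-0x3f, final 0x40-0x7e.
_CSI = re.compile(r"(?:\x1b\[|\x9b)[\x20-\x3f]*[\x40-\x7e]")
# Any other ESC + one byte, plus leftover C0/C1 controls except TAB and LF.
_OTHER = re.compile(r"\x1b.|[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]", re.DOTALL)

# Response-provoking requests named in the report, for alerting on the input.
_REQUESTS = {
    "DECRQSS (DCS $ q)": re.compile(r"(?:\x1bP|\x90)\$q"),
    "title report (CSI 21 t)": re.compile(r"(?:\x1b\[|\x9b)21t"),
    "OSC 50 font query": re.compile(r"(?:\x1b\]|\x9d)50;\?"),
    "DCS + q termcap query": re.compile(r"(?:\x1bP|\x90)\+q"),
    "DCS user-defined keys": re.compile(r"(?:\x1bP|\x90)[0-9;]*\|"),
}


def find_answerback_requests(text: str) -> list:
    """Names of response-provoking requests present in text."""
    return [name for name, rx in _REQUESTS.items() if rx.search(text)]


def strip_terminal_controls(text: str) -> str:
    """Remove control strings, CSI sequences and stray control bytes."""
    text = _CTRL_STRING.sub("", text)
    text = _CSI.sub("", text)
    return _OTHER.sub("", text)


if __name__ == "__main__":
    # Constructed sample: the report's DECRQSS payload embedded in a log line.
    line = ("Dec 29 07:06:25 host sshd[123]: Invalid user "
            "\x1bP$q\nbad-command\n\x1b\\ from 203.0.113.5\n")
    print(find_answerback_requests(line))   # ['DECRQSS (DCS $ q)']
    print(repr(strip_terminal_controls(line)))
```

Run the filter on the output side of `less`, `tail -f` or a mail reader pipeline; flagged inputs are worth logging separately, since a control string in syslog means someone got it there deliberately.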