* Julien Cristau:
> I'm considering the below diff for lenny, please review and tell me
> whether this is ok for testing-security.
If I read the patch correctly, you change the compiled-in defaults.
This is fine, but is somewhat different from the allowWindowOps approach
in etch (which shipped a conf
On Mon, Dec 29, 2008 at 13:39:19 +0100, Florian Weimer wrote:
> * Paul Szabo:
>
> > Ubuntu still allows window title reporting, and is vulnerable to
> > perl -e 'print "\e\]0;;bad-command;\a\e\[21t"'
>
> Thanks for reporting this.
>
> The sid version is also affected because allowWindowOps is n
* Paul Szabo:
> Ubuntu still allows window title reporting, and is vulnerable to
> perl -e 'print "\e\]0;;bad-command;\a\e\[21t"'
Thanks for reporting this.
The sid version is also affected because allowWindowOps is not set to
false in the configuration.
I plan to fix this for etch by disabling
Package: xterm
Version: 222-1etch2
Severity: grave
Tags: security patch
Justification: user security hole
DECRQSS Device Control Request Status String "DCS $ q" simply echoes
(responds with) invalid commands. For example,
perl -e 'print "\eP\$q\nbad-command\n\e\\"'
would run bad-command.
Exploit
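A defensive counterpart to the sequences discussed in this thread, added here and not part of the bug report or of xterm itself: a small Python filter that flags and strips DCS (including DECRQSS), OSC and non-colour CSI sequences before untrusted text (log files, filenames, fetched content) is written to a terminal. The regexes are constructed for this example and handle 7-bit ESC introducers only.

```python
import re

# Escape-sequence families mentioned in the thread (regex constructed for
# this example, not xterm's own parser; 7-bit ESC introducers only):
#   DCS  ESC P ... ESC \      DECRQSS is ESC P $ q <payload> ESC \
#   OSC  ESC ] ... BEL|ESC \  OSC 0 / 2 set the window title
#   CSI  ESC [ params final   CSI 21 t asks xterm to report the title back
_SEQ = re.compile(
    r"\x1bP(?P<dcs>.*?)(?:\x1b\\|\x9c)"                   # DCS ... ST
    r"|\x1b\](?P<osc>.*?)(?:\x07|\x1b\\|\x9c)"            # OSC ... BEL/ST
    r"|\x1b\[(?P<params>[0-?]*)[ -/]*(?P<final>[@-~])"    # CSI
    r"|\x1b[ -/]*(?P<esc>[0-~])"                          # 2/3-byte ESC seqs
    r"|(?P<lone>\x1b)",                                   # trailing bare ESC
    re.S)

def _classify(m):
    """Name the sequence family; SGR (colour) is the only one we keep."""
    if m.group("dcs") is not None:
        return ("DECRQSS" if m.group("dcs").startswith("$q") else "DCS",
                m.group("dcs"))
    if m.group("osc") is not None:
        return ("OSC", m.group("osc"))
    if m.group("final") is not None:
        kind = "SGR" if m.group("final") == "m" else "CSI"
        return (kind, m.group("params") + m.group("final"))
    return ("ESC", m.group("esc") or "")

def find_answerback_sequences(text):
    """List every (kind, detail) that is not plain colour: anything else may
    make the terminal write bytes back into the shell's input queue."""
    return [c for c in map(_classify, _SEQ.finditer(text)) if c[0] != "SGR"]

def sanitize(text):
    """Strip all escape sequences except SGR from untrusted output that is
    about to be printed to a terminal."""
    return _SEQ.sub(lambda m: m.group(0) if _classify(m)[0] == "SGR" else "",
                    text)

if __name__ == "__main__":
    # Both payloads from the thread, reconstructed here from the perl one-liners.
    title_report = "\x1b]0;;bad-command;\x07\x1b[21t"
    decrqss = "\x1bP$q\nbad-command\n\x1b\\"
    for p in (title_report, decrqss):
        print(find_answerback_sequences(p), repr(sanitize(p)))
```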