Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2008-2383: #510030 - [CVE-2008-2383] xterm: DECRQSS and comments

CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071.

CVE
#vulnerability#mac#ubuntu#linux#debian#git#perl#amd

Debian Bug report logs - #510030
[CVE-2008-2383] xterm: DECRQSS and comments

Reported by: Paul Szabo [email protected]

Date: Sun, 28 Dec 2008 20:27:02 UTC

Severity: grave

Tags: patch, security

Found in versions xterm/222-1etch2, xterm/222-1

Fixed in versions 238-1, xterm/222-1etch3, xterm/235-2

Done: Julien Cristau [email protected]

Bug is archived. No further changes may be made.

Toggle useless messages

Report forwarded to [email protected], Debian Security Team [email protected], Debian X Strike Force [email protected]:
Bug#510030; Package xterm. (Sun, 28 Dec 2008 20:27:04 GMT) (full text, mbox, link).

Acknowledgement sent to Paul Szabo [email protected]:
New Bug report received and forwarded. Copy sent to Debian Security Team [email protected], Debian X Strike Force [email protected]. (Sun, 28 Dec 2008 20:27:04 GMT) (full text, mbox, link).

Message #5 received at [email protected] (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Package: xterm Version: 222-1etch2 Severity: grave Tags: security patch Justification: user security hole

DECRQSS Device Control Request Status String “DCS $ q” simply echoes (responds with) invalid commands. For example, perl -e ‘print "\eP\$q\nbad-command\n\e\\"’ would run bad-command.

Exploitability is the same as for the “window title reporting” issue in DSA-380: include the DCS string in an email message to the victim, or arrange to have it in syslog to be viewed by root.

The attached patch should fix the problem.


The default allowWindowOps is false (as should be), but the man page says the default is true. The man page should also mention that turning it on is a security risk, to avoid regression e.g. as per http://bugs.debian.org/384593 http://www.debian.org/security/2003/dsa-380 and also the much older http://www.maths.usyd.edu.au/u/psz/securedu.html#xterm (and private message to xterm maintainers on 9 Mar 2000, seems only “grep PSz main.c” remains).


Ubuntu still allows window title reporting, and is vulnerable to perl -e ‘print "\e\]0;;bad-command;\a\e\[21t"’


I wonder whether the following are handled and/or dangerous: set X property perl -e ‘print "\e\]3;XTerm.vt100.allowWindowOps=1\e\\"’ set, get font perl -e ‘print "\e\]50;bad-command\e\\","\e\]50;?\e\\"’ UDK setting perl -e ‘print "\eP1;1|17/0a6261642d636f6d6d616e640a\e\\"’ then trick user to press F key, or perl -e ‘print "\eP+q584b5f434f4c524f53\e\\"’

Paul Szabo [email protected] http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia

– System Information: Debian Release: 4.0 APT prefers stable APT policy: (500, ‘stable’) Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.24-pk03.02-svr Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages xterm depends on: ii libc6 2.3.6.ds1-13etch8 GNU C Library: Shared libraries ii libfontconfig1 2.4.2-1.2 generic font configuration library ii libice6 1:1.0.1-2 X11 Inter-Client Exchange library ii libncurses5 5.5-5 Shared libraries for terminal hand ii libsm6 1:1.0.1-3 X11 Session Management library ii libx11-6 2:1.0.3-7 X11 client-side library ii libxaw7 1:1.0.2-4 X11 Athena Widget library ii libxext6 1:1.0.1-2 X11 miscellaneous extension librar ii libxft2 2.1.8.2-8 FreeType-based font drawing librar ii libxmu6 1:1.0.2-2 X11 miscellaneous utility library ii libxt6 1:1.0.2-2 X11 toolkit intrinsics library ii xbitmaps 1.0.1-2 Base X bitmaps

Versions of packages xterm recommends: ii xutils 1:7.1.ds.3-1 X Window System utility programs

– no debconf information

[misc.c.patch (text/plain, attachment)]

Changed Bug title to `[CVE-2008-2383] xterm: DECRQSS and comments’ from `xterm: DECRQSS and comments’. Request was from Florian Weimer [email protected] to [email protected]. (Mon, 29 Dec 2008 08:24:02 GMT) (full text, mbox, link).

Information forwarded to [email protected], Debian X Strike Force [email protected]:
Bug#510030; Package xterm. (Mon, 29 Dec 2008 12:42:02 GMT) (full text, mbox, link).

Acknowledgement sent to Florian Weimer [email protected]:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force [email protected]. (Mon, 29 Dec 2008 12:42:02 GMT) (full text, mbox, link).

Message #12 received at [email protected] (full text, mbox, reply):

* Paul Szabo:

Ubuntu still allows window title reporting, and is vulnerable to perl -e ‘print "\e\]0;;bad-command;\a\e\[21t"’

Thanks for reporting this.

The sid version is also affected because allowWindowOps is not set to false in the configuration.

I plan to fix this for etch by disabling UDKs, font shifting, X property changes, and applying Paul’s patch. Any objections?

Message sent on to Paul Szabo [email protected]:
Bug#510030. (Tue, 30 Dec 2008 13:54:12 GMT) (full text, mbox, link).

Message #15 received at [email protected] (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

>I plan to fix this for etch by disabling UDKs, font shifting, X

property changes, and applying Paul’s patch. Any objections?

well, yes - Szabo’s patch "works", but is incorrect.

For the rest - Matthieu Herrb forwarded Weimer’s proposed patch, which also needs work.

(coincidentally, I’d intended working on xterm today or tomorrow - looks like I have extra to-do items)

bye.

– Thomas E. Dickey [email protected] http://invisible-island.net ftp://invisible-island.net

[signature.asc (application/pgp-signature, inline)]

Reply sent to Julien Cristau [email protected]:
You have taken responsibility. (Sat, 03 Jan 2009 17:09:07 GMT) (full text, mbox, link).

Notification sent to Paul Szabo [email protected]:
Bug acknowledged by developer. (Sat, 03 Jan 2009 17:09:07 GMT) (full text, mbox, link).

Message #20 received at [email protected] (full text, mbox, reply):

Source: xterm Source-Version: 238-1

We believe that the bug you reported is fixed in the latest version of xterm, which is due to be installed in the Debian FTP archive:

xterm_238-1.diff.gz to pool/main/x/xterm/xterm_238-1.diff.gz xterm_238-1.dsc to pool/main/x/xterm/xterm_238-1.dsc xterm_238-1_i386.deb to pool/main/x/xterm/xterm_238-1_i386.deb xterm_238.orig.tar.gz to pool/main/x/xterm/xterm_238.orig.tar.gz

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software pp. Julien Cristau [email protected] (supplier of updated xterm package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Format: 1.8 Date: Sat, 03 Jan 2009 17:35:46 +0100 Source: xterm Binary: xterm Architecture: source i386 Version: 238-1 Distribution: unstable Urgency: low Maintainer: Debian X Strike Force [email protected] Changed-By: Julien Cristau [email protected] Description: xterm - X terminal emulator Closes: 510030 Changes: xterm (238-1) unstable; urgency=low . * New upstream release. + respond to incorrectly formatted DECRQSS with a cancel (closes: #510030). Reference: CVE-2008-2383. * Default the allowWindowOps and allowFontOps resources to false, to prevent potential security issues. Thanks to Paul Szabo. Checksums-Sha1: 93a0b99ae36b2de61ed2f179d9959feba2a6caf5 1344 xterm_238-1.dsc fef9376398b6bca40fed9372af64f08c957c1654 862288 xterm_238.orig.tar.gz 6ef3a6bab3c93fedb8b79b2445c6b981c4dec71f 63166 xterm_238-1.diff.gz 072c8b4cd9642aa827046aa4ade4873f4e273b12 479828 xterm_238-1_i386.deb Checksums-Sha256: a3178d548916c64278ec3b952066b8e8fe3bc86c90b9e3e3f6b68ff34f5d98b5 1344 xterm_238-1.dsc 07957a677c8b8bb33d1aa2b14b3596386cbbf0bba658aeadf6476488bf297f8b 862288 xterm_238.orig.tar.gz 98911b4bb833b3a7e886f3f571a4450e0f968e779ae024a72acfb8673961ed66 63166 xterm_238-1.diff.gz 5a1dd1895b612452a87555319ba16d3e15ac555d491925a16fcd96ed9597e5e3 479828 xterm_238-1_i386.deb Files: 48ce7bd294d18ad0392e73b073daa41f 1344 x11 optional xterm_238-1.dsc 754f670723eb9a20f9f90d7c5f4a5bad 862288 x11 optional xterm_238.orig.tar.gz 3a9924c51f48188b2553cb8f758d0ee3 63166 x11 optional xterm_238-1.diff.gz 286da6762059b87589dd7e29e8d03b02 479828 x11 optional xterm_238-1_i386.deb

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklflj4ACgkQmEvTgKxfcAwc/ACfR5TjnHICgc2b4fvVgTx+glz0 hcAAn0UBOkBKEU6hO6LGE5Pd56qcCTfP =Ztyg -----END PGP SIGNATURE-----

Information forwarded to [email protected], Debian X Strike Force [email protected]:
Bug#510030; Package xterm. (Sat, 03 Jan 2009 18:09:02 GMT) (full text, mbox, link).

Acknowledgement sent to Julien Cristau [email protected]:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force [email protected]. (Sat, 03 Jan 2009 18:09:02 GMT) (full text, mbox, link).

Message #25 received at [email protected] (full text, mbox, reply):

On Mon, Dec 29, 2008 at 13:39:19 +0100, Florian Weimer wrote:

* Paul Szabo:

Ubuntu still allows window title reporting, and is vulnerable to perl -e ‘print "\e\]0;;bad-command;\a\e\[21t"’

Thanks for reporting this.

The sid version is also affected because allowWindowOps is not set to false in the configuration.

I plan to fix this for etch by disabling UDKs, font shifting, X property changes, and applying Paul’s patch. Any objections?

Hi,

I’m considering the below diff for lenny, please review and tell me whether this is ok for testing-security.

Cheers, Julien

diff --git a/debian/changelog b/debian/changelog index 2205844…58c0684 100644 — a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,18 @@ +xterm (235-2) UNRELEASED; urgency=high

  • * Backport changes from xterm 238:
    • make OSC 3 (change X property) subject to allowWindowOps resource
    • make VT220 DSR responses inactive in VT100-mode
    • make DECUDK feature inactive in VT100-mode
    • respond to incorrectly formatted DECRQSS with a cancel (CVE-2008-2383;
  •  closes: #510030)
    
    • add allowFontOps resource to allow the fontsize-switching and font
  •  query/set control sequences to be enabled/disabled
    
  • * Additionally, change the default values for allowFontOps and
  • allowWindowOps to false.
  • – Julien Cristau [email protected] Sat, 03 Jan 2009 18:47:43 +0100

xterm (235-1) unstable; urgency=low

* New upstream release. diff --git a/debian/patches/000_backport_from_238.diff b/debian/patches/000_backport_from_238.diff new file mode 100644 index 0000000…c3e0eda — /dev/null +++ b/debian/patches/000_backport_from_238.diff @@ -0,0 +1,227 @@ +From xterm #238: +* make OSC 3 (change X property) subject to allowWindowOps resource +* make VT220 DSR responses inactive in VT100-mode +* make DECUDK feature inactive in VT100-mode +* respond to incorrectly formatted DECRQSS with a cancel +* add allowFontOps resource to allow the fontsize-switching and font query/set

  • control sequences to be enabled/disabled

+Index: xterm/charproc.c +=================================================================== ±-- xterm.orig/charproc.c ++++ xterm/charproc.c +@@ -389,6 +389,7 @@

  • static XtResource resources[] =
  • {
  • Bres(XtNallowSendEvents, XtCAllowSendEvents, screen.allowSendEvent0, False),
    

++ Bres(XtNallowFontOps, XtCAllowFontOps, screen.allowFontOp0, True),

  • Bres(XtNallowTitleOps, XtCAllowTitleOps, screen.allowTitleOp0, True),
    
  • Bres(XtNallowWindowOps, XtCAllowWindowOps, screen.allowWindowOp0, True),
    
  • Bres(XtNaltIsNotMeta, XtCAltIsNotMeta, screen.alt\_is\_not\_meta, False),
    

+@@ -2144,28 +2145,38 @@

  •   break;
    
  •   case 15:
    
  •   /\* printer status \*/
    

± reply.a_param[count++] = 13; /* implement printer */ ++ if (screen->terminal_id >= 200) { /* VT220 */ ++ reply.a_param[count++] = 13; /* implement printer */ ++ }

  •   break;
    
  •   case 25:
    
  •   /\* UDK status \*/
    

± reply.a_param[count++] = 20; /* UDK always unlocked */ ++ if (screen->terminal_id >= 200) { /* VT220 */ ++ reply.a_param[count++] = 20; /* UDK always unlocked */ ++ }

  •   break;
    
  •   case 26:
    
  •   /\* keyboard status \*/
    

± reply.a_param[count++] = 27; ± reply.a_param[count++] = 1; /* North American */ ± if (screen->terminal_id >= 400) { ± reply.a_param[count++] = 0; /* ready */ ± reply.a_param[count++] = 0; /* LK201 */ ++ if (screen->terminal_id >= 200) { /* VT220 */ ++ reply.a_param[count++] = 27; ++ reply.a_param[count++] = 1; /* North American */ ++ if (screen->terminal_id >= 400) { ++ reply.a_param[count++] = 0; /* ready */ ++ reply.a_param[count++] = 0; /* LK201 */ ++ }

  •   }
    
  •   break;
    
  •   case 53:
    
  •   /\* Locator status \*/
    

++ if (screen->terminal_id >= 200) { /* VT220 */

  • #if OPT_DEC_LOCATOR ± reply.a_param[count++] = 50; /* locator ready */ ++ reply.a_param[count++] = 50; /* locator ready */
  • #else ± reply.a_param[count++] = 53; /* no locator */ ++ reply.a_param[count++] = 53; /* no locator */
  • #endif ++ } ++ break; ++ default:
  •   break;
    
  •   }
    

+@@ -5525,11 +5536,13 @@

  • init\_Bres(screen.meta\_sends\_esc);
    
  • init\_Bres(screen.allowSendEvent0);
    

++ init_Bres(screen.allowFontOp0);

  • init\_Bres(screen.allowTitleOp0);
    
  • init\_Bres(screen.allowWindowOp0);
    
  • /\* make a copy so that editres cannot change the resource after startup \*/
    
  • wnew->screen.allowSendEvents = wnew->screen.allowSendEvent0;
    

++ wnew->screen.allowFontOps = wnew->screen.allowFontOp0;

  • wnew->screen.allowTitleOps = wnew->screen.allowTitleOp0;
    
  • wnew->screen.allowWindowOps = wnew->screen.allowWindowOp0;
    

+Index: xterm/misc.c +=================================================================== ±-- xterm.orig/misc.c ++++ xterm/misc.c +@@ -2348,7 +2348,8 @@

  • break;
  • case 3:           /\* change X property \*/
    

± ChangeXprop(buf); ++ if (screen->allowWindowOps) ++ ChangeXprop(buf);

  • break;
  • #if OPT_ISO_COLORS
  • case 4:
    

+@@ -2401,7 +2402,9 @@

  • case 50:
    
  • #if OPT_SHIFT_FONTS ± if (buf != 0 && !strcmp(buf, “?”)) { ++ if (!screen->allowFontOps && xw->misc.shift_fonts) { ++ ; /* disabled via resource or control-sequence */ ++ } else if (buf != 0 && !strcmp(buf, “?”)) {
  •   int num = screen->menu\_font\_number;
    
  •   unparseputc1(xw, ANSI\_OSC);
    

+@@ -2472,7 +2475,7 @@

  • #if OPT_PASTE64
  • case 52:
    

± if (screen->allowWindowOps && (buf != 0)) ++ if (screen->allowWindowOps)

  •   ManipulateSelectionData(xw, screen, buf, final);
    
  • break;
  • #endif +@@ -2813,14 +2816,17 @@
  •   } else
    
  •   okay = False;
    

± unparseputc1(xw, ANSI_DCS); ± unparseputc(xw, okay ? ‘1’ : ‘0’); ± unparseputc(xw, ‘$’); ± unparseputc(xw, ‘r’); ± if (okay) ++ if (okay) { ++ unparseputc1(xw, ANSI_DCS); ++ unparseputc(xw, okay ? ‘1’ : ‘0’); ++ unparseputc(xw, ‘$’); ++ unparseputc(xw, ‘r’);

  •   cp = reply;
    

± unparseputs(xw, cp); ± unparseputc1(xw, ANSI_ST); ++ unparseputs(xw, cp); ++ unparseputc1(xw, ANSI_ST); ++ } else { ++ unparseputc(xw, ANSI_CAN); ++ }

  • } else {
  •   unparseputc(xw, ANSI\_CAN);
    
  • } +@@ -2892,16 +2898,18 @@
  • break;
  • #endif
  • default:
    

± parse_ansi_params(&params, &cp); ± switch (params.a_final) { ± case '|’: /* DECUDK */ ± if (params.a_param[0] == 0) ± reset_decudk(); ± parse_decudk(cp); ± break; ± case '{’: /* DECDLD (no ‘}’ case though) */ ± parse_decdld(&params, cp); ± break; ++ if (screen->terminal_id >= 200) { /* VT220 */ ++ parse_ansi_params(&params, &cp); ++ switch (params.a_final) { ++ case '|’: /* DECUDK */ ++ if (params.a_param[0] == 0) ++ reset_decudk(); ++ parse_decudk(cp); ++ break; ++ case '{’: /* DECDLD (no ‘}’ case though) */ ++ parse_decdld(&params, cp); ++ break; ++ }

  • }
  • break;
  • }
    

+Index: xterm/ptyx.h +=================================================================== ±-- xterm.orig/ptyx.h ++++ xterm/ptyx.h +@@ -1405,12 +1405,17 @@

  • Boolean bellOnReset; /* bellOnReset */
  • Boolean visualbell; /* visual bell mode */
  • Boolean poponbell; /* pop on bell mode */ ++ ++ Boolean allowFontOps; /* FontOps mode */
  • Boolean allowSendEvents;/* SendEvent mode */
  • Boolean allowTitleOps; /* TitleOps mode */
  • Boolean allowWindowOps; /* WindowOps mode */ ++ ++ Boolean allowFontOp0; /* initial FontOps mode */
  • Boolean allowSendEvent0;/* initial SendEvent mode */
  • Boolean allowTitleOp0; /* initial TitleOps mode */
  • Boolean allowWindowOp0; /* initial WindowOps mode */ ++
  • Boolean awaitInput; /* select-timeout mode */
  • Boolean grabbedKbd; /* keyboard is grabbed */
  • #ifdef ALLOWLOGGING +Index: xterm/xterm.h +=================================================================== ±-- xterm.orig/xterm.h ++++ xterm/xterm.h +@@ -331,6 +331,7 @@
  • /***====================================================================***/
  • #define XtNallowC1Printable “allowC1Printable” ++#define XtNallowFontOps “allowFontOps”
  • #define XtNallowSendEvents “allowSendEvents”
  • #define XtNallowTitleOps “allowTitleOps”
  • #define XtNallowWindowOps “allowWindowOps” +@@ -485,6 +486,7 @@
  • #define XtNxmcMoveSGR “xmcMoveSGR”
  • #define XtCAllowC1Printable “AllowC1Printable” ++#define XtCAllowFontOps “AllowFontOps”
  • #define XtCAllowSendEvents “AllowSendEvents”
  • #define XtCAllowTitleOps “AllowTitleOps”
  • #define XtCAllowWindowOps “AllowWindowOps” +Index: xterm/xterm.man +=================================================================== ±-- xterm.orig/xterm.man ++++ xterm/xterm.man +@@ -1439,6 +1439,10 @@
  • Although this corresponds to no particular standard,
  • some users insist it is a VT100.
  • The default is ``false.’’ ++.TP ++.B "allowFontOps (\fPclass\fB AllowFontOps)" ++Specifies whether control sequences that set/query the font should be allowed. ++The default is ``true.’’
  • .TP 8
  • .B "allowSendEvents (\fPclass\fB AllowSendEvents)"
  • Specifies whether or not synthetic key and button events (generated using diff --git a/debian/patches/903_windowops.diff b/debian/patches/903_windowops.diff new file mode 100644 index 0000000…e7d08ac — /dev/null +++ b/debian/patches/903_windowops.diff @@ -0,0 +1,26 @@ +Index: xterm/charproc.c +=================================================================== ±-- xterm.orig/charproc.c ++++ xterm/charproc.c +@@ -391,7 +391,7 @@
  • Bres(XtNallowSendEvents, XtCAllowSendEvents, screen.allowSendEvent0, False),
    
  • Bres(XtNallowFontOps, XtCAllowFontOps, screen.allowFontOp0, True),
    
  • Bres(XtNallowTitleOps, XtCAllowTitleOps, screen.allowTitleOp0, True),
    

± Bres(XtNallowWindowOps, XtCAllowWindowOps, screen.allowWindowOp0, True), ++ Bres(XtNallowWindowOps, XtCAllowWindowOps, screen.allowWindowOp0, False),

  • Bres(XtNaltIsNotMeta, XtCAltIsNotMeta, screen.alt\_is\_not\_meta, False),
    
  • Bres(XtNaltSendsEscape, XtCAltSendsEscape, screen.alt\_sends\_esc, False),
    
  • Bres(XtNalwaysBoldMode, XtCAlwaysBoldMode, screen.always\_bold\_mode, False),
    

+Index: xterm/xterm.man +=================================================================== ±-- xterm.orig/xterm.man ++++ xterm/xterm.man +@@ -1460,7 +1460,7 @@

  • .B "allowWindowOps (\fPclass\fB AllowWindowOps)"
  • Specifies whether extended window control sequences (as used in dtterm)
  • should be allowed. ±The default is ``true.’’ ++The default is ``false.’’
  • .TP 8
  • .B "altIsNotMeta (\fPclass\fB AltIsNotMeta\fP)"
  • If ``true’’, treat the Alt-key as if it were the Meta-key. diff --git a/debian/patches/904_fontops.diff b/debian/patches/904_fontops.diff new file mode 100644 index 0000000…909135f — /dev/null +++ b/debian/patches/904_fontops.diff @@ -0,0 +1,26 @@ +Index: xterm/charproc.c +=================================================================== ±-- xterm.orig/charproc.c ++++ xterm/charproc.c +@@ -389,7 +389,7 @@
  • static XtResource resources[] =
  • {
  • Bres(XtNallowSendEvents, XtCAllowSendEvents, screen.allowSendEvent0, False),
    

± Bres(XtNallowFontOps, XtCAllowFontOps, screen.allowFontOp0, True), ++ Bres(XtNallowFontOps, XtCAllowFontOps, screen.allowFontOp0, False),

  • Bres(XtNallowTitleOps, XtCAllowTitleOps, screen.allowTitleOp0, True),
    
  • Bres(XtNallowWindowOps, XtCAllowWindowOps, screen.allowWindowOp0, False),
    
  • Bres(XtNaltIsNotMeta, XtCAltIsNotMeta, screen.alt\_is\_not\_meta, False),
    

+Index: xterm/xterm.man +=================================================================== ±-- xterm.orig/xterm.man ++++ xterm/xterm.man +@@ -1442,7 +1442,7 @@

  • .TP
  • .B "allowFontOps (\fPclass\fB AllowFontOps)"
  • Specifies whether control sequences that set/query the font should be allowed. ±The default is ``true.’’ ++The default is ``false.’’
  • .TP 8
  • .B "allowSendEvents (\fPclass\fB AllowSendEvents)"
  • Specifies whether or not synthetic key and button events (generated using diff --git a/debian/patches/series b/debian/patches/series index d8267b7…0c62317 100644 — a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,6 @@ +000_backport_from_238.diff 900_debian_xterm.diff -p0 901_xterm_manpage.diff -p0 902_pointermode_never.diff -p0 +903_windowops.diff +904_fontops.diff

Bug marked as found in version 222-1. Request was from Julien Cristau [email protected] to [email protected]. (Sat, 03 Jan 2009 18:12:02 GMT) (full text, mbox, link).

Information forwarded to [email protected], Debian X Strike Force [email protected]:
Bug#510030; Package xterm. (Sat, 03 Jan 2009 18:15:02 GMT) (full text, mbox, link).

Acknowledgement sent to Florian Weimer [email protected]:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force [email protected]. (Sat, 03 Jan 2009 18:15:02 GMT) (full text, mbox, link).

Message #32 received at [email protected] (full text, mbox, reply):

* Julien Cristau:

I’m considering the below diff for lenny, please review and tell me whether this is ok for testing-security.

If I read the patch correctly, you change the compiled-in defaults. This is fine, but is somewhat different from allowWindowOps approach in etch (which shipped a configuration file). etch -> lenny updates should work as well and result in a conservative configuration choice.

For reference, I’ve attached the patch I plan to apply to the etch4 version, to reintroduce font shifting support for those who need it. If you think we need to backport more changes in #238, I’m open to that, too.

Index: git/ptyx.h

— git.orig/ptyx.h 2009-01-02 21:35:07.000000000 +0100 +++ git/ptyx.h 2009-01-02 21:35:23.000000000 +0100 @@ -1345,8 +1345,10 @@ Boolean bellOnReset; /* bellOnReset */ Boolean visualbell; /* visual bell mode */ Boolean poponbell; /* pop on bell mode */

  • Boolean allowFontOps; /* FontOps mode */ Boolean allowSendEvents;/* SendEvent mode */ Boolean allowWindowOps; /* WindowOps mode */
  • Boolean allowFontOps0; /* initial FontOps mode */ Boolean allowSendEvent0;/* initial SendEvent mode */ Boolean allowWindowOp0; /* initial WindowOps mode */ Boolean awaitInput; /* select-timeout mode */ Index: git/charproc.c =================================================================== — git.orig/charproc.c 2009-01-02 21:35:07.000000000 +0100 +++ git/charproc.c 2009-01-02 21:35:23.000000000 +0100 @@ -394,6 +394,7 @@

static XtResource resources[] = {

  • Bres(XtNallowFontOps, XtCAllowFontOps, screen.allowFontOps0, False), Bres(XtNallowSendEvents, XtCAllowSendEvents, screen.allowSendEvent0, False), Bres(XtNallowWindowOps, XtCAllowWindowOps, screen.allowWindowOp0, True), Bres(XtNalwaysHighlight, XtCAlwaysHighlight, screen.always_highlight, False), @@ -5524,10 +5525,12 @@ init_Bres(screen.meta_sends_esc);

    init_Bres(screen.allowSendEvent0);

  • init_Bres(screen.allowFontOps0); init_Bres(screen.allowWindowOp0);

    /* make a copy so that editres cannot change the resource after startup */ wnew->screen.allowSendEvents = wnew->screen.allowSendEvent0;

  • wnew->screen.allowFontOps = wnew->screen.allowFontOps0; wnew->screen.allowWindowOps = wnew->screen.allowWindowOp0;

#ifndef NO_ACTIVE_ICON Index: git/xterm.h =================================================================== — git.orig/xterm.h 2009-01-02 21:35:07.000000000 +0100 +++ git/xterm.h 2009-01-02 21:35:23.000000000 +0100 @@ -325,6 +325,7 @@ /***====================================================================***/

#define XtNallowC1Printable “allowC1Printable” +#define XtNallowFontOps “allowFontOps” #define XtNallowSendEvents “allowSendEvents” #define XtNallowWindowOps “allowWindowOps” #define XtNalwaysHighlight “alwaysHighlight” @@ -463,6 +464,7 @@ #define XtNxmcMoveSGR “xmcMoveSGR”

#define XtCAllowC1Printable “AllowC1Printable” +#define XtCAllowFontOps “AllowFontOps” #define XtCAllowSendEvents “AllowSendEvents” #define XtCAllowWindowOps “AllowWindowOps” #define XtCAlwaysHighlight “AlwaysHighlight” Index: git/xterm.man =================================================================== — git.orig/xterm.man 2009-01-02 21:35:23.000000000 +0100 +++ git/xterm.man 2009-01-02 21:35:23.000000000 +0100 @@ -1349,6 +1349,10 @@ Although this corresponds to no particular standard, some users insist it is a VT100. The default is ``false.’’ +.TP +.B "allowFontOps (\fPclass\fB AllowFontOps)" +Specifies whether control sequences that set/query the font should be allowed. +The default is ``false.’’ .TP 8 .B "allowSendEvents (\fPclass\fB AllowSendEvents)" Specifies whether or not synthetic key and button events (generated using Index: git/misc.c =================================================================== — git.orig/misc.c 2009-01-02 21:37:05.000000000 +0100 +++ git/misc.c 2009-01-02 21:37:15.000000000 +0100 @@ -1847,7 +1847,9 @@

 case 50:

#if OPT_SHIFT_FONTS

  • if (buf != 0 && !strcmp(buf, “?”)) {
  • if (!screen->allowFontOps && xw->misc.shift_fonts) {

  •   ;           /\* disabled via resource or control-sequence \*/
    
  • } else if (buf != 0 && !strcmp(buf, “?”)) { int num = screen->menu_font_number;

    unparseputc1(xw, OSC);
    

Reply sent to Florian Weimer [email protected]:
You have taken responsibility. (Sat, 03 Jan 2009 20:12:25 GMT) (full text, mbox, link).

Notification sent to Paul Szabo [email protected]:
Bug acknowledged by developer. (Sat, 03 Jan 2009 20:12:25 GMT) (full text, mbox, link).

Message #37 received at [email protected] (full text, mbox, reply):

Source: xterm Source-Version: 222-1etch3

We believe that the bug you reported is fixed in the latest version of xterm, which is due to be installed in the Debian FTP archive:

xterm_222-1etch3.diff.gz to pool/main/x/xterm/xterm_222-1etch3.diff.gz xterm_222-1etch3.dsc to pool/main/x/xterm/xterm_222-1etch3.dsc xterm_222-1etch3_amd64.deb to pool/main/x/xterm/xterm_222-1etch3_amd64.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software pp. Florian Weimer [email protected] (supplier of updated xterm package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Format: 1.7 Date: Mon, 29 Dec 2008 19:55:02 +0100 Source: xterm Binary: xterm Architecture: source amd64 Version: 222-1etch3 Distribution: stable-security Urgency: high Maintainer: Debian X Strike Force [email protected] Changed-By: Florian Weimer [email protected] Description: xterm - X terminal emulator Closes: 510030 Changes: xterm (222-1etch3) stable-security; urgency=high . * Apply patch from Paul Szabo to fix command injection through DECRQSS sequences (CVE-2008-2383). Closes: #510030. * Disable font shifting, X property changes and user-defined keys through escape sequences. * Update manpage to document that allowWindowOps is disabled. Files: 3bcc850fe7c9057e5d5d03617cc95195 1123 x11 optional xterm_222-1etch3.dsc bb77882a33083632a9c6c9de004a54fb 802986 x11 optional xterm_222.orig.tar.gz f1e11e4f4c85db1e2ffa67c5d132d2e6 61664 x11 optional xterm_222-1etch3.diff.gz 46ba9b4430c313464afeaa856d02f09a 416434 x11 optional xterm_222-1etch3_amd64.deb

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJJWR4ZAAoJEL97/wQC1SS+KRgH/iW0y9ELbX5gUQesaLPkm2CW tZkUbpUsLABkXS1oCaFMq5TM9S07s9axQwd2QJnhqAe8eyEHsHw3m4TYeJlstFU4 VRU6RhtxgFGWggerJ+offTf9tSHk2AMnGpImH9mupSnAK9V71/1lxnnt1Ho76wjg 3Wsg8RlYWn+4RP3QqOF09HaDrgbsYUqwk5cqFwI3cpNsy7NtqdLbL8W4qFib5l2v IngsmRObVJcprXJIQKe1egmcMUjoCJMHWXDWdARh7BhrpuYJw0aK6GUq1PVYzL+3 XlBw9eQ2Rfp1SQInSvZDDR3vaJNr+nTs3OObfImDXPOU+q7wHuR/6m0//0siHmA= =FO61 -----END PGP SIGNATURE-----

Reply sent to Julien Cristau [email protected]:
You have taken responsibility. (Mon, 05 Jan 2009 12:09:06 GMT) (full text, mbox, link).

Notification sent to Paul Szabo [email protected]:
Bug acknowledged by developer. (Mon, 05 Jan 2009 12:09:06 GMT) (full text, mbox, link).

Message #42 received at [email protected] (full text, mbox, reply):

Source: xterm Source-Version: 235-2

We believe that the bug you reported is fixed in the latest version of xterm, which is due to be installed in the Debian FTP archive:

xterm_235-2.diff.gz to pool/main/x/xterm/xterm_235-2.diff.gz xterm_235-2.dsc to pool/main/x/xterm/xterm_235-2.dsc xterm_235-2_i386.deb to pool/main/x/xterm/xterm_235-2_i386.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software pp. Julien Cristau [email protected] (supplier of updated xterm package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Format: 1.8 Date: Sun, 04 Jan 2009 15:18:16 +0100 Source: xterm Binary: xterm Architecture: source i386 Version: 235-2 Distribution: testing-security Urgency: high Maintainer: Debian X Strike Force [email protected] Changed-By: Julien Cristau [email protected] Description: xterm - X terminal emulator Closes: 510030 Changes: xterm (235-2) testing-security; urgency=high . * Backport changes from xterm 238: - make OSC 3 (change X property) subject to allowWindowOps resource - make VT220 DSR responses inactive in VT100-mode - make DECUDK feature inactive in VT100-mode - respond to incorrectly formatted DECRQSS with a cancel (CVE-2008-2383; closes: #510030) - add allowFontOps resource to allow the fontsize-switching and font query/set control sequences to be enabled/disabled * Additionally, change the default values for allowFontOps and allowWindowOps to false. Checksums-Sha1: 551c5738c2edd7862c663e0c22510c1e5c2352e5 1344 xterm_235-2.dsc 4d449a9e50e342e0b7a6deba9d713e6ba9323d1e 857714 xterm_235.orig.tar.gz e6005f418e6122e01bface73d3bfad03f677c73c 64638 xterm_235-2.diff.gz f381d42826974bd23d8f7bae4b6d1beb972d6eec 471456 xterm_235-2_i386.deb Checksums-Sha256: dea9f0458aeb907d98f2d4b1fcfa6a8ee8c44d795edb4d70943f7a7320113c33 1344 xterm_235-2.dsc c8a7ccb515b967a11dc2ac1061943cddbf0b6640de89f72590b1ff79e69a49cf 857714 xterm_235.orig.tar.gz 225f117619c4294b295d742fa60a8433ccaa9924f2d5b3e23284c1b9aff9c8fb 64638 xterm_235-2.diff.gz 0af69008cacf9b5e96b1ba93fb61ca12824e89c681148acb129a5d9b956ed22a 471456 xterm_235-2_i386.deb Files: 1cd51bceadfae07f71d2fea60cf59eca 1344 x11 optional xterm_235-2.dsc 5060cab9cef0ea09a24928f3c7fbde2b 857714 x11 optional xterm_235.orig.tar.gz 9dbeb11f892c79ad17f1c3c23367605a 64638 x11 optional xterm_235-2.diff.gz dfa965c1f29ab512c12c266c97bd3616 471456 x11 optional xterm_235-2_i386.deb

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklhLOMACgkQmEvTgKxfcAyeYgCdGJ9nmosx3CpHA7a7YOEYQ4UH Vi4AoNz+A/43/hTDVabEsIalKYc0NJ59 =Wbku -----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request [email protected] to [email protected]. (Tue, 10 Feb 2009 07:28:33 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <[email protected]>. Last modified: Wed Jul 26 02:31:08 2023; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Related news

CVE-2023-39726: ""?! ANSI Terminal security in 2023 and finding 10 CVEs

An issue in Mintty v.3.6.4 and before allows a remote attacker to execute arbitrary code via crafted commands to the terminal.

CVE-2022-23465: Attacker could modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malici

SwiftTerm is a Xterm/VT100 Terminal emulator. Prior to commit a94e6b24d24ce9680ad79884992e1dff8e150a31, an attacker could modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. Version a94e6b24d24ce9680ad79884992e1dff8e150a31 contains a patch for this issue. There are no known workarounds available.

CVE-2022-41138: arbitrary code execution via DECRQSS (like CVE-2008-2383)

In Zutty before 0.13, DECRQSS in text written to the terminal can achieve arbitrary code execution.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907