Debian Bug report logs - #384593
xterm: allowWindowOps should be disabled by default


Package: xterm; Maintainer for xterm is Debian X Strike Force <debian-x@lists.debian.org>; Source for xterm is src:xterm.

Reported by: Samuel Thibault <samuel.thibault@ens-lyon.org>

Date: Fri, 25 Aug 2006 10:18:12 UTC

Severity: grave

Tags: fixed, fixed-upstream, patch, security

Found in version xterm/210-3

Fixed in version 210-3.1

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#384593; Package xterm.

Acknowledgement sent to Samuel Thibault <samuel.thibault@ens-lyon.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian X Strike Force <debian-x@lists.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Samuel Thibault <samuel.thibault@ens-lyon.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xterm: allowWindowOps should be disabled by default
Date: Fri, 25 Aug 2006 12:04:10 +0200
Package: xterm
Version: 210-3
Severity: grave
Tags: security patch
Justification: user security hole

Hi,

There are some concerns with the window operations that XTerm
emulates. CSI 21t (report window title) in particular, because since OSC
0/1/2 ST let you decide the window title, one can decide what CSI 21t
returns, which might then be read by the user's shell as a command to
execute.  The "xterm-security" attached file is an example of how this
might be exploited: just "cat" it from any shell running in uxterm or
xterm, ls gets executed.

I know, "people should be capable of using a pager to view log-files."
But people are not necessarily aware that displaying a mere file in a
terminal might have such a nefarious effect.  So I'm wondering whether it
might be preferable to disable allowWindowOps by default (the proposed
patch does this), or at least add a new resource (disabled by default)
for selectively enabling CSI 21t if the user really wants it.

Another possibility would be to disable \n in titles that are accepted,
but that doesn't prevent other possible attacks.

Note: among other x terminal emulators, I haven't found any other that
implements CSI 21t, so only xterm seems to need patching.

Samuel

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)

Versions of packages xterm depends on:
ii  libc6                         2.3.6-15   GNU C Library: Shared libraries
ii  libfontconfig1                2.3.2-7    generic font configuration library
ii  libice6                       1:1.0.0-3  X11 Inter-Client Exchange library
ii  libncurses5                   5.5-2      Shared libraries for terminal hand
ii  libsm6                        1:1.0.0-4  X11 Session Management library
ii  libx11-6                      2:1.0.0-8  X11 client-side library
ii  libxaw7                       1:1.0.1-5  X11 Athena Widget library
ii  libxext6                      1:1.0.0-4  X11 miscellaneous extension librar
ii  libxft2                       2.1.8.2-8  FreeType-based font drawing librar
ii  libxmu6                       1:1.0.1-3  X11 miscellaneous utility library
ii  libxt6                        1:1.0.0-5  X11 toolkit intrinsics library
ii  xbitmaps                      1.0.1-2    Base X bitmaps

Versions of packages xterm recommends:
ii  xutils                        1:7.1.ds-1 X Window System utility programs

-- no debconf information

-- 
Samuel Thibault <samuel.thibault@ens-lyon.org>
What's this script do?
    unzip ; touch ; finger ; mount ; gasp ; yes ; umount ; sleep
Hint for the answer: not everything is computer-oriented. Sometimes you're
in a sleeping bag, camping out.
(Contributed by Frans van der Zande.)
[patch (text/plain, attachment)]
[xterm-security (application/octet-stream, attachment)]
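The title-set / title-query interaction described in the report, seen from the defender's side as an added example (this is not the attached xterm-security file, the attached patch, or any xterm code): a small Python filter that locates OSC 0/1/2 title-sets and CSI 21t title-queries in data about to be written to a terminal, strips non-printing characters from titles (an approximation of what the thread says the upstream #218 fix did; assumed here), and drops the queries outright, which is the effect `allowWindowOps: false` has inside the terminal. The sample input is constructed for the example.

```python
import re

ESC = "\x1b"
BEL = "\x07"

# OSC Ps ; Pt terminated by BEL or ST (ESC \); Ps = 0/1/2 set icon name and/or title.
OSC_TITLE = re.compile(r"\x1b\](?P<ps>[012]);(?P<title>[^\x07\x1b]*)(?:\x07|\x1b\\)")
# CSI 21 t asks the terminal to report its title; the reply arrives on stdin
# as if the user had typed it, which is the problem the bug report describes.
CSI_21T = re.compile(r"\x1b\[21t")


def sanitize_title(title):
    """Drop C0 control characters and DEL from a title so that a reported
    title can never contain a line terminator (approximation of #218)."""
    return "".join(ch for ch in title if ch >= " " and ch != "\x7f")


def find_window_ops(data):
    """Return (offset, kind, payload) for every title-set and title-query."""
    found = []
    for m in OSC_TITLE.finditer(data):
        found.append((m.start(), "OSC %s title-set" % m.group("ps"), m.group("title")))
    for m in CSI_21T.finditer(data):
        found.append((m.start(), "CSI 21t title-query", ""))
    return sorted(found)


def neutralize(data):
    """Remove title queries entirely (what allowWindowOps: false achieves in
    the terminal) and keep title-sets, but with sanitized title text."""
    data = CSI_21T.sub("", data)
    return OSC_TITLE.sub(
        lambda m: ESC + "]" + m.group("ps") + ";" + sanitize_title(m.group("title")) + BEL,
        data,
    )


# Constructed sample: a title-set whose title embeds a newline, then a title query.
SAMPLE = "normal line\n" + ESC + "]2;hello\nworld" + BEL + "more text " + ESC + "[21t\n"

if __name__ == "__main__":
    for offset, kind, payload in find_window_ops(SAMPLE):
        print(offset, kind, repr(payload))
    print(repr(neutralize(SAMPLE)))
```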

Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#384593; Package xterm.

Acknowledgement sent to Samuel Thibault <samuel.thibault@ens-lyon.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>.

Message #10 received at 384593@bugs.debian.org:

From: Samuel Thibault <samuel.thibault@ens-lyon.org>
To: 384593@bugs.debian.org, control@bugs.debian.org
Subject: xterm: allowWindowOps should be disabled by default
Date: Tue, 5 Sep 2006 11:37:16 +0200
tags 384593 + fixed-upstream
thanks

This got fixed upstream in version 218.

Samuel



Tags added: fixed-upstream. Request was from Samuel Thibault <samuel.thibault@ens-lyon.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#384593; Package xterm.

Acknowledgement sent to Thomas Dickey <dickey@radix.net>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>.

Message #17 received at 384593@bugs.debian.org:

From: Thomas Dickey <dickey@radix.net>
To: Samuel Thibault <samuel.thibault@ens-lyon.org>, 384593@bugs.debian.org
Subject: Re: Bug#384593: xterm: allowWindowOps should be disabled by default
Date: Tue, 5 Sep 2006 07:07:44 -0400
On Tue, Sep 05, 2006 at 12:00:14PM +0200, Samuel Thibault wrote:
> tags 384593 + fixed-upstream
> thanks
> 
> This got fixed upstream in version 218.

hmm - no.  I implied that you should get the Debian package changed.

Current upstream is #219, btw.

-- 
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net

Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#384593; Package xterm.

Acknowledgement sent to Thomas Dickey <dickey@radix.net>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>.

Message #22 received at 384593@bugs.debian.org:

From: Thomas Dickey <dickey@radix.net>
To: Samuel Thibault <samuel.thibault@ens-lyon.org>, 384593@bugs.debian.org
Subject: Re: Bug#384593: xterm: allowWindowOps should be disabled by default
Date: Tue, 5 Sep 2006 07:12:51 -0400
On Tue, Sep 05, 2006 at 12:00:14PM +0200, Samuel Thibault wrote:
> tags 384593 + fixed-upstream
> thanks
> 
> This got fixed upstream in version 218.

The #218 fix wasn't for the app-defaults setting, but to fix the bug that
you reported with regard to non-printing characters.

While testing this, I did notice that not all of the terminal emulators
in Debian had eliminated the title-response string which is addressed by
the allowWindowOps resource.  I'm reluctant to change the default resource
value since (without a solid policy enforced for _all_ terminal emulators),
it only would add to the bug reports that I have to deal with.

-- 
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net

Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#384593; Package xterm.

Acknowledgement sent to Samuel Thibault <samuel.thibault@ens-lyon.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>.

Message #27 received at 384593@bugs.debian.org:

From: Samuel Thibault <samuel.thibault@ens-lyon.org>
To: Thomas Dickey <dickey@radix.net>
Cc: 384593@bugs.debian.org
Subject: Re: Bug#384593: xterm: allowWindowOps should be disabled by default
Date: Tue, 5 Sep 2006 13:45:39 +0200
Thomas Dickey, on Tue 05 Sep 2006 07:12:51 -0400, wrote:
> On Tue, Sep 05, 2006 at 12:00:14PM +0200, Samuel Thibault wrote:
> > tags 384593 + fixed-upstream
> > thanks
> > 
> > This got fixed upstream in version 218.
> 
> The #218 fix wasn't for the app-defaults setting, but to fix the bug that
> you reported with regard to non-printing characters.

Yes, and this fixes the eventual security issue that I raised.

> While testing this, I did notice that not all of the terminal emulators
> in Debian had eliminated the title-response string which is addressed by
> the allowWindowOps resource.

Oh? I tested a lot of them, and couldn't find any that provides it.

Samuel



Tags added: fixed. Request was from Christoph Berg <myon@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#384593; Package xterm.

Message #32 received at 384593@bugs.debian.org:

From: Christoph Berg <myon@debian.org>
To: 384593@bugs.debian.org
Subject: Re: Fixed in NMU of xterm 210-3.1
Date: Fri, 15 Sep 2006 20:00:50 +0200
Here's the patch for the NMU:

debdiff xterm_210-3.dsc xterm_210-3.1.dsc
 xterm-210/debian/patches/series      |    1 +
 xterm-210/debian/changelog           |    8 ++++++++
 debian/patches/902_disallowWindowOps |   10 ++++++++++
 3 files changed, 19 insertions(+)

diff -u xterm-210/debian/patches/series xterm-210/debian/patches/series
--- xterm-210/debian/patches/series
+++ xterm-210/debian/patches/series
@@ -2,0 +3 @@
+902_disallowWindowOps
diff -u xterm-210/debian/changelog xterm-210/debian/changelog
--- xterm-210/debian/changelog
+++ xterm-210/debian/changelog
@@ -1,3 +1,11 @@
+xterm (210-3.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Apply patch by Samuel Thibault to disable allowWindowOps in XTerm.ad
+    (Closes: #384593).
+
+ -- Christoph Berg <myon@debian.org>  Fri, 15 Sep 2006 16:18:06 +0200
+
 xterm (210-3) unstable; urgency=low
 
   * Depend on xbitmaps rather than xlibs-data.
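Review bot: the changelog entry names the resource but not the user-visible effect; since `*allowWindowOps: false` switches off the whole family of window-manipulation sequences and not only the CSI 21t title report, add a debian/NEWS entry (or a second changelog line) telling users who rely on those sequences that they can restore them with `XTerm*allowWindowOps: true` in their own resources, and note that this is a security fix for the title-report issue in #384593.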
only in patch2:
unchanged:
--- xterm-210.orig/debian/patches/902_disallowWindowOps
+++ xterm-210/debian/patches/902_disallowWindowOps
@@ -0,0 +1,10 @@
+Index: xterm-210/XTerm.ad
+===================================================================
+--- xterm-210.orig/XTerm.ad	2006-09-15 16:17:12.000000000 +0200
++++ xterm-210/XTerm.ad	2006-09-15 16:17:19.000000000 +0200
+@@ -190,3 +190,5 @@
+ !
+ ! Alternatively,
+ !*on2Clicks: regex [[:alpha:]]+://([[:alnum:]!#+,./=?@~-]|(%[[:xdigit:]][[:xdigit:]]))+
++
++*allowWindowOps: false
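Review bot: the quilt patch has no description above the `Index:` line; add a short header stating that it sets allowWindowOps to false as a security default and references #384593, so the intent survives the next upstream merge. Also confirm that uxterm, which the original report names alongside xterm, actually inherits this line: only XTerm.ad is touched here, so the UXTerm resource class must pick up XTerm's defaults or needs the same `*allowWindowOps: false` entry.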

Christoph
-- 
cb@df7cb.de | http://www.df7cb.de/

Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#384593; Package xterm.

Acknowledgement sent to David Madore <david.madore@ens.fr>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>.

Message #37 received at 384593@bugs.debian.org:

From: David Madore <david.madore@ens.fr>
To: 384593@bugs.debian.org
Subject: Re: xterm: allowWindowOps should be disabled by default
Date: Sun, 24 Sep 2006 08:31:55 +0200
On Fri, Aug 25, 2006 at 12:04:10PM +0200, Samuel Thibault wrote:
> There are some concerns with the window operations that XTerm
> emulates. CSI 21t (report window title) in particular, because since OSC
> 0/1/2 ST let you decide the window title, one can decide what CSI 21t
> returns, which might then be read by the user's shell as a command to
> execute.  The "xterm-security" attached file is an example of how this
> might be exploited: just "cat" it from any shell running in uxterm or
> xterm, ls gets executed.

Incidentally, I believe this is (or was) a regression: something like
ten years ago, I went through all xterm sequences to see if some could
be exploited in the way you describe, and I came to the conclusion, at
the time, that the window title channel was not exploitable (probably
because xterm sanitized the contents in some way), so I'm surprised to
find this creeping up now.  But maybe it was a different race of xterm
(like, Solaris OpenWindows, pre-X11R6), and I'm a little lost in the
pedigree of this program.  Maybe my memory serves me badly: I also
seem to recall that one potentially exploitable functionality of xterm
was some way of redefining keys to arbitrary character sequences -
apparently either this is now gone or perhaps I dreamed the whole
thing up.

Sorry for ranting. :-)

-- 
     David A. Madore
    (david.madore@ens.fr,
     http://www.madore.org/~david/ )



Bug marked as fixed in version 210-3.1, send any further explanations to Samuel Thibault <samuel.thibault@ens-lyon.org>. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Message sent on to Samuel Thibault <samuel.thibault@ens-lyon.org>:
Bug#384593.

Message #42 received at 384593-submitter@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
Subject: Bugs fixed in NMU, documenting versions
Date: Sun, 22 Oct 2006 01:59:27 -0700
# Hi folks,
#
# All of these bugs have been fixed in NMU, but not acknowledged by the
# maintainers.  With version tracking in the Debian BTS, it is important to
# know which version of a package fixes each bug so that they can be tracked
# for release status in the BTS, so I'm closing these bugs with the relevant
# version number information now.

close 380056 0.4.2-3.2
close 380123 1.1.3-5.3
close 380147 0.4.14-1.1
close 380466 0.3.9-1.1
close 380581 0.3.7-1.1
close 380589 1:1.0.0-rel-3.1
close 380723 0.0.43-0.3
close 380728 0.3.2-7.1
close 380801 3.0.3-3.1
close 380872 0.4-1.1
close 380915 0.8-1.1
close 380993 2.4.0-3.1
close 381005 1:1.0-3.1
close 381068 0.4.7-1.1
close 381110 2.6.3.2.1.2
close 381225 1:1.0.1-4.1
close 381338 2.3.4-3.1
close 381390 2.1.1-5.2
close 381452 21.4a-6.2
close 381456 0.3.4.cvs.20050813-2.2
close 381624 3.6.13-3.6
close 381646 7.4-3.1
close 381816 6.2.10-4.1
close 382096 1.3.29-2.1
close 382114 1:1.2.4.1-6.1
close 382131 1.9.6-3.1
close 382214 0.4.7-1.1
close 382260 1.13-1.1
close 382400 0.87.5-2
close 382491 0.2.1-1.1
close 382512 1.0.0-9.2
close 382642 2.2.3-1.1
close 382769 0.2.12-1.2
close 382783 1.0.57-2.3
close 382807 0.5.4-0.1
close 382867 0.10-1.1
close 382951 2.6.3.2.1.5
close 382958 1.0.5-1.1
close 383175 0.1.8.1-3.1
close 383314 7:6.2.4.5.dfsg1-0.10
close 383426 4.0.6-2.1
close 383565 0.1.6.9-1.1
close 383569 0.95-2.1
close 383616 1.0.5-1.1
close 383823 2.2.0-2.1
close 384057 6.5.0.cvs.20060524-1.1
close 384081 1:5.22-1.1
close 384223 0.80+dfsg-1
close 384282 6.5.0.cvs.20060524-1.1
close 384356 0.9.10-3.1
close 384358 0.88-3.1
close 384489 0.4.2-7.1
close 384507 0.4.20-12.1
close 384566 0.13-3.3
close 384593 210-3.1
close 384725 2.8.5-2sarge1.2
close 384750 0.9.2+cvs.1.0.dev.2004.07.28-4.1
close 384756 0.15.0-1.1
close 384772 0.9.6-1.1
close 384825 0.0.43-0.4
close 384937 0.03-1.1
close 384995 0.5-1.1
close 385062 7:6.2.4.5.dfsg1-0.10
close 385080 1.3.29-2.1
close 385177 1.1.3-1.2
close 385378 0.33.3-1.1
close 385643 0.07-1.1
close 385696 2.5.3-4.1
close 385800 3.4.2-1.1
close 385819 0.6.6-6.1
close 385820 0.6.6-4.1
close 385827 3.5-9.1
close 385828 1.3.2-3.3
close 385829 1.4.3-17.2
close 385830 0.5-8.1
close 385831 2.0.9-1.2
close 385835 3.0.9-2.1
close 385837 0.3-5.2
close 385839 2.3.0-1
close 385841 1.1pre14-2.1
close 385943 2.8.5-1.1
thanks

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 04:46:54 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 22:58:38 2014; Machine Name: beach.debian.org
