Report forwarded to debian-bugs-dist@lists.debian.org, debian-security@lists.debian.org, Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>: Bug#469296; Package rxvt.
Acknowledgement sent to "Bernhard R. Link" <brlink@debian.org>:
New Bug report received and forwarded. Copy sent to debian-security@lists.debian.org, Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>.
Subject: rxvt: [SECURITY] opens terminal on unspecified display
Date: Tue, 4 Mar 2008 14:30:38 +0100
Package: rxvt
Version: 1:2.6.4-12
Severity: grave
Tags: security
If the DISPLAY environment variable is not set, rxvt opens an xterm on :0,
which on some headless login server means anyone can set up a
fake X server waiting for someone logging in without X forwarding
to start rxvt by some mistake or by some program (thus without even
noticing) and get full shell access to that other account.
Respectfully,
Bernhard R. Link
Information forwarded to debian-bugs-dist@lists.debian.org, Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>: Bug#469296; Package rxvt.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>.
Hi,
I requested a CVE id for this.
Did you also test other terminal emulators?
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>: Bug#469296; Package rxvt.
Acknowledgement sent to Lubomir Kundrak <lkundrak@redhat.com>:
Extra info received and forwarded to list. Copy sent to Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>.
Wow, you really consider this a security issue? When a user makes a
mistake?
--
Lubomir Kundrak (Red Hat Security Response Team)
Information forwarded to debian-bugs-dist@lists.debian.org, Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>: Bug#469296; Package rxvt.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>.
Hi,
I don't think it's a user mistake if rxvt does not return a
message that DISPLAY is not set and uses a "random" one
instead.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug marked as found in version 1:2.6.4-10.
Request was from "Bernhard R. Link" <brlink@debian.org>
to control@bugs.debian.org.
(Thu, 06 Mar 2008 10:48:02 GMT)
Tags added: etch, lenny, sid
Request was from "Bernhard R. Link" <brlink@debian.org>
to control@bugs.debian.org.
(Thu, 06 Mar 2008 10:48:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>: Bug#469296; Package rxvt.
Acknowledgement sent to 469296@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>.
Subject: Re: rxvt: [SECURITY] opens terminal on unspecified display
Date: Thu, 6 Mar 2008 11:58:51 +0100
* Nico Golde <nion@debian.org> [080304 15:07]:
> Did you also test other terminal emulators?
No, I just stumbled over rxvt popping up in an unexpected place.
* Nico Golde <nion@debian.org> [080305 12:54]:
> I don't think its a user mistake if rxvt does not return a
> message that DISPLAY is not set and uses a "random" one
> instead.
I think a random one would be more harmless. This way it is
predictable, so any user (even daemon or nobody) can just open :0
and wait for connections as long as no :0 is already running.
Respectfully,
Bernhard R. Link
P.S.: you only wrote your mail to the bug, not to the submitter, so
I only accidentally saw it. (Now I have subscribed, so I will get them.)
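The two behaviours argued over in this thread, and the check an administrator of a headless login server would want, as an added example that is not rxvt's code and not part of the bug log. `choose_display` models the defect (an unset DISPLAY silently becomes ":0") beside the fixed behaviour (an unset DISPLAY is an error); `audit_x_sockets` walks an X11 socket directory such as /tmp/.X11-unix and reports which uid owns each ":N" socket, which is how one would notice a display squatted by `daemon`, `nobody` or another login user. The directory and socket used by `demo()` are constructed in a temporary directory so the script runs offline; the function names and the socket-directory layout `X<n>` are this example's assumptions.

```python
"""Model of Bug#469296 (silent fall back to display :0) and an X socket audit.

Added example, not rxvt's own code.  The display-selection logic models the
behaviour described in the bug report; the audit helper is the check an admin
of a headless login server would run.  Socket directory layout (files named
X<n> under the directory) is assumed from the conventional /tmp/.X11-unix.
"""
import os
import pwd
import socket
import stat
import tempfile


def choose_display(env, default_to_zero):
    """Return the X display a terminal emulator would connect to.

    default_to_zero=True models rxvt before the fix: an unset DISPLAY
    silently becomes ":0".  default_to_zero=False models the fixed
    behaviour: an unset or empty DISPLAY is an error and nothing is opened.
    """
    display = env.get("DISPLAY")
    if display:
        return display
    if default_to_zero:
        return ":0"
    raise RuntimeError("DISPLAY is not set; refusing to guess a display")


def audit_x_sockets(x11_dir):
    """List every ':N' socket in x11_dir with the user and uid that own it.

    Returns a list of (display, owner, uid) tuples.  On a server that should
    not run an X server at all, any entry is suspicious; an entry owned by
    daemon, nobody or another login user is the condition the bug report
    warns about, since every client that connects hands that user a window
    and its keystrokes.
    """
    findings = []
    if not os.path.isdir(x11_dir):
        return findings
    for name in sorted(os.listdir(x11_dir)):
        if not name.startswith("X") or not name[1:].isdigit():
            continue
        path = os.path.join(x11_dir, name)
        st = os.lstat(path)
        if not stat.S_ISSOCK(st.st_mode):
            continue
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            owner = str(st.st_uid)
        findings.append((":" + name[1:], owner, st.st_uid))
    return findings


def demo():
    """Stand-alone demonstration on a constructed socket directory.

    Binds a listening UNIX socket at <tmpdir>/X0, the way a fake X server
    would squat on display :0, runs the audit over that directory, and
    evaluates both display-selection behaviours with DISPLAY unset.
    Returns (findings, legacy_choice, fixed_outcome).
    """
    tmp = tempfile.mkdtemp(prefix="x11-audit-")
    sock_path = os.path.join(tmp, "X0")
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(sock_path)
    sock.listen(1)
    try:
        findings = audit_x_sockets(tmp)
        legacy = choose_display({}, default_to_zero=True)
        try:
            choose_display({}, default_to_zero=False)
            fixed = "opened"
        except RuntimeError as exc:
            fixed = "refused: " + str(exc)
    finally:
        sock.close()
        os.unlink(sock_path)
        os.rmdir(tmp)
    return findings, legacy, fixed


if __name__ == "__main__":
    found, legacy, fixed = demo()
    for display, owner, uid in found:
        print("display %s is owned by %s (uid %d)" % (display, owner, uid))
    print("DISPLAY unset, old behaviour: connects to %s" % legacy)
    print("DISPLAY unset, fixed behaviour: %s" % fixed)
```

Run the script as-is to see the squatted ":0" reported under the current uid; point `audit_x_sockets` at /tmp/.X11-unix on a real host to list who owns each display socket there.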
Information forwarded to debian-bugs-dist@lists.debian.org, Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>: Bug#469296; Package rxvt.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>.
Hi Bernhard,
* Bernhard R. Link <brlink@debian.org> [2008-03-06 12:13]:
> * Nico Golde <nion@debian.org> [080304 15:07]:
> * Nico Golde <nion@debian.org> [080305 12:54]:
> > I don't think its a user mistake if rxvt does not return a
> > message that DISPLAY is not set and uses a "random" one
> > instead.
>
> I think a random one would be more harmless. This way it is a
> predictable, so any user (even daemon or nobody) can just open :0
> and wait for connections as long as no :0 is already running.
Sorry if that was not clear, that's why I put the quotes
around the word random.
By the way, we are currently discussing[0] this issue on:
http://oss-security.openwall.org/wiki/mailinglists, if you
have time feel free to join the discussion.
> P.S: you only wrote your mail to the bug, not to the submitter, so
> I only accidentially saw it. (Now I subscribed, so I will get them).
Ah sorry, usually I hit group-reply; that happens with too many bugs to
cope with...
[0] http://marc.info/?t=120464358500002&r=1&w=2
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Severity set to `important' from `grave'
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org.
(Mon, 10 Mar 2008 15:00:22 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>: Bug#469296; Package rxvt.
Acknowledgement sent to "Bernhard R. Link" <brlink@debian.org>:
Extra info received and forwarded to list. Copy sent to Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>.
package rxvt
tag 469296 + patch
thanks
Attached is a patch for rxvt to not use :0 if unset, both in rxvt
and in rclock. (The latter is no security problem, but it is just annoying to
have to wait for an error message when it is not set.)
Respectfully,
Bernhard R. Link
Tags added: patch
Request was from "Bernhard R. Link" <brlink@debian.org>
to control@bugs.debian.org.
(Fri, 28 Mar 2008 12:42:03 GMT)
Tags added: pending
Request was from Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
to control@bugs.debian.org.
(Fri, 11 Apr 2008 00:36:04 GMT)
Reply sent to Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>:
You have taken responsibility.
Notification sent to "Bernhard R. Link" <brlink@debian.org>:
Bug acknowledged by developer.
From: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
To: 469296-close@bugs.debian.org
Subject: Bug#469296: fixed in rxvt 1:2.6.4-13
Date: Fri, 11 Apr 2008 17:03:16 +0000
Source: rxvt
Source-Version: 1:2.6.4-13
We believe that the bug you reported is fixed in the latest version of
rxvt, which is due to be installed in the Debian FTP archive:
rxvt-ml_2.6.4-13_sparc.deb
to pool/main/r/rxvt/rxvt-ml_2.6.4-13_sparc.deb
rxvt_2.6.4-13.diff.gz
to pool/main/r/rxvt/rxvt_2.6.4-13.diff.gz
rxvt_2.6.4-13.dsc
to pool/main/r/rxvt/rxvt_2.6.4-13.dsc
rxvt_2.6.4-13_sparc.deb
to pool/main/r/rxvt/rxvt_2.6.4-13_sparc.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 469296@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de> (supplier of updated rxvt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 11 Apr 2008 01:36:43 +0200
Source: rxvt
Binary: rxvt rxvt-ml
Architecture: source sparc
Version: 1:2.6.4-13
Distribution: unstable
Urgency: low
Maintainer: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
Changed-By: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
Description:
rxvt - VT102 terminal emulator for the X Window System
rxvt-ml - multi-lingual VT102 terminal emulator for the X Window System
Closes: 462512 469296
Changes:
rxvt (1:2.6.4-13) unstable; urgency=low
.
* Include a patch by Wolfgang Pietsch to make rclock's hour hand
move smoothly.
* Adjust the menu files to the new policy.
* Bump Standards version to 3.7.3.
* Fix NAME manpage sections to please mandb.
* Intersperse 'make clean' invocations between the builds of the
several build flavours. Closes: #462512.
* Do not silently default to display ":0" if DISPLAY is unset.
Closes: #469296.
* Add watch file.
Checksums-Sha1:
3f195d155a050503e6182efafdb96b057368bfe7 982 rxvt_2.6.4-13.dsc
ab23198ef0304a6dcd7bca3362877eb6e899f86b 25986 rxvt_2.6.4-13.diff.gz
babf4fbaad0457c4db02db09f7ba303fe9c391c1 217802 rxvt_2.6.4-13_sparc.deb
4e32c63cdf408bdaaf2d033d564d5acebcb5c0be 346818 rxvt-ml_2.6.4-13_sparc.deb
Checksums-Sha256:
537e54ec92d617cc9e9d07f3b9e56279e585f8163c773fce612b66d660d4dcc3 982 rxvt_2.6.4-13.dsc
d13a04cdc877ec12497eb689972210f98524e9ab59578a308a0e64a74b9c8c7e 25986 rxvt_2.6.4-13.diff.gz
90f65b8128bee472441e6d1ad9bfddb50eb3fcc0750d052f7a6b1b008ae7e6df 217802 rxvt_2.6.4-13_sparc.deb
a97a354a87b97ca83308c837957dec58c36d87a4d277fb357ec8a8144395132d 346818 rxvt-ml_2.6.4-13_sparc.deb
Files:
fcc92ad1bd9b15e9a3be92cab9e90c38 982 x11 optional rxvt_2.6.4-13.dsc
8ae1137e1704b45efed5d64eeb6d7040 25986 x11 optional rxvt_2.6.4-13.diff.gz
98b2acfad2c477463f9b7bf35149bed1 217802 x11 optional rxvt_2.6.4-13_sparc.deb
2ab09ff7ec7c32b3d529b85e4020f9c4 346818 x11 optional rxvt-ml_2.6.4-13_sparc.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFH/5f20fhX0Y/ocz0RAj+oAJ9+E+U4Z/2PBMMkHR5r1kc/NRw6KgCggFFP
T+hVdTEM7hNtYtz91XYDdEg=
=vSFS
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 14 May 2008 07:48:11 GMT)