Debian Bug report logs - #469296
rxvt: [SECURITY] opens terminal on unspecified display

version graph

Package: rxvt; Maintainer for rxvt is Ryan Kavanagh <rak@debian.org>; Source for rxvt is src:rxvt-unicode (PTS, buildd, popcon).

Reported by: "Bernhard R. Link" <brlink@debian.org>

Date: Tue, 4 Mar 2008 13:33:02 UTC

Severity: important

Tags: etch, lenny, patch, security, sid

Found in versions rxvt/1:2.6.4-12, rxvt/1:2.6.4-10

Fixed in version rxvt/1:2.6.4-13

Done: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>

Bug is archived. No further changes may be made.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, debian-security@lists.debian.org, Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>:
Bug#469296; Package rxvt. (full text, mbox, link).


Acknowledgement sent to "Bernhard R. Link" <brlink@debian.org>:
New Bug report received and forwarded. Copy sent to debian-security@lists.debian.org, Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Bernhard R. Link" <brlink@debian.org>
To: submit@bugs.debian.org
Subject: rxvt: [SECURITY] opens terminal on unspecified display
Date: Tue, 4 Mar 2008 14:30:38 +0100
Package: rxvt
Version: 1:2.6.4-12
Severity: grave
Tags: security

If the DISPLAY environment is not set, rxvt opens an xterm on :0,
which on some headless login-server means anyone can setup an
fake X server waiting for someone loggin in without X forwarding
to start rxvt by some mistake or by some program (thus without even
noticing) and getting full shell access to that other account.

Hochachtungsvoll,
	Bernhard R. Link




Information forwarded to debian-bugs-dist@lists.debian.org, Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>:
Bug#469296; Package rxvt. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>. (full text, mbox, link).


Message #10 received at 469296@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 469296@bugs.debian.org
Subject: Re: rxvt: [SECURITY] opens terminal on unspecified display
Date: Tue, 4 Mar 2008 16:07:23 +0100
[Message part 1 (text/plain, inline)]
Hi,
I requested a CVE id for this.
Did you also test other terminal emulators?

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>:
Bug#469296; Package rxvt. (full text, mbox, link).


Acknowledgement sent to Lubomir Kundrak <lkundrak@redhat.com>:
Extra info received and forwarded to list. Copy sent to Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>. (full text, mbox, link).


Message #15 received at 469296@bugs.debian.org (full text, mbox, reply):

From: Lubomir Kundrak <lkundrak@redhat.com>
To: 469296@bugs.debian.org
Date: Tue, 04 Mar 2008 22:22:24 +0100
Wow, you really consider is a security issue? When a user does a
mistake?
-- 
Lubomir Kundrak (Red Hat Security Response Team)





Information forwarded to debian-bugs-dist@lists.debian.org, Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>:
Bug#469296; Package rxvt. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>. (full text, mbox, link).


Message #20 received at 469296@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 469296@bugs.debian.org
Subject: Re: rxvt: [SECURITY] opens terminal on unspecified display
Date: Wed, 5 Mar 2008 12:54:18 +0100
[Message part 1 (text/plain, inline)]
Hi,
I don't think its a user mistake if rxvt does not return a
message that DISPLAY is not set and uses a "random" one
instead.
Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Bug marked as found in version 1:2.6.4-10. Request was from "Bernhard R. Link" <brlink@debian.org> to control@bugs.debian.org. (Thu, 06 Mar 2008 10:48:02 GMT) (full text, mbox, link).


Tags added: etch, lenny, sid Request was from "Bernhard R. Link" <brlink@debian.org> to control@bugs.debian.org. (Thu, 06 Mar 2008 10:48:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>:
Bug#469296; Package rxvt. (full text, mbox, link).


Acknowledgement sent to 469296@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>. (full text, mbox, link).


Message #29 received at 469296@bugs.debian.org (full text, mbox, reply):

From: "Bernhard R. Link" <brlink@debian.org>
To: Nico Golde <nion@debian.org>
Cc: 469296@bugs.debian.org
Subject: Re: rxvt: [SECURITY] opens terminal on unspecified display
Date: Thu, 6 Mar 2008 11:58:51 +0100
* Nico Golde <nion@debian.org> [080304 15:07]:
> Did you also test other terminal emulators?

No, I just stumbled over rxvt poping up on an unexpected place.

* Nico Golde <nion@debian.org> [080305 12:54]:
> I don't think its a user mistake if rxvt does not return a
> message that DISPLAY is not set and uses a "random" one
> instead.

I think a random one would be more harmless. This way it is a
predictable, so any user (even daemon or nobody) can just open :0
and wait for connections as long as no :0 is already running.

Hochachtungsvoll,
	Bernhard R. Link

P.S: you only wrote your mail to the bug, not to the submitter, so
I only accidentially saw it. (Now I subscribed, so I will get them).




Information forwarded to debian-bugs-dist@lists.debian.org, Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>:
Bug#469296; Package rxvt. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>. (full text, mbox, link).


Message #34 received at 469296@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 469296@bugs.debian.org
Subject: Re: rxvt: [SECURITY] opens terminal on unspecified display
Date: Thu, 6 Mar 2008 14:02:20 +0100
[Message part 1 (text/plain, inline)]
Hi Bernhard,
* Bernhard R. Link <brlink@debian.org> [2008-03-06 12:13]:
> * Nico Golde <nion@debian.org> [080304 15:07]:
> * Nico Golde <nion@debian.org> [080305 12:54]:
> > I don't think its a user mistake if rxvt does not return a
> > message that DISPLAY is not set and uses a "random" one
> > instead.
> 
> I think a random one would be more harmless. This way it is a
> predictable, so any user (even daemon or nobody) can just open :0
> and wait for connections as long as no :0 is already running.

Sorry if that was not clear, that's why I put the quotes 
around the word random.

By the way, we are currently discussing[0] this issue on:
http://oss-security.openwall.org/wiki/mailinglists, if you 
have time feel free to join the discussion.

> P.S: you only wrote your mail to the bug, not to the submitter, so
> I only accidentially saw it. (Now I subscribed, so I will get them).

Ah sorry, usually I hit group-reply, happens to many bugs to 
cope with...

[0] http://marc.info/?t=120464358500002&r=1&w=2

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Severity set to `important' from `grave' Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 10 Mar 2008 15:00:22 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>:
Bug#469296; Package rxvt. (full text, mbox, link).


Acknowledgement sent to "Bernhard R. Link" <brlink@debian.org>:
Extra info received and forwarded to list. Copy sent to Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>. (full text, mbox, link).


Message #41 received at 469296@bugs.debian.org (full text, mbox, reply):

From: "Bernhard R. Link" <brlink@debian.org>
To: 469296@bugs.debian.org
Subject: patch to make rxvt not use :0 without being told so
Date: Fri, 28 Mar 2008 13:39:29 +0100
[Message part 1 (text/plain, inline)]
package rxvt
tag 469296 + patch
thanks

Attached is a patch for rxvt to not use :0 if unset both in rxvt
and in rclock. (The last is no security problem, but just annoying to
have to wait for an error message when it is not set).

Hochachtungsvoll,
	Bernhard R. Link
[diff (text/plain, attachment)]

Tags added: patch Request was from "Bernhard R. Link" <brlink@debian.org> to control@bugs.debian.org. (Fri, 28 Mar 2008 12:42:03 GMT) (full text, mbox, link).


Tags added: pending Request was from Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de> to control@bugs.debian.org. (Fri, 11 Apr 2008 00:36:04 GMT) (full text, mbox, link).


Reply sent to Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>:
You have taken responsibility. (full text, mbox, link).


Notification sent to "Bernhard R. Link" <brlink@debian.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #50 received at 469296-close@bugs.debian.org (full text, mbox, reply):

From: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
To: 469296-close@bugs.debian.org
Subject: Bug#469296: fixed in rxvt 1:2.6.4-13
Date: Fri, 11 Apr 2008 17:03:16 +0000
Source: rxvt
Source-Version: 1:2.6.4-13

We believe that the bug you reported is fixed in the latest version of
rxvt, which is due to be installed in the Debian FTP archive:

rxvt-ml_2.6.4-13_sparc.deb
  to pool/main/r/rxvt/rxvt-ml_2.6.4-13_sparc.deb
rxvt_2.6.4-13.diff.gz
  to pool/main/r/rxvt/rxvt_2.6.4-13.diff.gz
rxvt_2.6.4-13.dsc
  to pool/main/r/rxvt/rxvt_2.6.4-13.dsc
rxvt_2.6.4-13_sparc.deb
  to pool/main/r/rxvt/rxvt_2.6.4-13_sparc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 469296@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de> (supplier of updated rxvt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 11 Apr 2008 01:36:43 +0200
Source: rxvt
Binary: rxvt rxvt-ml
Architecture: source sparc
Version: 1:2.6.4-13
Distribution: unstable
Urgency: low
Maintainer: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
Changed-By: Jan Christoph Nordholz <hesso@pool.math.tu-berlin.de>
Description: 
 rxvt       - VT102 terminal emulator for the X Window System
 rxvt-ml    - multi-lingual VT102 terminal emulator for the X Window System
Closes: 462512 469296
Changes: 
 rxvt (1:2.6.4-13) unstable; urgency=low
 .
   * Include a patch by Wolfgang Pietsch to make rclock's hour hand
     move smoothly.
   * Adjust the menu files to the new policy.
   * Bump Standards version to 3.7.3.
   * Fix NAME manpage sections to please mandb.
   * Intersperse 'make clean' invocations between the builds of the
     several build flavours. Closes: #462512.
   * Do not silently default to display ":0" if DISPLAY is unset.
     Closes: #469296.
   * Add watch file.
Checksums-Sha1: 
 3f195d155a050503e6182efafdb96b057368bfe7 982 rxvt_2.6.4-13.dsc
 ab23198ef0304a6dcd7bca3362877eb6e899f86b 25986 rxvt_2.6.4-13.diff.gz
 babf4fbaad0457c4db02db09f7ba303fe9c391c1 217802 rxvt_2.6.4-13_sparc.deb
 4e32c63cdf408bdaaf2d033d564d5acebcb5c0be 346818 rxvt-ml_2.6.4-13_sparc.deb
Checksums-Sha256: 
 537e54ec92d617cc9e9d07f3b9e56279e585f8163c773fce612b66d660d4dcc3 982 rxvt_2.6.4-13.dsc
 d13a04cdc877ec12497eb689972210f98524e9ab59578a308a0e64a74b9c8c7e 25986 rxvt_2.6.4-13.diff.gz
 90f65b8128bee472441e6d1ad9bfddb50eb3fcc0750d052f7a6b1b008ae7e6df 217802 rxvt_2.6.4-13_sparc.deb
 a97a354a87b97ca83308c837957dec58c36d87a4d277fb357ec8a8144395132d 346818 rxvt-ml_2.6.4-13_sparc.deb
Files: 
 fcc92ad1bd9b15e9a3be92cab9e90c38 982 x11 optional rxvt_2.6.4-13.dsc
 8ae1137e1704b45efed5d64eeb6d7040 25986 x11 optional rxvt_2.6.4-13.diff.gz
 98b2acfad2c477463f9b7bf35149bed1 217802 x11 optional rxvt_2.6.4-13_sparc.deb
 2ab09ff7ec7c32b3d529b85e4020f9c4 346818 x11 optional rxvt-ml_2.6.4-13_sparc.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH/5f20fhX0Y/ocz0RAj+oAJ9+E+U4Z/2PBMMkHR5r1kc/NRw6KgCggFFP
T+hVdTEM7hNtYtz91XYDdEg=
=vSFS
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 14 May 2008 07:48:11 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 06:43:24 2025; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.