Debian Bug report logs - #691642
xterm: outputting the mc5 sequence (prtr_on / turn on printer) makes xterm crash

version graph

Package: xterm; Maintainer for xterm is Debian X Strike Force <debian-x@lists.debian.org>; Source for xterm is src:xterm.

Reported by: Vincent Lefevre <vincent@vinc17.net>

Date: Sat, 27 Oct 2012 22:09:01 UTC

Severity: normal

Tags: fixed-upstream

Found in version xterm/278-2

Fixed in version xterm/287-1

Done: Julien Cristau <jcristau@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#691642; Package xterm. (Sat, 27 Oct 2012 22:09:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Vincent Lefevre <vincent@vinc17.net>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian X Strike Force <debian-x@lists.debian.org>. (Sat, 27 Oct 2012 22:09:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Vincent Lefevre <vincent@vinc17.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xterm: outputting the mc5 sequence (prtr_on / turn on printer) makes xterm crash
Date: Sun, 28 Oct 2012 00:07:04 +0200
Package: xterm
Version: 278-2
Severity: grave
Tags: security
Justification: causes non-serious data loss

When cat'ing some binary file, my xterm crashed. I've managed to find
the cause: the mc5 terminfo sequence (prtr_on / turn on printer). The
problem can be reproduced with:

1. Run xterm from another terminal.
2. Run the following command:
     printf "\033[5i"
   or
     tput mc5
   The message "sh: 1: : Permission denied" appears in the first
   terminal.
3. Type [Enter]. This terminates xterm with the exit code 13.

I have the following X resource:

  *printerCommand: ""

The xterm(1) man page says:

  printerCommand (class PrinterCommand)
    Specifies  a shell command to which xterm will open a pipe when
    the first MC (Media Copy) command is initiated.  The default is
    an  empty  string, i.e., “”.  If the resource value is given as
    an empty string, the printer is disabled.

So, it doesn't behave correctly with the empty string!

In addition to possible data loss due to the crash, this is a security
problem, because the sequence may appear in a remote file.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.5-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages xterm depends on:
ii  libc6           2.13-36
ii  libfontconfig1  2.9.0-7
ii  libice6         2:1.0.8-2
ii  libtinfo5       5.9-10
ii  libutempter0    1.1.5-4
ii  libx11-6        2:1.5.0-1
ii  libxaw7         2:1.0.10-2
ii  libxft2         2.3.1-1
ii  libxmu6         2:1.1.1-1
ii  libxt6          1:1.1.3-1
ii  xbitmaps        1.1.1-2

Versions of packages xterm recommends:
ii  x11-utils  7.7~1

Versions of packages xterm suggests:
pn  xfonts-cyrillic  <none>

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#691642; Package xterm. (Sat, 27 Oct 2012 22:39:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to dickey@his.com:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. (Sat, 27 Oct 2012 22:39:09 GMT) Full text and rfc822 format available.

Message #10 received at 691642@bugs.debian.org (full text, mbox):

From: Thomas Dickey <dickey@his.com>
To: Vincent Lefevre <vincent@vinc17.net>, 691642@bugs.debian.org
Cc: 691642-submitter@bugs.debian.org
Subject: Re: Bug#691642: xterm: outputting the mc5 sequence (prtr_on / turn on printer) makes xterm crash
Date: Sat, 27 Oct 2012 18:34:11 -0400
[Message part 1 (text/plain, inline)]
On Sun, Oct 28, 2012 at 12:07:04AM +0200, Vincent Lefevre wrote:
> Package: xterm
> Version: 278-2
> Severity: grave
> Tags: security
> Justification: causes non-serious data loss
...

> I have the following X resource:
> 
>   *printerCommand: ""
> 
> The xterm(1) man page says:
> 
>   printerCommand (class PrinterCommand)
>     Specifies  a shell command to which xterm will open a pipe when
>     the first MC (Media Copy) command is initiated.  The default is
>     an  empty  string, i.e., ??????.  If the resource value is given as
>     an empty string, the printer is disabled.
> 
> So, it doesn't behave correctly with the empty string!

The documentation is correct; there is an error in your report.
The rules for X resource syntax are different from your expectation.
This is an empty string:

*printerCommand:

This is the two double-quote characters (literally):

*printerCommand: ""

-- 
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net
[signature.asc (application/pgp-signature, inline)]

Message sent on to Vincent Lefevre <vincent@vinc17.net>:
Bug#691642. (Sat, 27 Oct 2012 22:39:13 GMT) Full text and rfc822 format available.

Information stored :
Bug#691642; Package xterm. (Sat, 27 Oct 2012 23:24:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Vincent Lefevre <vincent@vinc17.net>:
Extra info received and filed, but not forwarded. (Sat, 27 Oct 2012 23:24:10 GMT) Full text and rfc822 format available.

Message #18 received at 691642-quiet@bugs.debian.org (full text, mbox):

From: Vincent Lefevre <vincent@vinc17.net>
To: dickey@his.com, 691642-quiet@bugs.debian.org
Subject: Re: Bug#691642: xterm: outputting the mc5 sequence (prtr_on / turn on printer) makes xterm crash
Date: Sun, 28 Oct 2012 01:21:39 +0200
On 2012-10-27 18:34:11 -0400, Thomas Dickey wrote:
> The documentation is correct; there is an error in your report.
> The rules for X resource syntax are different from your expectation.
> This is an empty string:
> 
> *printerCommand:
> 
> This is the two double-quote characters (literally):
> 
> *printerCommand: ""

It is a bit strange because the " is a special character:

$ echo '*printerCommand: "' | xrdb -merge
<stdin>:1:18: warning: missing terminating " character [enabled by default]

Now, concerning the bug, with the empty string, there are indeed
no effects. But I don't think that xterm should terminate when
there is a problem with the printer command.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Information stored :
Bug#691642; Package xterm. (Sat, 27 Oct 2012 23:33:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to dickey@his.com:
Extra info received and filed, but not forwarded. (Sat, 27 Oct 2012 23:33:11 GMT) Full text and rfc822 format available.

Message #23 received at 691642-quiet@bugs.debian.org (full text, mbox):

From: Thomas Dickey <dickey@his.com>
To: Vincent Lefevre <vincent@vinc17.net>
Cc: dickey@his.com, 691642-quiet@bugs.debian.org
Subject: Re: Bug#691642: xterm: outputting the mc5 sequence (prtr_on / turn on printer) makes xterm crash
Date: Sat, 27 Oct 2012 19:30:50 -0400
[Message part 1 (text/plain, inline)]
On Sun, Oct 28, 2012 at 01:21:39AM +0200, Vincent Lefevre wrote:
> On 2012-10-27 18:34:11 -0400, Thomas Dickey wrote:
> > The documentation is correct; there is an error in your report.
> > The rules for X resource syntax are different from your expectation.
> > This is an empty string:
> > 
> > *printerCommand:
> > 
> > This is the two double-quote characters (literally):
> > 
> > *printerCommand: ""
> 
> It is a bit strange because the " is a special character:
> 
> $ echo '*printerCommand: "' | xrdb -merge
> <stdin>:1:18: warning: missing terminating " character [enabled by default]

The warning is coming from xrdb (or the C preprocessor).
It's not coming from xterm or the X libraries.

I would have expected somthing like this:

	$ echo '*printerCommand: ' | xrdb -merge

By the way, the resource is actually set in this instance to a blank,
but xterm trims leading/trailing blanks (to reduce user confusion).

The absence of quoting, and limited escapes are something I can't
fix inside xterm.
 
> Now, concerning the bug, with the empty string, there are indeed
> no effects. But I don't think that xterm should terminate when
> there is a problem with the printer command.

true - but the severity level is "normal" (a problem exposed by
an unusual configuration - not the default as was stated).

I'll investigate to see what the internals are -

-- 
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net
[signature.asc (application/pgp-signature, inline)]

Severity set to 'normal' from 'grave' Request was from Thomas Dickey <dickey@his.com> to control@bugs.debian.org. (Sun, 28 Oct 2012 00:03:11 GMT) Full text and rfc822 format available.

Removed tag(s) security. Request was from Thomas Dickey <dickey@his.com> to control@bugs.debian.org. (Sun, 28 Oct 2012 00:06:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#691642; Package xterm. (Sun, 28 Oct 2012 10:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. (Sun, 28 Oct 2012 10:42:03 GMT) Full text and rfc822 format available.

Message #32 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Vincent Lefevre <vincent@vinc17.net>, 691642@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#691642: xterm: outputting the mc5 sequence (prtr_on / turn on printer) makes xterm crash
Date: Sun, 28 Oct 2012 11:37:58 +0100
Hi,
* Vincent Lefevre <vincent@vinc17.net> [2012-10-28 00:11]:
> When cat'ing some binary file, my xterm crashed. I've managed to find
> the cause: the mc5 terminfo sequence (prtr_on / turn on printer). The
> problem can be reproduced with:
> 
> 1. Run xterm from another terminal.
> 2. Run the following command:
>      printf "\033[5i"
>    or
>      tput mc5
>    The message "sh: 1: : Permission denied" appears in the first
>    terminal.

I can't reproduce this with xterm 278-2 on amd64.
[...] 

> In addition to possible data loss due to the crash, this is a security
> problem, because the sequence may appear in a remote file.

Sorry, I couldn't parse this sentence. What exactly are the security 
implications? So far I don't see how this qualifies for a security bug.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA



Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#691642; Package xterm. (Sun, 28 Oct 2012 10:42:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. (Sun, 28 Oct 2012 10:42:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#691642; Package xterm. (Sun, 28 Oct 2012 12:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Vincent Lefevre <vincent@vinc17.net>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. (Sun, 28 Oct 2012 12:27:03 GMT) Full text and rfc822 format available.

Message #42 received at 691642@bugs.debian.org (full text, mbox):

From: Vincent Lefevre <vincent@vinc17.net>
To: Nico Golde <nion@debian.org>
Cc: 691642@bugs.debian.org
Subject: Re: Bug#691642: xterm: outputting the mc5 sequence (prtr_on / turn on printer) makes xterm crash
Date: Sun, 28 Oct 2012 13:25:53 +0100
On 2012-10-28 11:37:58 +0100, Nico Golde wrote:
> I can't reproduce this with xterm 278-2 on amd64.

A bug in xrdb introduced a confusion. The problem occurs with
non-default *printerCommand value, e.g. in my case this was:

  xterm -xrm '*printerCommand: ""'

(AFAIK, there was no problem with that in the past, or it solved
a problem under some other condition.)

> > In addition to possible data loss due to the crash, this is a security
> > problem, because the sequence may appear in a remote file.
> 
> Sorry, I couldn't parse this sentence. What exactly are the security 
> implications? So far I don't see how this qualifies for a security bug.

If some external data (because they contain some unexpected byte
sequence) make a local program crash (so that user data are lost),
that's a security bug. Just like when you have a bug in the image
decoder used by your web browser that makes it crash on some image
files.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#691642; Package xterm. (Sun, 28 Oct 2012 12:39:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. (Sun, 28 Oct 2012 12:39:05 GMT) Full text and rfc822 format available.

Message #47 received at 691642@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Vincent Lefevre <vincent@vinc17.net>
Cc: 691642@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#691642: xterm: outputting the mc5 sequence (prtr_on / turn on printer) makes xterm crash
Date: Sun, 28 Oct 2012 13:34:04 +0100
[Message part 1 (text/plain, inline)]
tags 691642 - security
thanks

Hi,
* Vincent Lefevre <vincent@vinc17.net> [2012-10-28 13:32]:
> On 2012-10-28 11:37:58 +0100, Nico Golde wrote:
[...] 
> > > In addition to possible data loss due to the crash, this is a security
> > > problem, because the sequence may appear in a remote file.
> > 
> > Sorry, I couldn't parse this sentence. What exactly are the security 
> > implications? So far I don't see how this qualifies for a security bug.
> 
> If some external data (because they contain some unexpected byte
> sequence) make a local program crash (so that user data are lost),
> that's a security bug. Just like when you have a bug in the image
> decoder used by your web browser that makes it crash on some image
> files.

That was exactly my point, this is not treated as a security bug in Debian, 
but a regular bug.

Cheers
Nico
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#691642; Package xterm. (Tue, 30 Oct 2012 00:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to dickey@his.com:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. (Tue, 30 Oct 2012 00:36:03 GMT) Full text and rfc822 format available.

Message #52 received at 691642@bugs.debian.org (full text, mbox):

From: Thomas Dickey <dickey@his.com>
To: 691642@bugs.debian.org
Cc: 691642-submitter@bugs.debian.org
Subject: Re: Bug#691642: xterm: outputting the mc5 sequence (prtr_on / turn on printer) makes xterm crash
Date: Mon, 29 Oct 2012 20:31:50 -0400
[Message part 1 (text/plain, inline)]
this is fixed in #286.

-- 
Thomas E. Dickey <dickey@invisible-island.net>
http://invisible-island.net
ftp://invisible-island.net
[signature.asc (application/pgp-signature, inline)]

Added tag(s) fixed-upstream. Request was from Thomas Dickey <dickey@his.com> to control@bugs.debian.org. (Tue, 30 Oct 2012 00:36:05 GMT) Full text and rfc822 format available.

Message sent on to Vincent Lefevre <vincent@vinc17.net>:
Bug#691642. (Tue, 30 Oct 2012 00:36:09 GMT) Full text and rfc822 format available.

Reply sent to Julien Cristau <jcristau@debian.org>:
You have taken responsibility. (Tue, 27 Nov 2012 21:51:22 GMT) Full text and rfc822 format available.

Notification sent to Vincent Lefevre <vincent@vinc17.net>:
Bug acknowledged by developer. (Tue, 27 Nov 2012 21:51:22 GMT) Full text and rfc822 format available.

Message #62 received at 691642-close@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: 691642-close@bugs.debian.org
Subject: Bug#691642: fixed in xterm 287-1
Date: Tue, 27 Nov 2012 21:47:57 +0000
Source: xterm
Source-Version: 287-1

We believe that the bug you reported is fixed in the latest version of
xterm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 691642@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated xterm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 27 Nov 2012 22:27:28 +0100
Source: xterm
Binary: xterm
Architecture: source amd64
Version: 287-1
Distribution: experimental
Urgency: low
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Description: 
 xterm      - X terminal emulator
Closes: 359006 408666 683942 691642 694375
Changes: 
 xterm (287-1) experimental; urgency=low
 .
   * New upstream release (closes: #694375)
     - add alternateScroll resource and corresponding control sequences which
       modify the scroll-forw and scroll-back actions: when the alternate
       screen is displayed, wheel mouse up/down will send cursor keys (closes:
       #683942)
     - improve rendering for the case when a Unicode character is absent in the
       bold font but present in the normal font by temporarily falling back to
       the normal font (closes: #359006, #408666)
     - check for misconfigured printerCommand resource on the first use, warn
       and disable it if it does not specify an executable command (closes:
       #691642)
   * Drop upstream patches.
   * Refresh remaining patches.
   * Explicitly set --with-desktop-category to avoid desktop-file-install
     failure.
   * Enable backarrowKeyIsErase in configure instead of 900_debian_xterm.diff.
   * Install png/svg icons.
   * Change xterm.man's NAME section to keep whatis(1) happy.
Checksums-Sha1: 
 2e3a950920d5a74b6aaec447454ead50ccda3998 2019 xterm_287-1.dsc
 f1c4bfd11394eaa8158559cea63180fe7cc8d3ed 1103402 xterm_287.orig.tar.gz
 465d898bac50303b06c68dcc9a7453ee74acc9b6 98825 xterm_287-1.diff.gz
 e888c0d5ad201fc4037478fafe07161745c5c560 661918 xterm_287-1_amd64.deb
Checksums-Sha256: 
 f3eb17fceb50a7acb977c36c789812f39319c71b30aa97e7aaf6614cc6cd7d9a 2019 xterm_287-1.dsc
 b5645b5963d01d15f62fb9071f743b58e4d158581f19f411bf14422519363956 1103402 xterm_287.orig.tar.gz
 125172942397e818d450c52f5282777cb6c5d8e47b2dcbdd964991001ff2507e 98825 xterm_287-1.diff.gz
 ce39c08b42cd7b9b61e4ba2037e26fdad8f28039e19ec931f3ed4f03d50070c7 661918 xterm_287-1_amd64.deb
Files: 
 b341950dad30c453b6c12fc968352c7b 2019 x11 optional xterm_287-1.dsc
 0e4385e66d40b5dd6017d02c3db2a4af 1103402 x11 optional xterm_287.orig.tar.gz
 721f7450a36270648a3bd77f1fce6690 98825 x11 optional xterm_287-1.diff.gz
 0515e28e499ccb1f08d6c928cf32c5f9 661918 x11 optional xterm_287-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJQtTDSAAoJEDEBgAUJBeQMxtsP/0DCbmOhFELva5OpFJdwQWfW
mqJPHYS83JNNMQXwYS8IPNBcdpWfWGAT6YLdqgWqBcwUNkMx812nOvn/EDJtr6pG
DrsQim0Ysz/9NGSiKGqckuFcmySmOhCuhRjHmg48wk3ER/hTJWijyxUWsaqhsKqQ
lyeUW9Jw+nKpgqtpkGA85WGoPiDZh4O+sPwC1lNmlDiyw4nWAo2LJgmVJb1JugKH
+o/eEYdZinQBc0UiKnyYQmKUlmoJ+C7W+594/GEOVaeQTyAxNhMjmHqBWO1HglDw
WjBtRZk735LLXMFT9LWMXBbvydcnXUGKE9qSEZVWHDbIqBdJNh6lBm6nMJIMLp7S
/P7WheREZlwDqEOCYdkB/6M0FkSPCYZW5GI7/Lu6Gtm3FjMWIbcaOW8nEdBtiZJm
sDzwjzatxSUtL0iaVRPM+trCy4ynFU74nMCQ6XAFWaekY2g1oUaGAVXtofR2I/oi
3IYXpLXl/DmO4zwq+aMCgYzhvHoC2JzZnvrSt+5RYEsGhXEhakbiwI4G4YcRLbXc
YeYWAs07QKj4+IZ3nvIq5YgVqCUAZjpVlBYlkLFd7KsfTpAPi71NS/jB4L6Z7Foj
9jpqs8jtNjM+B7Rvt7ZF6GCP/f1XlFZRpzm1roL0YIdOvx66BVMOCfk1SSyzqsFX
fpj6xMPGzcI/tFfyFHC9
=E32r
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 25 Jun 2013 07:34:31 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 10:53:12 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.