Just when I was about to push out 2.3.2 ...

Thanks, this will be fixed in 2.3.2 with xterm-238

On Jan 2, 2009, at 11:04, Peter Collinson wrote:
Is this being dealt with, or are we all OK anyway?

-------------------------------------------------------------------------------------------------
(2) HIGH: xterm Escape Sequence Vulnerability
Affected: X.org xterm versions prior to patch #237

Description: xterm is the terminal emulator of the X Window System, the standard network-enabled windowing system for Unix and Unix-like platforms. It contains a flaw in its handling of certain escape sequences (sequences of characters that, when read by the terminal, cause it to take action). A specially crafted "DECRQSS Device Control Request Status" escape sequence could trigger this vulnerability, allowing an attacker to execute arbitrary commands with the privileges of the current user. An attacker could exploit this vulnerability by tricking a user into displaying a malicious text file in an xterm window, or by sending such characters in a network terminal session (for example, during an SSH or telnet session). Note that this affects the reference implementation of xterm from X.org, and presumably also affects versions of xterm that share that codebase (such as XFree86).
Status: Vendor confirmed, updates available.
References:
Wikipedia Article on the X Window System
http://en.wikipedia.org/wiki/X_Window_System
Wikipedia Article on Escape Sequences
http://en.wikipedia.org/wiki/Escape_sequence
X.org Home Page
http://www.x.org
SecurityFocus BID
http://www.securityfocus.com/bid/33060
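Added example, not code from this thread or from xterm: a small filter for text that is about to be shown in a terminal. The advisory above describes the attack shape (a crafted DECRQSS request arriving in a file or a remote session) but not a defence for the reader who cannot upgrade immediately. A terminal answers DECRQSS (DCS $ q Pt ST) by writing its reply into the pty input stream, as if the user had typed it, so a reply that reproduces attacker-chosen text including a newline hands the shell a complete command line. The filter below finds every DCS sequence in 7-bit (ESC P ... ESC \) or 8-bit (0x90 ... 0x9C) form, flags DECRQSS requests that carry a line terminator, and strips all DCS sequences before output. The sample input is constructed; the code assumes raw bytes are decoded as latin-1 so that the 8-bit C1 openers survive decoding.

```python
"""Detect and strip DCS sequences (DECRQSS included) from untrusted text.

Added illustration for the xterm DECRQSS advisory; not xterm's own code.
Assumes input bytes were decoded as latin-1 so C1 controls appear as
U+0090 / U+009C.
"""
import re
import sys
from typing import List, NamedTuple

# DCS opener and ST terminator, 7-bit (ESC P ... ESC \) and 8-bit (0x90 ... 0x9C).
_DCS_RE = re.compile(r"(?:\x1bP|\x90)(?P<body>.*?)(?:\x1b\\|\x9c)", re.DOTALL)
# An opener with no ST: a terminal keeps consuming until ST arrives, so the rest
# of the input belongs to the DCS and must not be passed through.
_DCS_TAIL_RE = re.compile(r"(?:\x1bP|\x90).*\Z", re.DOTALL)


class DcsHit(NamedTuple):
    start: int          # offset of the opener
    end: int            # offset just past ST (or len(text) if unterminated)
    body: str           # text between opener and ST
    decrqss: bool       # body is a DECRQSS request: DCS $ q Pt ST
    has_newline: bool   # body carries CR/LF, what a reflected reply needs to end a shell line
    terminated: bool    # an ST was present


def is_decrqss(body: str) -> bool:
    """DECRQSS is DCS $ q Pt ST, so the DCS body starts with '$q'."""
    return body.startswith("$q")


def _hit(start: int, end: int, body: str, terminated: bool) -> DcsHit:
    return DcsHit(start, end, body, is_decrqss(body),
                  ("\n" in body or "\r" in body), terminated)


def find_dcs(text: str) -> List[DcsHit]:
    """Return every DCS sequence in text, including a trailing unterminated one."""
    hits = [_hit(m.start(), m.end(), m.group("body"), True)
            for m in _DCS_RE.finditer(text)]
    pos = hits[-1].end if hits else 0
    m = _DCS_TAIL_RE.search(text, pos)
    if m:
        opener_len = 2 if m.group(0).startswith("\x1b") else 1
        hits.append(_hit(m.start(), m.end(), m.group(0)[opener_len:], False))
    return hits


def suspicious(text: str) -> List[DcsHit]:
    """DECRQSS requests whose payload contains a line terminator."""
    return [h for h in find_dcs(text) if h.decrqss and h.has_newline]


def sanitize(text: str) -> str:
    """Drop every DCS sequence, terminated or not, so none reaches the terminal."""
    cleaned = _DCS_RE.sub("", text)
    return _DCS_TAIL_RE.sub("", cleaned)


# Constructed sample: a benign log with an embedded DECRQSS carrying a newline.
SAMPLE = (
    "ordinary log line\n"
    + "\x1bP$q" + "\n;echo injected\n" + "\x1b\\"
    + "another line\n"
)


if __name__ == "__main__":
    # Usage: python dcs_filter.py < untrusted.txt  (hypothetical file name)
    data = sys.stdin.buffer.read().decode("latin-1")
    for h in suspicious(data):
        sys.stderr.write("DECRQSS with line terminator at offset %d\n" % h.start)
    sys.stdout.write(sanitize(data))
```

The filter is deliberately coarse: it removes all DCS strings rather than only DECRQSS, since DCS is also the carrier for other terminal-side programming (user-defined keys, sixel) and none of it belongs in a file someone merely wants to read. Where a filter is not at hand, viewing an untrusted file with `cat -v`, or with `less` without its `-r`/`-R` options, prints control characters visibly instead of handing them to the terminal.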
---------------------------------------------------------------------------------------------------
_______________________________________________
Xquartz-dev mailing list
Xquartz-dev@lists.macosforge.org
http://lists.macosforge.org/mailman/listinfo.cgi/xquartz-dev