X11 full-screen issues
Jeremy,

First, thanks for all your work in 2008. Now here's some for 2009!

I have rc-5 with your X11.bin-20081231 installed. My X11 is set for full-screen mode, but is not open. Terminal.app is open in Space 3.

I invoke xcalc from Terminal.app. I get an xcalc window on my root screen. Immediately I do cmd-opt-a, and I get to my desktop in Space 3 with X11 as the active app. I click on the X11 dock icon and nothing happens. (I guess I'd expect to see that xcalc and the root screen again.) Click on the Space 3 desktop to activate Finder. Now click once more on the X11 dock icon. Now I see the xcalc on the root screen.

Now for a variation. As above for the first three sentences of the paragraph. This time, instead of clicking the X11 dock icon, I switch to another Space, say Space 2. Finder becomes active. I click on the X11 dock icon. My root screen "flashes by" and I end up with that xcalc window in front of a Space three desktop, but without dock or Apple menu bar. I can use the xcalc just fine, but if I click on anything non-X11 the xcalc window vanishes and I'm really in Space 3.

Louis
Please file this in a bug report at http://xquartz.macosforge.org

On Jan 1, 2009, at 08:00, Zulli, Louis P wrote:
Jeremy,
First, thanks for all your work in 2008. Now here's some for 2009!
I have rc-5 with your X11.bin-20081231 installed. My X11 is set for full-screen mode, but is not open. Terminal.app is open in Space 3.
I invoke xcalc from Terminal.app. I get an xcalc window on my root screen. Immediately I do cmd-opt-a, and I get to my desktop in Space 3 with X11 as the active app. I click on the X11 dock icon and nothing happens. (I guess I'd expect to see that xcalc and the root screen again.) Click on the Space 3 desktop to activate Finder. Now click once more on the X11 dock icon. Now I see the xcalc on the root screen.
Now for a variation. As above for the first three sentences of the paragraph. This time, instead of clicking the X11 dock icon, I switch to another Space, say Space 2. Finder becomes active. I click on the X11 dock icon. My root screen "flashes by" and I end up with that xcalc window in front of a Space three desktop, but without dock or Apple menu bar. I can use the xcalc just fine, but if I click on anything non-X11 the xcalc window vanishes and I'm really in Space 3.
Louis
_______________________________________________ Xquartz-dev mailing list Xquartz-dev@lists.macosforge.org http://lists.macosforge.org/mailman/listinfo.cgi/xquartz-dev
Is this being dealt with, or are we all OK anyway?

------------------------------------------------------------------------
(2) HIGH: xterm Escape Sequence Vulnerability
Affected: X.org xterm versions prior to patch #237

Description: xterm is the terminal emulator of the X Window System, the standard network-enabled windowing system for Unix and Unix-like platforms. It contains a flaw in its handling of certain escape sequences (sequences of characters that, when read by the terminal, cause it to take action). A specially crafted "DECRQSS Device Control Request Status" escape sequence could trigger this vulnerability, allowing an attacker to execute arbitrary commands with the privileges of the current user. An attacker could exploit this vulnerability by tricking a user into displaying a malicious text file in an xterm window, or sending such characters in a network terminal session (for example, during an SSH or telnet session). Note that this affects the reference implementation of xterm from X.org, and presumably also affects versions of xterm that share that codebase (such as XFree86).

Status: Vendor confirmed, updates available.

References:
Wikipedia Article on the X Window System
http://en.wikipedia.org/wiki/X_Window_System
Wikipedia Article on Escape Sequences
http://en.wikipedia.org/wiki/Escape_sequence
X.org Home Page
http://www.x.org
SecurityFocus BID
http://www.securityfocus.com/bid/33060
------------------------------------------------------------------------
Fri, 2 Jan 2009 (19:04 -0000 UTC) Peter Collinson wrote:
Is this being dealt with, or are we all OK anyway?
% man xterm
[...]
ENVIRONMENT
    Xterm sets several environment variables [...]
    XTERM_VERSION is set to the string displayed by the -version option. That is normally an identifier for the X Window libraries used to build xterm, followed by xterm's patch number in parenthesis. The patch number is also part of the response to a Secondary Device Attributes (DA) control sequence (see Xterm Control Sequences).
[...]
% echo $XTERM_VERSION
XTerm(237)

Try it on your machine to see.
--
Dr. Robert Delius Royar
Associate Professor of English
Morehead State University
Morehead, Kentucky
Making meaning one message at a time.
Never argue with a man who buys ink by the barrel. -H. L. Mencken
14:30 up 1 day, 7:04, 1 user, load averages: 0.43 0.34 0.23
Just when I was about to push out 2.3.2 ...

Thanks, this will be fixed in 2.3.2 with xterm-238

On Jan 2, 2009, at 11:04, Peter Collinson wrote:
Is this being dealt with, or are we all OK anyway?
Aren't we at #237 already, and thus OK?

Affected: X.org xterm versions prior to patch #237

----- Original Message -----
From: "Jeremy Huddleston" <jeremyhu@berkeley.edu>
To: "Developer talk about Xquartz" <xquartz-dev@lists.macosforge.org>
Sent: Friday, January 2, 2009 2:45:44 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Xquartz-dev] Xterm vulnerability

Just when I was about to push out 2.3.2 ...

Thanks, this will be fixed in 2.3.2 with xterm-238

On Jan 2, 2009, at 11:04, Peter Collinson wrote:
Is this being dealt with, or are we all OK anyway?
We are vulnerable.

xterm DECRQSS Remote Command Execution Vulnerability
Bugtraq ID: 33060
Class: Input Validation Error
CVE: CVE-2008-2383
Remote: Yes
Local: No
Published: Dec 28 2008 12:00AM
Updated: Dec 28 2008 12:00AM
Credit: Paul Szabo
Vulnerable: X.org xterm patch 237
Not Vulnerable:

----- Original Message -----
From: "Louis P Zulli" <zullil@lafayette.edu>
To: "Developer talk about Xquartz" <xquartz-dev@lists.macosforge.org>
Sent: Friday, January 2, 2009 2:49:37 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Xquartz-dev] Xterm vulnerability

Aren't we at #237 already, and thus OK?

Affected: X.org xterm versions prior to patch #237

----- Original Message -----
From: "Jeremy Huddleston" <jeremyhu@berkeley.edu>
To: "Developer talk about Xquartz" <xquartz-dev@lists.macosforge.org>
Sent: Friday, January 2, 2009 2:45:44 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Xquartz-dev] Xterm vulnerability

Just when I was about to push out 2.3.2 ...

Thanks, this will be fixed in 2.3.2 with xterm-238

On Jan 2, 2009, at 11:04, Peter Collinson wrote:
Is this being dealt with, or are we all OK anyway?
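The version check discussed in this thread, as an added example that is not part of the original messages: it pulls the patch number out of an XTERM_VERSION-style string and compares it with 238, the xterm patch the thread names as carrying the fix. The function names and the FIXED_PATCH variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify an xterm build by the patch number in its version
# string, using only the numbers quoted in this thread.
FIXED_PATCH=238   # from the thread: "fixed in 2.3.2 with xterm-238"

# Extract the patch number: the digits inside the last "(...)" of the string,
# e.g. "XTerm(237)" -> 237. Prints nothing and returns 1 if none is found.
xterm_patch() {
    patch=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9][0-9]*\))[^()]*$/\1/p')
    [ -n "$patch" ] || return 1
    printf '%s\n' "$patch"
}

# Print "vulnerable", "fixed" or "unknown" for a version string.
xterm_status() {
    patch=$(xterm_patch "$1") || { echo unknown; return 0; }
    if [ "$patch" -lt "$FIXED_PATCH" ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Check the current session: prefer XTERM_VERSION, which xterm sets for its
# child processes, and fall back to asking the xterm binary on PATH.
check_current_xterm() {
    version=${XTERM_VERSION:-$(xterm -version 2>/dev/null || true)}
    echo "${version:-no xterm found}: $(xterm_status "$version")"
}

check_current_xterm
```

With the value shown earlier in the thread, XTerm(237), the check reports "vulnerable", matching the Bugtraq entry rather than the "prior to patch #237" wording of the first advisory.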
participants (5)
- Jeremy Huddleston
- Jeremy Huddleston
- Peter Collinson
- robert delius royar
- Zulli, Louis P