[Xquartz-dev] Xterm vulnerability

Jeremy Huddleston jeremyhu at berkeley.edu
Fri Jan 2 11:45:44 PST 2009


Just when I was about to push out 2.3.2 ...

Thanks, this will be fixed in 2.3.2 with xterm-238


On Jan 2, 2009, at 11:04, Peter Collinson wrote:

> Is this being dealt with, or are we all OK anyway?
> -------------------------------------------------------------------------------------------------
> (2) HIGH: xterm Escape Sequence Vulnerability
> Affected:
> X.org xterm versions prior to patch #237
>
> Description: xterm is the terminal emulator of the X Window System,
> the standard network-enabled windowing system for Unix and Unix-like
> platforms. It contains a flaw in its handling of certain escape
> sequences (sequences of characters that, when read by the terminal,
> cause it to take action). A specially crafted "DECRQSS Device Control
> Request Status" escape sequence could trigger this vulnerability,
> allowing an attacker to execute arbitrary commands with the privileges
> of the current user. An attacker could exploit this vulnerability by
> tricking a user into displaying a malicious text file in an xterm
> window, or sending such characters in a network terminal session
> (for example, during an SSH or telnet session). Note that this affects
> the reference implementation of xterm from X.org, and presumably also
> affects versions of xterm that share that codebase (such as XFree86).
>
> Status: Vendor confirmed, updates available.
>
> References:
> Wikipedia Article on the X Window System
> http://en.wikipedia.org/wiki/X_Window_System
> Wikipedia Article on Escape Sequences
> http://en.wikipedia.org/wiki/Escape_sequence
> X.org Home Page
> http://www.x.org
> SecurityFocus BID
> http://www.securityfocus.com/bid/33060
>
> ---------------------------------------------------------------------------------------------------
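As an added, defender-side example that is not part of this thread or of xterm itself: a small Python filter that flags or strips DCS strings (including the DECRQSS `DCS $ q ... ST` form named in the advisory) from untrusted text before it is written to a terminal. The function names and the sample input are my own; the real fix remains the patched xterm.

```python
import re

# A Device Control String runs from the DCS introducer (7-bit ESC P or the
# 8-bit C1 byte 0x90) to the String Terminator (ESC \ or 0x9c).  DECRQSS is
# the DCS whose body starts with "$q".
DCS_RE = re.compile(r"(?:\x1bP|\x90)(?P<body>.*?)(?:\x1b\\|\x9c)", re.DOTALL)
UNTERMINATED_DCS_RE = re.compile(r"(?:\x1bP|\x90).*\Z", re.DOTALL)


def find_decrqss(text: str) -> list:
    """Return the parameter strings of every DECRQSS request found in text.

    Useful for scanning files or captured sessions for the sequence the
    advisory describes, without interpreting it.
    """
    hits = []
    for match in DCS_RE.finditer(text):
        body = match.group("body")
        if body.startswith("$q"):
            hits.append(body[2:])
    return hits


def strip_dcs(text: str) -> str:
    """Remove all DCS ... ST sequences from text, terminated or not.

    An unterminated DCS would otherwise make the terminal swallow everything
    that follows, so the tail after a dangling introducer is dropped as well.
    """
    cleaned = DCS_RE.sub("", text)
    return UNTERMINATED_DCS_RE.sub("", cleaned)


if __name__ == "__main__":
    # Constructed sample: ordinary text with an embedded DECRQSS request.
    sample = "hello\x1bP$qm\x1b\\world"
    print("DECRQSS payloads found:", find_decrqss(sample))
    print("sanitised:", repr(strip_dcs(sample)))
```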
