eterm: opens window on unspecified display

Related Vulnerabilities: CVE-2008-1692  

Debian Bug report logs - #473127
eterm: opens window on unspecified display


Reported by: "Bernhard R. Link" <brlink@debian.org>

Date: Fri, 28 Mar 2008 14:03:01 UTC

Severity: important

Tags: patch, security

Found in version eterm/0.9.4.0debian1-2

Fixed in version eterm/0.9.4.0debian1-2.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#473127; Package eterm.


Acknowledgement sent to "Bernhard R. Link" <brlink@debian.org>:
New Bug report received and forwarded. Copy sent to ljlane@debian.org (Laurence J. Lane).


Message #5 received at submit@bugs.debian.org:

From: "Bernhard R. Link" <brlink@debian.org>
To: submit@bugs.debian.org
Subject: eterm: opens window on unspecified display
Date: Fri, 28 Mar 2008 14:59:40 +0100
Package: eterm
Version: 0.9.4.0debian1-2
Severity: important
Tags: security patch

When no -display is given and DISPLAY is not set, Eterm tries :0.
That is both a security issue on multi-user systems (see
http://article.gmane.org/gmane.comp.security.oss.general/122
for the description of an attack vector) and otherwise still annoying
as it causes the error message to be delayed quite a bit.

Respectfully,
	Bernhard R. Link
[eterm-diff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#473127; Package eterm.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane).


Message #10 received at 473127@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 473127@bugs.debian.org
Cc: 473127-submitter@bugs.debian.org
Subject: Re: eterm: opens window on unspecified display
Date: Wed, 9 Apr 2008 14:10:58 +0200
Hi,
Bernhard, could you do an NMU here? It seems like the 
maintainer is unavailable.
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Message sent on to "Bernhard R. Link" <brlink@debian.org>:
Bug#473127.


Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#473127; Package eterm.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane).


Message #18 received at 473127@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 473127@bugs.debian.org
Subject: Re: eterm: opens window on unspecified display
Date: Tue, 15 Apr 2008 19:29:58 +0200
Hi,
as far as I can see your patch is wrong cause it completely 
removes the usage of the DISPLAY variable.

Attached is a correct patch I will upload as NMU.
It will be also archived on:
http://people.debian.org/~nion/nmu-diff/eterm-0.9.4.0debian1-2_0.9.4.0debian1-2.1.patch

BTW the -display option seems to be broken anyway, Eterm -display :0.0
doesn't work while DISPLAY=:0.0 Eterm does fine. I will not 
analyze this in more detail as it was broken before too.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[eterm-0.9.4.0debian1-2_0.9.4.0debian1-2.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]
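The selection logic that the report and Nico's reply describe (honour -display first, then DISPLAY, and never fall back to :0 on your own), shown as an added example. This is not Eterm's source and not the NMU patch; the function names pick_display_vulnerable, pick_display_fixed and would_silently_fall_back, and the HARDCODED_FALLBACK macro, are names chosen for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Illustrative model of the display-selection logic at issue in #473127.
 * Added example, not Eterm's code: the names below are assumptions made
 * for the illustration.
 */
#define HARDCODED_FALLBACK ":0"

/*
 * Vulnerable behaviour: honour -display, then $DISPLAY, and otherwise
 * silently try ":0". On a multi-user host, whoever owns the X server on
 * :0 (with access control relaxed) receives the window and can type into
 * a terminal that runs as the victim.
 */
const char *pick_display_vulnerable(const char *cli_display, const char *env_display)
{
    if (cli_display && *cli_display)
        return cli_display;
    if (env_display && *env_display)
        return env_display;
    return HARDCODED_FALLBACK;
}

/*
 * Fixed behaviour: same precedence, but no display means no connection.
 * The caller prints its usual "can't open display" error and exits,
 * which is also what happens when XOpenDisplay(NULL) finds $DISPLAY unset.
 * A patch that dropped the $DISPLAY step as well would be wrong, which is
 * the objection raised against the first patch in this bug.
 */
const char *pick_display_fixed(const char *cli_display, const char *env_display)
{
    if (cli_display && *cli_display)
        return cli_display;
    if (env_display && *env_display)
        return env_display;
    return NULL;
}

/*
 * Audit helper: returns 1 if the vulnerable logic would connect to a
 * display the user never named, 0 otherwise. The pointer comparison is
 * deliberate: the fallback is a distinct literal, so any result that is
 * neither argument came from the hard-coded default.
 */
int would_silently_fall_back(const char *cli_display, const char *env_display)
{
    const char *chosen = pick_display_vulnerable(cli_display, env_display);
    return chosen != cli_display && chosen != env_display;
}

int main(void)
{
    /* Typical victim context: a root shell reached via su or ssh without
     * X forwarding, so DISPLAY is unset and no -display was given. */
    const char *env = getenv("DISPLAY");
    const char *v = pick_display_vulnerable(NULL, env);
    const char *f = pick_display_fixed(NULL, env);

    printf("vulnerable logic would open on: %s\n", v);
    printf("fixed logic:                    %s\n",
           f ? f : "refuses, no display specified");
    return 0;
}
```

To check a built package rather than a model, start it from a session in which DISPLAY is unset, for example with `env -u DISPLAY Eterm` on a host that has an X server on :0. The fixed package should fail immediately with its cannot-open-display error instead of a window appearing on the console server; that refusal is the correct result, and a wrapper script that exports DISPLAY=:0 to "help" would reintroduce the bug.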

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.


Notification sent to "Bernhard R. Link" <brlink@debian.org>:
Bug acknowledged by developer.


Message #23 received at 473127-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 473127-close@bugs.debian.org
Subject: Bug#473127: fixed in eterm 0.9.4.0debian1-2.1
Date: Tue, 15 Apr 2008 17:47:06 +0000
Source: eterm
Source-Version: 0.9.4.0debian1-2.1

We believe that the bug you reported is fixed in the latest version of
eterm, which is due to be installed in the Debian FTP archive:

eterm_0.9.4.0debian1-2.1.diff.gz
  to pool/main/e/eterm/eterm_0.9.4.0debian1-2.1.diff.gz
eterm_0.9.4.0debian1-2.1.dsc
  to pool/main/e/eterm/eterm_0.9.4.0debian1-2.1.dsc
eterm_0.9.4.0debian1-2.1_amd64.deb
  to pool/main/e/eterm/eterm_0.9.4.0debian1-2.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 473127@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated eterm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 15 Apr 2008 19:15:59 +0200
Source: eterm
Binary: eterm
Architecture: source amd64
Version: 0.9.4.0debian1-2.1
Distribution: unstable
Urgency: high
Maintainer: Laurence J. Lane <ljlane@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 eterm      - Enlightened Terminal Emulator
Closes: 473127
Changes: 
 eterm (0.9.4.0debian1-2.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix opening the terminal on display :0 if no DISPLAY environment
     variable is specified to prevent local attackers from hijacking
     X11 connections in certain environments (CVE-2008-1692; Closes: #473127)
Checksums-Sha1: 
 7a43a0e32040e18113635ada58064ae77bdfd3cf 1136 eterm_0.9.4.0debian1-2.1.dsc
 7fe44b7626d9985f66d85a42bb3ec347d2e5ae6f 11382 eterm_0.9.4.0debian1-2.1.diff.gz
 c8a42053f44ec14e735adc0d4719cdf3e8b63678 454846 eterm_0.9.4.0debian1-2.1_amd64.deb
Checksums-Sha256: 
 714a638404b51743d1c1a99353173ef154e5b368c862f5347a1bf6739aadee5f 1136 eterm_0.9.4.0debian1-2.1.dsc
 1ca25f90c14fadfc8667e66929a36669383672ef8cdf3961c2422b1017506623 11382 eterm_0.9.4.0debian1-2.1.diff.gz
 9cd696aeb26316916714c5a49f6506d6bdc330c8df775969a2ab59fc01e97101 454846 eterm_0.9.4.0debian1-2.1_amd64.deb
Files: 
 a8869a72dd462d7abb798d12e5177d71 1136 x11 optional eterm_0.9.4.0debian1-2.1.dsc
 2dff444585f99a92dddad809f1786a3c 11382 x11 optional eterm_0.9.4.0debian1-2.1.diff.gz
 5d14416e6bb5caecbd0aec3efd44519b 454846 x11 optional eterm_0.9.4.0debian1-2.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIBOYuHYflSXNkfP8RAifYAJ9ZIm2XuZrIXjE+GiHknfTlLtGjHwCdGJLK
k+7kqNOK//BRIIL2Ys65XCc=
=R37E
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Jun 2008 07:32:50 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:16:29 2019