Bug 216833 (CVE-2008-1692) - x11-terms/eterm < 0.9.4-r1 Display Security Issue (CVE-2008-1692)
Summary: x11-terms/eterm < 0.9.4-r1 Display Security Issue (CVE-2008-1692)
Status: RESOLVED FIXED
Alias: CVE-2008-1692
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://secunia.com/advisories/29577
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
Reported: 2008-04-08 07:38 UTC by Lars Hartmann
Modified: 2008-05-07 18:59 UTC

See Also:
Package list:
Runtime testing required: ---

Description Lars Hartmann 2008-04-08 07:38:09 UTC
A security issue has been reported in Eterm, which can be exploited by malicious, local users to gain escalated privileges.

For more information:
SA29576

The security issue is reported in version 0.9.4. Other versions may also be affected.

Solution:
Do not run Eterm on untrusted systems.

Restrict local access to trusted users only.

Provided and/or discovered by:
Reported in a Debian bug report by Bernhard R. Link.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-04-08 09:01:51 UTC
There's a patch here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=473127

As I wrote here, this affects a lot of shells besides aterm and rxvt (which we do not have a bug for yet):
http://thread.gmane.org/gmane.comp.security.oss.general/107/focus=173
Comment 2 SpanKY gentoo-dev 2008-04-08 17:31:53 UTC
I don't think you want the term "terminals", not "shells"

but along those lines, it isn't just a terminal issue ... many, many applications will attempt :0 if nothing else is set
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-04-15 23:34:07 UTC
True, we're talking terminals here, not shells. The reason it is dangerous in terminals (as opposed to other X11 applications) is that they allow you to execute code directly, whereas if someone captures your "gimp" for instance, getting it to start a shell for you is hard.

There's a patch for eterm here: http://people.debian.org/~nion/nmu-diff/eterm-0.9.4.0debian1-2_0.9.4.0debian1-2.1.patch

Since these bugs need fixing all over the place, we need bugs for every affected package. 
Comment 4 SpanKY gentoo-dev 2008-04-16 03:14:01 UTC
Considering gimp can trivially overwrite arbitrary files via its save interface, I'd say that's just as bad as a shell when it comes to security.
Comment 5 SpanKY gentoo-dev 2008-04-16 03:26:33 UTC
I've committed the fix in question in upstream eterm CVS as well as added it to eterm-0.9.4-r1
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-04-26 16:38:32 UTC
Arches please test and mark stable x11-terms/eterm-0.9.4-r1
target "alpha amd64 arm hppa ia64 ~mips ppc ppc64 release sh sparc x86 ~x86-fbsd"

Not sure about the real impact, but secunia mentions privilege escalation, so...
Comment 7 Víctor Enríquez 2008-04-26 18:07:57 UTC
===AMD64 AT REPORT===

*Installation [OK] using the following USE flags.
[ebuild  N    ] x11-terms/eterm-0.9.4-r1  USE="sse2 unicode -escreen -etwin -minimal (-mmx)" 2,636 kB 
*No src_test
*Documentation: Man pages work ok.
*Functionality: [OK]
--Note: Tested on Xnest with metacity.--
Change background using tiled and scaled images [OK]
Change Font [OK]
Execute commands [OK]
Toggle transparency [FAIL] gives an error about Eterm not being able to locate the desktop window; this is related to Xnest I think, so it's not a problem.
Toggle Reverse Video [OK]
Toggle Cursor visible [OK]
Eterm -> new Eterm window [OK]
Version [OK]
Status [OK]
Save user and theme settings [OK]

emerge --info: 
Portage 2.1.4.4 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.24-gentoo-r4 x86_64)
=================================================================
System uname: 2.6.24-gentoo-r4 x86_64 AMD Athlon(tm) 64 Processor 3200+
Timestamp of tree: Sun, 20 Apr 2008 11:30:01 +0000
app-shells/bash:     3.2_p17-r1
dev-lang/python:     2.4.4-r9
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=k8 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LINGUAS="en es"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow X a52 acl acpi alsa amd64 berkdb bzip2 cairo cdr cli cracklib crypt dbus dga dri dvdr ffmpeg flac gdbm glitz gmp gnome gpm gtk hal iconv ipv6 isdnlog ithreads jpeg lcms libnotify mad midi mmx mp3 mudflap ncurses network nls nptl nptlonly ogg opengl openmp pam pcre perl png pppd python readline reflection sdl session spell spl sse sse2 ssl startup-notification svg tcpd theora threads tiff truetype unicode v4l vorbis x264 xcomposite xorg xscreensaver xulrunner xv xvid zlib" ALSA_CARDS="emu10k1" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev keyboard mouse joystick" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en es" USERLAND="GNU" VIDEO_CARDS="nvidia none"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 8 Markus Meier gentoo-dev 2008-04-26 20:29:43 UTC
amd64/x86 stable, thanks for the test Víctor.
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2008-04-27 08:31:50 UTC
ppc64 stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2008-04-27 16:15:45 UTC
alpha/ia64/sparc stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2008-04-27 20:26:33 UTC
Stable for HPPA.
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2008-04-28 17:10:18 UTC
ppc stable
Comment 13 Peter Volkov (RETIRED) gentoo-dev 2008-04-29 05:52:38 UTC
Fixed in release snapshot.
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2008-04-29 13:00:36 UTC
GLSA request filed.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-04-29 17:52:21 UTC
I'll set this back to B3 because the "privilege escalation" means that when you open the terminal in someone else's X server, the attacker can execute code with your privileges.
Comment 16 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-07 18:59:29 UTC
GLSA 200805-03