Bug#: 216833
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Lars Hartmann <lars@chaotika.org>

Description:   Opened: 2008-04-08 07:38 0000
A security issue has been reported in Eterm, which can be exploited by
malicious, local users to gain escalated privileges.

For more information:
SA29576

The security issue is reported in version 0.9.4. Other versions may also be
affected.

Solution:
Do not run Eterm on untrusted systems.

Restrict local access to trusted users only.

Provided and/or discovered by:
Reported in a Debian bug report by Bernhard R. Link.

------- Comment #1 From Robert Buchholz 2008-04-08 09:01:51 0000 -------
There's a patch here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=473127

As I wrote here, this affects a lot of shells besides aterm and rxvt (which we
do not have a bug for yet):
http://thread.gmane.org/gmane.comp.security.oss.general/107/focus=173

------- Comment #2 From SpanKY 2008-04-08 17:31:53 0000 -------
i don't think you want the term "terminals", not "shells"

but along those lines, it isn't just a terminal issue ... many many applications
will attempt :0 if nothing else is set

------- Comment #3 From Robert Buchholz 2008-04-15 23:34:07 0000 -------
true, we're talking terminals here, not shells. The reason it is dangerous in
terminals (as opposed to other X11 applications) is that they allow you to
execute code directly, whereas if someone captures your "gimp" for instance,
getting it to start a shell for you is hard.

There's a patch for eterm here:
http://people.debian.org/~nion/nmu-diff/eterm-0.9.4.0debian1-2_0.9.4.0debian1-2.1.patch

Since these bugs need fixing all over the place, we need bugs for every
affected package. 

------- Comment #4 From SpanKY 2008-04-16 03:14:01 0000 -------
considering gimp can trivially overwrite arbitrary files via its save
interface, i'd say that's just as bad as a shell when it comes to security.

------- Comment #5 From SpanKY 2008-04-16 03:26:33 0000 -------
i've committed the fix in question in upstream eterm cvs as well as added it to
eterm-0.9.4-r1

------- Comment #6 From Pierre-Yves Rofes 2008-04-26 16:38:32 0000 -------
Arches please test and mark stable x11-terms/eterm-0.9.4-r1
target "alpha amd64 arm hppa ia64 ~mips ppc ppc64 release sh sparc x86
~x86-fbsd"

not sure about the real impact, but Secunia mentions privilege escalation,
so...

------- Comment #7 From Víctor Enríquez 2008-04-26 18:07:57 0000 -------
===AMD64 AT REPORT===

*Installation [OK] using the following USE flags.
[ebuild  N    ] x11-terms/eterm-0.9.4-r1  USE="sse2 unicode -escreen -etwin
-minimal (-mmx)" 2,636 kB 
*No src_test
*Documentation: Man pages work ok.
*Functionality: [OK]
--Note: Tested on Xnest with metacity.--
Change background using tiled and scaled images [OK]
Change Font [OK]
Execute commands [OK]
Toggle transparency [FAIL] gives an error about Eterm not able to locate desktop
window, this is related to Xnest I think, so it's not a problem.
Toggle Reverse Video [OK]
Toggle Cursor visible [OK]
Eterm -> new Eterm window [OK]
Version [OK]
Status [OK]
Save user and theme settings [OK]

emerge --info: 
Portage 2.1.4.4 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0,
2.6.24-gentoo-r4 x86_64)
=================================================================
System uname: 2.6.24-gentoo-r4 x86_64 AMD Athlon(tm) 64 Processor 3200+
Timestamp of tree: Sun, 20 Apr 2008 11:30:01 +0000
app-shells/bash:     3.2_p17-r1
dev-lang/python:     2.4.4-r9
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf
/etc/gentoo-release /etc/revdep-rebuild /etc/splash /etc/terminfo
/etc/udev/rules.d"
CXXFLAGS="-march=k8 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer multilib-strict
parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LINGUAS="en es"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --stats --timeout=180 --exclude=/distfiles
--exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow X a52 acl acpi alsa amd64 berkdb bzip2 cairo cdr cli cracklib crypt
dbus dga dri dvdr ffmpeg flac gdbm glitz gmp gnome gpm gtk hal iconv ipv6
isdnlog ithreads jpeg lcms libnotify mad midi mmx mp3 mudflap ncurses network
nls nptl nptlonly ogg opengl openmp pam pcre perl png pppd python readline
reflection sdl session spell spl sse sse2 ssl startup-notification svg tcpd
theora threads tiff truetype unicode v4l vorbis x264 xcomposite xorg
xscreensaver xulrunner xv xvid zlib" ALSA_CARDS="emu10k1"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file
hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route
share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias
authn_anon authn_dbm authn_default authn_file authz_dbm authz_default
authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs
dav_lock deflate dir disk_cache env expires ext_filter file_cache filter
headers include info log_config logio mem_cache mime mime_magic negotiation
rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc" INPUT_DEVICES="evdev keyboard mouse joystick" KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses
text" LINGUAS="en es" USERLAND="GNU" VIDEO_CARDS="nvidia none"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL,
LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS,
PORTDIR_OVERLAY

------- Comment #8 From Markus Meier 2008-04-26 20:29:43 0000 -------
amd64/x86 stable, thanks for the test Víctor.

------- Comment #9 From Markus Rothe 2008-04-27 08:31:50 0000 -------
ppc64 stable

------- Comment #10 From Raúl Porcel 2008-04-27 16:15:45 0000 -------
alpha/ia64/sparc stable

------- Comment #11 From Jeroen Roovers 2008-04-27 20:26:33 0000 -------
Stable for HPPA.

------- Comment #12 From Tobias Scherbaum 2008-04-28 17:10:18 0000 -------
ppc stable

------- Comment #13 From Peter Volkov 2008-04-29 05:52:38 0000 -------
Fixed in release snapshot.

------- Comment #14 From Tobias Heinlein 2008-04-29 13:00:36 0000 -------
GLSA request filed.

------- Comment #15 From Robert Buchholz 2008-04-29 17:52:21 0000 -------
I'll set this back to B3 because the "privilege escalation" means that when you
open the terminal in someone else's X server, the attacker can execute code
with your privileges.
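
The fallback discussed in comments #2 and #15, as an added C example that is not part of this bug thread and is not the Eterm patch: an application that guesses `:0` when no display is named, beside a variant that refuses to start instead. The function names and the `-display` option are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Legacy pattern: when neither the command line nor DISPLAY names a
 * display, silently fall back to ":0", whoever owns that X server. */
const char *legacy_display(const char *opt, const char *env)
{
    if (opt && *opt) return opt;
    if (env && *env) return env;
    return ":0";
}

/* Hardened pattern: use only a display the user named explicitly.
 * NULL tells the caller to abort rather than guess. An empty DISPLAY
 * is treated the same as an unset one. */
const char *strict_display(const char *opt, const char *env)
{
    if (opt && *opt) return opt;
    if (env && *env) return env;
    return NULL;
}

int main(int argc, char **argv)
{
    const char *opt = NULL;

    /* Hypothetical "-display NAME" option, for the example only. */
    for (int i = 1; i + 1 < argc; i++)
        if (strcmp(argv[i], "-display") == 0)
            opt = argv[i + 1];

    const char *name = strict_display(opt, getenv("DISPLAY"));
    if (name == NULL) {
        fprintf(stderr, "no display specified; refusing to guess :0\n");
        return 1;
    }
    /* A real client would pass `name` to XOpenDisplay() here. */
    printf("would connect to %s\n", name);
    return 0;
}
```
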

------- Comment #16 From Tobias Heinlein 2008-05-07 18:59:29 0000 -------
GLSA 200805-03
