Bug#: 253155
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Bruno Buss <bruno.buss@gmail.com>
Description: Opened: 2008-12-30 16:41 0000
"A vulnerability has been discovered in xterm, which can be exploited by
malicious people to compromise a user's system.

The vulnerability is caused due to xterm not properly processing the DECRQSS
Device Control Request Status String escape sequence. This can be exploited to
inject and execute arbitrary shell commands by e.g. tricking a user into
displaying a malicious text file containing a specially crafted escape sequence
via the "more" command in xterm."

There is a thread in debian ml
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030) that contains a fix:
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=misc.c.patch;att=1;bug=510030
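
The injection path the report outlines, as an added example that is not part of the bug report, of xterm, or of the Debian fix: a scanner and sanitizer for DCS strings in untrusted text, written for this page. It relies on the standard framing of DECRQSS, a DCS (ESC P, or 0x90 in 8-bit mode) whose control string begins with "$q" and ends at ST (ESC \, or 0x9c), and on the general fact that a terminal writes its reply to a status request onto the tty the foreground shell reads from, so reply text containing a line break reaches the shell as a complete command line. The sample file contents are constructed for the example, the placeholder command "id" is an assumption (the report does not give the original payload), and the function names are this example's own.

```python
import re
import sys

# Constructed sample standing in for the "malicious text file" the report
# describes.  The embedded DCS is a DECRQSS request ($q) whose parameter text
# carries line breaks around a shell command.  "id" is a harmless placeholder
# chosen for this example; the report does not give the original payload.
SAMPLE = (
    b"README: nothing to see here\n"
    b"\x1bP$q\n;id;\n\x1b\\"
    b"second line of the file\n"
)

# A DCS string is opened by ESC P and closed by the string terminator ST
# (ESC \).  An unterminated DCS is taken to run to end of input: nothing after
# the introducer should reach the terminal anyway.
DCS_7BIT = re.compile(rb"\x1bP(.*?)(?:\x1b\\|\Z)", re.DOTALL)

# The 8-bit C1 forms (0x90 / 0x9c) only matter for terminals not running in
# UTF-8 mode; in UTF-8 text those bytes are ordinary continuation bytes, so
# matching them there produces false positives.  Opt in with eight_bit=True.
DCS_ANY = re.compile(rb"(?:\x1bP|\x90)(.*?)(?:\x1b\\|\x9c|\Z)", re.DOTALL)


def _pattern(eight_bit: bool):
    return DCS_ANY if eight_bit else DCS_7BIT


def find_dcs(data: bytes, eight_bit: bool = False):
    """Return (offset, control_string) for every DCS string in data."""
    return [(m.start(), m.group(1)) for m in _pattern(eight_bit).finditer(data)]


def is_decrqss(control_string: bytes) -> bool:
    """DECRQSS is the DCS whose control string begins with '$q'."""
    return control_string.startswith(b"$q")


def suspicious_decrqss(data: bytes, eight_bit: bool = False):
    """DECRQSS requests whose parameter carries CR or LF.

    A line break inside the request is what turns a reply that repeats the
    request text into a command line for the shell; a plain DECRQSS such as
    a request for DECSCL ($q"p) is normal terminal traffic and is not flagged.
    """
    return [
        (off, cs)
        for off, cs in find_dcs(data, eight_bit)
        if is_decrqss(cs) and (b"\n" in cs or b"\r" in cs)
    ]


def strip_dcs(data: bytes, eight_bit: bool = False) -> bytes:
    """Remove every DCS string so the remainder can be paged safely."""
    return _pattern(eight_bit).sub(b"", data)


def scan_file(path: str, eight_bit: bool = False) -> int:
    """Report suspicious DECRQSS requests in a file; return how many were found."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = suspicious_decrqss(data, eight_bit)
    for off, cs in hits:
        print(f"{path}: DECRQSS with line break at offset {off}: {cs!r}")
    return len(hits)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Scan the files named on the command line; exit 1 if any is suspicious.
        sys.exit(1 if sum(scan_file(p) for p in sys.argv[1:]) else 0)
    for off, cs in suspicious_decrqss(SAMPLE):
        print(f"sample: suspicious DECRQSS at offset {off}: {cs!r}")
    sys.stdout.buffer.write(strip_dcs(SAMPLE))
```

Run with file names to scan them before paging; run with no arguments to see the constructed sample flagged and then printed with the DCS removed. Stripping whole DCS strings rather than just the line breaks is deliberate: a pager has no legitimate reason to pass device control strings from a text file through to the terminal.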

------- Comment #1 From Bruno Buss 2009-01-08 12:56:44 0000 -------
Xterm 238 released:
http://invisible-island.net/xterm/xterm.log.html#xterm_238

We need a version bump here to fix the bug.

------- Comment #2 From Donnie Berkholz 2009-01-19 04:51:00 0000 -------
239 is in the tree.

------- Comment #3 From Robert Buchholz 2009-01-19 10:50:07 0000 -------
Arches, please test and mark stable:
=x11-terms/xterm-239
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

------- Comment #4 From Jeroen Roovers 2009-01-19 12:32:42 0000 -------
Stable for HPPA.

------- Comment #5 From Ferris McCormick 2009-01-19 13:22:43 0000 -------
Sparc stable.

------- Comment #6 From Brent Baude 2009-01-19 16:11:07 0000 -------
ppc64 done

------- Comment #7 From Raúl Porcel 2009-01-20 10:35:46 0000 -------
alpha/arm/ia64/s390/sh/x86 stable

------- Comment #8 From Markus Meier 2009-01-21 22:17:49 0000 -------
amd64 stable

------- Comment #9 From Tobias Scherbaum 2009-01-24 18:36:55 0000 -------
ppc stable

------- Comment #10 From Tobias Heinlein 2009-01-28 00:32:47 0000 -------
GLSA request filed.

------- Comment #11 From Pierre-Yves Rofes 2009-02-12 22:02:11 0000 -------
GLSA 200902-04
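
A local "am I affected" check, added here and not part of the bug, the GLSA, or Gentoo's tooling. It assumes that `xterm -v` prints its patch level as `XTerm(NNN)` and takes 238 as the first fixed patch level, as comment #1 states (Gentoo stabled 239). On a Gentoo host with gentoolkit installed, `glsa-check -t 200902-04` answers the same question from the GLSA itself; the script is for hosts or self-built xterms where that is not available.

```sh
#!/bin/sh
# Added example for this page, not xterm's or Gentoo's own code.
# Assumption: `xterm -v` prints a banner of the form "XTerm(NNN)".

FIXED_PATCH=238   # first xterm patch level with the DECRQSS fix (comment #1)

# Extract the numeric patch level from a banner such as "XTerm(239)".
# Prints nothing if the banner does not contain one.
xterm_patch_level() {
    printf '%s\n' "$1" | sed -n 's/.*XTerm(\([0-9][0-9]*\)).*/\1/p'
}

# Succeed (exit 0) only when the banner names a patch level >= FIXED_PATCH.
# An unparseable banner counts as not fixed, since nothing can be concluded.
xterm_is_fixed() {
    level=$(xterm_patch_level "$1")
    [ -n "$level" ] && [ "$level" -ge "$FIXED_PATCH" ]
}

# With --check, query the locally installed xterm.
if [ "${1:-}" = "--check" ]; then
    banner=$(xterm -v 2>&1 || true)
    if xterm_is_fixed "$banner"; then
        echo "ok: $banner"
    else
        echo "not fixed or unknown: $banner" >&2
        exit 1
    fi
fi
```

The version gate is the only thing the script trusts; it does not try to detect the bug by sending a DECRQSS to the running terminal, since a probe that works is itself a command injection into the shell being used.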
