Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 216833 (CVE-2008-1692) - x11-terms/eterm < 0.9.4-r1 Display Security Issue (CVE-2008-1692)
Summary: x11-terms/eterm < 0.9.4-r1 Display Security Issue (CVE-2008-1692)
Alias: CVE-2008-1692
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on:
Reported: 2008-04-08 07:38 UTC by Lars Hartmann
Modified: 2008-05-07 18:59 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Lars Hartmann 2008-04-08 07:38:09 UTC
A security issue has been reported in Eterm, which can be exploited by malicious, local users to gain escalated privileges.

For more information:

The security issue is reported in version 0.9.4. Other versions may also be affected.

Do not run Eterm on untrusted systems.

Restrict local access to trusted users only.

Provided and/or discovered by:
Reported in a Debian bug report by Bernhard R. Link.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-04-08 09:01:51 UTC
There's a patch here:

As I wrote here, this affects a lot of shells besides aterm and rxvt (which we do not have a bug for yet):
Comment 2 SpanKY gentoo-dev 2008-04-08 17:31:53 UTC
i dont think you want the term "terminals", not "shells"

but along those lines, it isnt just a terminal issue ... many many applications will attempt :0 if nothing else is set
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-04-15 23:34:07 UTC
true, we're talking terminals here, not shells. The reason it is dangerous in terminals (as opposed to other X11 applications) is that they allow you to execute code directly, whereas if someone captures your "gimp" for instance, getting it to start a shell for you is hard.

There's a patch for eterm here:

Since these bugs need fixing all over the place, we need bugs for every affected package. 
Comment 4 SpanKY gentoo-dev 2008-04-16 03:14:01 UTC
considering gimp can trivially overwrite arbitrary files via its save interface, i'd say that's just as bad as a shell when it comes to security.
Comment 5 SpanKY gentoo-dev 2008-04-16 03:26:33 UTC
ive committed the fix in question in upstream eterm cvs as well as added it to eterm-0.9.4-r1
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-04-26 16:38:32 UTC
Arches please test and mark stable x11-terms/eterm-0.9.4-r1
target "alpha amd64 arm hppa ia64 ~mips ppc ppc64 release sh sparc x86 ~x86-fbsd"

not sure about the real impact, but secunia mentions privileges escalation, so... 
Comment 7 Víctor Enríquez 2008-04-26 18:07:57 UTC

*Installation [OK] using the following USE flags.
[ebuild  N    ] x11-terms/eterm-0.9.4-r1  USE="sse2 unicode -escreen -etwin -minimal (-mmx)" 2,636 kB 
*No src_test
*Documentation: Man pages work ok.
*Functionality: [OK]
--Note: Tested on Xnest with metacity.--
Change background using tiled and scaled images [OK]
Change Font [OK]
Execute commands [OK]
Toggle transparency [FAIL] gives a error about Eterm not able to locate desktop window, this is related to Xnest I think, so it's not a problem. 
Toggle Reverse Video [OK]
Toggle Cursor visible [OK]
Eterm -> new Eterm window [OK]
Version [OK]
Status [OK]
Save user and theme settings [OK]

emerge --info: 
Portage (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.24-gentoo-r4 x86_64)
System uname: 2.6.24-gentoo-r4 x86_64 AMD Athlon(tm) 64 Processor 3200+
Timestamp of tree: Sun, 20 Apr 2008 11:30:01 +0000
app-shells/bash:     3.2_p17-r1
dev-lang/python:     2.4.4-r9
dev-python/pycrypto: 2.0.1-r6
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
CFLAGS="-march=k8 -O2 -pipe"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=k8 -O2 -pipe"
FEATURES="collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch"
LINGUAS="en es"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
USE="3dnow X a52 acl acpi alsa amd64 berkdb bzip2 cairo cdr cli cracklib crypt dbus dga dri dvdr ffmpeg flac gdbm glitz gmp gnome gpm gtk hal iconv ipv6 isdnlog ithreads jpeg lcms libnotify mad midi mmx mp3 mudflap ncurses network nls nptl nptlonly ogg opengl openmp pam pcre perl png pppd python readline reflection sdl session spell spl sse sse2 ssl startup-notification svg tcpd theora threads tiff truetype unicode v4l vorbis x264 xcomposite xorg xscreensaver xulrunner xv xvid zlib" ALSA_CARDS="emu10k1" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev keyboard mouse joystick" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en es" USERLAND="GNU" VIDEO_CARDS="nvidia none"
Comment 8 Markus Meier gentoo-dev 2008-04-26 20:29:43 UTC
amd64/x86 stable, thanks for the test Víctor.
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2008-04-27 08:31:50 UTC
ppc64 stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2008-04-27 16:15:45 UTC
alpha/ia64/sparc stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2008-04-27 20:26:33 UTC
Stable for HPPA.
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2008-04-28 17:10:18 UTC
ppc stable
Comment 13 Peter Volkov (RETIRED) gentoo-dev 2008-04-29 05:52:38 UTC
Fixed in release snapshot.
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2008-04-29 13:00:36 UTC
GLSA request filed.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-04-29 17:52:21 UTC
I'll set this back to B3 because the "privilege escalation" means that when you open the terminal in someone else's X server, the attacker can execute code with your privileges.
Comment 16 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-07 18:59:29 UTC
GLSA 200805-03