Bug 219762 - x11-terms/wterm < 6.2.9-r3 X11 Display Security Issue (CVE-2008-1142)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/29576
Whiteboard: B2 [glsa]
Reported: 2008-04-29 19:51 UTC by Matt Fleming (RETIRED)
Modified: 2008-05-07 18:59 UTC
Description Matt Fleming (RETIRED) gentoo-dev 2008-04-29 19:51:40 UTC
wterm is vulnerable to the same X11 Display issue as rxvt:

"The security issue is caused due to the program using ":0" as its X11 display
if the DISPLAY environment variable is missing. This can be exploited to
execute arbitrary commands with the privileges of the user running rxvt via a
malicious X server."

rxvt bug #217819
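
The fallback described in the quoted advisory, shown next to a stricter alternative. This is an added example, not wterm's or rxvt's actual code and not the committed patch; the function names and the choice to treat an empty DISPLAY as unset are assumptions of the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pattern from the advisory: when DISPLAY is missing, silently use ":0".
 * env_display is whatever getenv("DISPLAY") returned (hypothetical helper). */
const char *display_with_fallback(const char *env_display)
{
    if (env_display == NULL)
        return ":0";            /* implicit default: the reported issue */
    return env_display;
}

/* Stricter form: never guess a display. Returns NULL when DISPLAY is
 * unset; an empty value is also rejected (assumption of this example). */
const char *display_strict(const char *env_display)
{
    if (env_display == NULL || env_display[0] == '\0')
        return NULL;
    return env_display;
}

int main(void)
{
    const char *env = getenv("DISPLAY");
    const char *name = display_strict(env);

    if (name == NULL) {
        /* Show what the fallback pattern would have connected to. */
        fprintf(stderr,
                "DISPLAY is not set; refusing to guess (fallback would use %s)\n",
                display_with_fallback(NULL));
        return EXIT_FAILURE;
    }
    printf("would connect to X display %s\n", name);
    return EXIT_SUCCESS;
}
```
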
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-03 13:44:34 UTC
Patch committed.

Arches, please test and mark stable:
=x11-terms/wterm-6.2.9-r3
Target keywords : "ppc release sparc x86"
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2008-05-03 15:48:27 UTC
x86 stable
Comment 3 Raúl Porcel (RETIRED) gentoo-dev 2008-05-05 13:21:21 UTC
sparc stable
Comment 4 Brent Baude (RETIRED) gentoo-dev 2008-05-05 14:18:49 UTC
ppc stable
Comment 5 Peter Volkov (RETIRED) gentoo-dev 2008-05-05 19:21:54 UTC
Fixed in release snapshot.
Comment 6 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-07 18:59:49 UTC
GLSA 200805-03