oss-sec mailing list archives
Re: Re: Debian / xterm #779397
From: Marcus Meissner <meissner () suse de>
Date: Tue, 3 Mar 2015 12:45:50 +0100
On Tue, Mar 03, 2015 at 10:06:30AM +0000, Simon McVittie wrote:
> On 03/03/15 09:19, Thomas Dickey wrote:
> > | From: "Kurt Seifried" <kseifried () redhat com>
> > |
> > | $ xterm -S/dev/pts/20
> > | *** buffer overflow detected ***: /usr/bin/xterm terminated
> > |
> > | Did this get a CVE? I don't see a DSA for xterm.
> >
> > no - someone mentioned the problem in an email - nothing more was said
>
> There's some discussion on the Debian bug about whether this should be
> considered to be a security vulnerability, or just a bug.
>
> Not every buffer overflow is a vulnerability: it can only be a
> vulnerability if an attacker can trigger it.
>
> Is there any reason why it would be useful/sensible to pass untrusted
> (pseudo-terminal filename, fd) pairs to the -S option? It seems to me
> that if you're passing partially or entirely attacker-controlled
> filenames to this option, you have probably already lost.
In modern times xterm should not be setuid root, but there might be legacy systems where it is.

On Linux with /dev/pts and utempter it should not be necessary anymore for 10+ years.

Ciao, Marcus
Current thread:
- Debian / xterm #779397 Kurt Seifried (Mar 02)
- Re: Debian / xterm #779397 Thomas Dickey (Mar 03)
- Re: Re: Debian / xterm #779397 Simon McVittie (Mar 03)
- Re: Re: Debian / xterm #779397 Marcus Meissner (Mar 03)
- Re: Re: Debian / xterm #779397 Stephane Chazelas (Mar 03)
- Re: Re: Debian / xterm #779397 Simon McVittie (Mar 03)
- Re: Debian / xterm #779397 Thomas Dickey (Mar 03)