Re: request CVE id: insecure handling of DISPLAY in rxvt

[Matthieu Herrb <matthieu.herrb () laas fr>]

Nico Golde wrote:
> Hi all,
> Steve, can I get a CVE id for the following issue in rxvt?
>
> "If the DISPLAY environment is not set, rxvt opens an xterm 
> on :0, which on some headless login-server means anyone can setup 
> an fake X server waiting for someone loggin in without X 
> forwarding to start rxvt by some mistake or by some program (thus 
> without even noticing) and getting full shell access to that other 
> account."
>
> This is Debian bug 469296[0].
>
> It should be a good idea to check other terminal emulators 
> as well.
>
> [0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469296

I don't understand how that's an issue with rxvt. If you "fix" the 
terminal emulator not to that, yo can still run rxvt -display :0 or env 
DISPLAY=:0 rxvt.

But then  I also don't understant what you mean by "setup an fake X 
server waiting for someone loggin in..."

Could you describe the attack scenario in  a bit more details?
--
Matthieu Herrb

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature