Re: request CVE id: insecure handling of DISPLAY in rxvt

[Nico Golde <oss-security+ml () ngolde de>]

Hi Matthieu,
* Matthieu Herrb <matthieu.herrb () laas fr> [2008-03-05 12:54]:
> Nico Golde wrote:
> > Steve, can I get a CVE id for the following issue in rxvt?
> > "If the DISPLAY environment is not set, rxvt opens an xterm on :0, which on 
> > some headless login-server means anyone can setup an fake X server waiting for 
> > someone loggin in without X forwarding to start rxvt by some mistake or by 
> > some program (thus without even noticing) and getting full shell access to 
> > that other account."
> > This is Debian bug 469296[0].
> > It should be a good idea to check other terminal emulators as well.
> > [0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469296
>
> I don't understand how that's an issue with rxvt. If you "fix" the terminal 
> emulator not to that, yo can still run rxvt -display :0 or env DISPLAY=:0 rxvt.

Sure but what's your point? It still looks different to me 
if the user is forced to enable that or if it's done in the 
background without him noticing it.

> But then  I also don't understant what you mean by "setup an fake X server 
> waiting for someone loggin in..."

He basically meant starting an X server on :0.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: _bin
Description: