oss-sec mailing list archives
Re: request CVE id: insecure handling of DISPLAY in rxvt
From: Robert Buchholz <rbu () gentoo org>
Date: Thu, 27 Mar 2008 03:03:22 +0100
On Tuesday 04 March 2008, Nico Golde wrote:
> It should be a good idea to check other terminal emulators as well.

The same issue also exists in:
  aterm, tested 1.0.1
  eterm, tested 0.9.4
  mrxvt, tested 0.5.3
  multi-aterm, tested 0.2.1
  rxvt-unicode, tested 8.3 and 8.9
  wterm, tested with 6.2.9

This is almost half of the terminal emulators I tried. There are probably tons of other X applications doing this, not all with the impact of a shell, but many allow starting other programs one way or another.

Reading the attack vector, I would consider it a vulnerability, but looking at the amount of programs that fall into this category, I'm worried how many programs do this and if the low impact is really worth fixing all of them.

Robert