Window title, DECRQSS security

Bug #311983 reported by Paul Szabo on 2008-12-28
Affects: xterm (Ubuntu)
Importance: Medium
Assigned to: Kees Cook

Bug Description

Please see
http://bugs.debian.org/510030
for details (noting that Ubuntu is vulnerable to both DECRQSS
and to window title report).

Cheers,

Paul Szabo <email address hidden> http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

Kees Cook (kees) on 2009-01-05
Changed in xterm:
assignee: nobody → kees
importance: Undecided → Medium
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xterm - 235-1ubuntu1.1

---------------
xterm (235-1ubuntu1.1) intrepid-security; urgency=low

  * SECURITY UPDATE: command injection via dangerous terminal sequences
    (CVE-2008-2383, LP: #311983).
    - block DECRQSS, font shifting, X property changes, user-defined
      keys. Thanks to Paul Szabo and Florian Weimer.

 -- Kees Cook <email address hidden> Fri, 02 Jan 2009 11:28:08 -0800

Changed in xterm:
status: Fix Committed → Fix Released

David Sharnoff wrote :

xterm can't change its title any more. Did fixing this "bug" break this important feature? The screen program is one example of an application where changing the title is critical.

Title changes still work with gnome. Only broken with kde. Karmic.

Thomas Dickey (dickey-his) wrote :

On Sat, 12 Dec 2009, David Sharnoff wrote:

> xterm can't change it's title any more. Did this fixing this "bug"

There is a resource setting that can disable it - perhaps someone set
that. (which version of xterm are we discussing?)

> break this important feature? The screen program is one example of an
> application where changing the title critical.
>
> Title changes still work with gnome. Only broken with kde. Karmic.

I suppose it's possible that xrdb has different data in gnome/kde.
(It's simple enough to check - look at the control-right-mouse entry
for "Enable Title Ops", which must be enabled to allow this feature).

--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net

Paul Szabo (psz-maths) wrote :

>> xterm can't change it's title any more. ...
> ... look at the control-right-mouse entry for "Enable Title Ops" ...

Testing my own karmic machine: the xterm default "Allow Title Ops" is
ticked, "Allow Window Ops" is not ticked. Apparently regardless of
setting, using
  perl -e 'print "\e\]0;;bad-command;\a\e\[21t"'
does not set the title; but with "Allow Window Ops" ticked, it echoes
the bad command into the input buffer.

Cheers, Paul

Paul Szabo <email address hidden> http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

Thomas Dickey (dickey-his) wrote :

On Sat, 12 Dec 2009, Paul Szabo wrote:

>>> xterm can't change it's title any more. ...
>> ... look at the control-right-mouse entry for "Enable Title Ops" ...
>
> Testing my own karmic machine: the xterm default "Allow Title Ops" is
> ticked, "Allow Window Ops" is not ticked. Apparently regardless of

allowTitleOps doesn't have an effect on retrieving the title.
That's controlled via allowWindowOps:

        allowTitleOps (class AllowTitleOps)
                Specifies whether control sequences that modify the window
                title or icon name should be allowed. The default is "true."

        allowWindowOps (class AllowWindowOps)
                Specifies whether extended window control sequences (as used in
                dtterm) should be allowed. These include several control
                sequences which manipulate the window size or position, as well
                as reporting these values and the title or icon name. Each of
                these can be abused in a script; curiously enough most terminal
                emulators that implement these restrict only a small part of
                the repertoire. For fine-tuning, see disallowedWindowOps. The
                default is "false."

(my recent changes in-filled some empty slots in the dtterm list, but did
not alter the allowTitleOps feature, since that was separate from dtterm).

> setting, using
> perl -e 'print "\e\]0;;bad-command;\a\e\[21t"'
> does not set the title; but with "Allow Window Ops" ticked, it echoes
> the bad command into the input buffer.
>
> Cheers, Paul
>
> Paul Szabo <email address hidden> http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics University of Sydney Australia
>
> --
> Window title, DECRQSS security
> https://bugs.launchpad.net/bugs/311983
> You received this bug notification because you are subscribed to xterm
> in ubuntu.
>

--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net
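The two preceding comments describe the mechanism behind this report: an OSC sequence sets the window title to attacker-chosen text, and a dtterm window op (CSI 21 t) makes xterm type that title back into the input buffer; the changelog above additionally names DECRQSS, font changes, X property changes and user-defined keys as sequences that were blocked. The following Python filter is an added example, not code from this thread or from xterm; it is the kind of check a log viewer, a `cat`-style pager or a CI log renderer could apply to untrusted output before it reaches a terminal. The regexes for the OSC, DECRQSS (DCS $ q ... ST), DECUDK (DCS ... | ... ST) and CSI ... t families, the set of "reporting" window-op numbers, and the sample byte string are all constructed here; the sample reproduces the title-set/title-report pair from Paul Szabo's perl one-liner. It goes beyond the single CSI 21 t case in the thread by covering the other families the changelog lists.

```python
import re

# Constructed sample: the title-set / title-report pair from the perl one-liner
# in this thread (ESC ] 0 ; ... BEL  then  ESC [ 21 t), surrounded by ordinary
# text and an SGR colour change that a filter must leave alone.
SAMPLE = b"ok \x1b[31mred\x1b[0m \x1b]0;;bad-command;\x07\x1b[21t done\n"

# Window-op parameters (CSI Ps t) whose reply the terminal types back as input
# (state, position, sizes, icon label, title).  Assumed list, per the dtterm
# repertoire xterm implements.
REPORTING_WINDOW_OPS = {"11", "13", "14", "18", "19", "20", "21"}

# One regex per sequence family named in the report.  Bytes patterns with
# DOTALL so that a payload may span lines.
PATTERNS = [
    # OSC Ps ; Pt (BEL | ST): Ps 0/1/2 set icon name and title, 3 sets an X
    # property, 50 changes the font.  Group 1 is Ps, group 2 the payload.
    ("OSC", re.compile(rb"\x1b\](\d*);(.*?)(?:\x07|\x1b\\)", re.DOTALL)),
    # DCS $ q Pt ST: DECRQSS, asks the terminal to echo a setting back.
    ("DECRQSS", re.compile(rb"\x1bP\$q(.*?)\x1b\\", re.DOTALL)),
    # DCS Pc ; Pl | keys ST: DECUDK, programs user-defined keys.
    ("DECUDK", re.compile(rb"\x1bP[\d;]*\|(.*?)\x1b\\", re.DOTALL)),
    # CSI Ps t: dtterm window operations; 20 and 21 report icon label / title.
    ("CSI_t", re.compile(rb"\x1b\[(\d+(?:;\d+)*)t")),
]


def find_dangerous(data):
    """Return [(family, first parameter or payload, raw bytes), ...] for every
    sequence from PATTERNS found in data, in stream order."""
    hits = []
    for family, pat in PATTERNS:
        for m in pat.finditer(data):
            hits.append((m.start(), family, m.group(1).decode("latin-1"), m.group(0)))
    hits.sort()
    return [(family, param, raw) for _, family, param, raw in hits]


def echoes_to_input(hits):
    """True if any hit makes the terminal write a reply into the input buffer
    (title/icon report or DECRQSS), which is the primitive the injection in
    this report relies on."""
    for family, param, _ in hits:
        if family == "DECRQSS":
            return True
        if family == "CSI_t" and param.split(";")[0] in REPORTING_WINDOW_OPS:
            return True
    return False


def sanitize(data):
    """Strip every matched sequence; plain text, SGR colours and cursor
    movement pass through unchanged."""
    out = data
    for _, pat in PATTERNS:
        out = pat.sub(b"", out)
    return out


if __name__ == "__main__":
    hits = find_dangerous(SAMPLE)
    for family, param, raw in hits:
        print(family, param, raw)
    print("echoes to input:", echoes_to_input(hits))
    print(sanitize(SAMPLE))
```

On the constructed sample the filter reports an OSC with Ps 0 (the title set carrying `;bad-command;`) followed by a CSI 21 t, classifies the pair as one that echoes into the input buffer, and returns the text with only the colour sequences intact. The point of the split between `find_dangerous` and `sanitize` is that a viewer can log what it removed; and the filter is a complement to, not a substitute for, the `allowWindowOps` / `disallowedWindowOps` resources discussed above, since those govern what the terminal itself will honour.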

Paul Szabo (psz-maths) wrote :

Dear Thomas,

The "problem" is not with the meanings or descriptions of AllowTitleOps
(though a warning that "setting AllowWindowOps is insecure" is missing).

The problem is that
  perl -e 'print "\e\]0;;bad-command;\a\e\[21t"'
should set the title (then maybe retrieve it); but that setting does not
happen on Ubuntu. (The setting works fine on Debian, and there is no
retrieval because Debian sensibly barred that.)

Cheers, Paul

Paul Szabo <email address hidden> http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

Thomas Dickey (dickey-his) wrote :

On Sat, 12 Dec 2009, Paul Szabo wrote:

> Dear Thomas,
>
> The "problem" is not with the meanings or descriptions of AllowTitleOps
> (though a warning that "setting AllowWindowOps is insecure" is missing).
>
> The problem is that
> perl -e 'print "\e\]0;;bad-command;\a\e\[21t"'
> should set the title (then maybe retrieve it); but that setting does not
> happen on Ubuntu. (The setting works fine on Debian, and there is no

I understood the problem statement, and suggested one of the
possibilities, which could be checked by anyone who's able to reproduce
the problem. (Another possibility is that he's using patch #243, for
which there was already a fix - but bug reports lacking a version number
for xterm don't have enough information to do more than speculate).

--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net

David Sharnoff wrote :

Sorry, I'm using 243-1ubuntu1 -- the current version in Karmic.

Thomas Dickey (dickey-his) wrote :

On Sat, 12 Dec 2009, David Sharnoff wrote:

> Sorry, I'm using 243-1ubuntu1 -- the current version in Karmic.

thanks (I don't have Ubuntu, so I need information to fill in between
upstream source and the package details).

--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net
