Bug 478888 (CVE-2008-2383)
| Field | Value |
|---|---|
| Summary | CVE-2008-2383 xterm: arbitrary command injection |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Mark J. Cox <mjc> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | unspecified |
| CC | bressers, kreilly, mlichvar, pertusus |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| URL | http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2383 |
| Doc Type | Bug Fix |
| Last Closed | 2009-01-08 12:44:23 UTC |
| Bug Depends On | 478895, 478896, 478897, 478898, 478899, 478954 |

Description
Mark J. Cox
2009-01-05 21:08:18 UTC
Created attachment 328245
Patch extracted from upstream

The version of xterm as shipped in Red Hat Enterprise Linux 2.1 is not affected by this issue. The reason is that in the older xterm version control characters such as \n characters were not allowed in a device control string.

When building up the string to pass to do_dcs, xterm uses the sos_table (VTPrsTbl.c) to parse each character. Each valid character is set to CASE_IGNORE. So a trace of a vulnerable (rhel-3) xterm shows:

    parse 001B -> 5 ansi_table
    parse 0050 -> 87 esc_table
    CASE_DCS: Device Control String
    parse 0024 -> 1 sos_table
    CASE_IGNORE - Ignore character 24
    parse 0071 -> 1 sos_table
    CASE_IGNORE - Ignore character 71
    parse 000D -> 1 sos_table
    CASE_IGNORE - Ignore character 0D
    parse 000A -> 1 sos_table
    ...
    parse 001B -> 5 sos_table
    parse 005C -> 90 esc_table
    CASE_ST: End of String (18 bytes)
    do_dcs($q bad-command :17)

But in the xterm in RHEL-2.1 control characters are not ignored:

    parse 001B -> 7 ansi_table
    parse 0050 -> 89 esc_table
    parse 0024 -> 3 sos_table
    parse 0071 -> 3 sos_table
    parse 000D -> 6 sos_table
    parse 000A -> 8 ansi_table
    ...

That renders this flaw as unexploitable on RHEL-2.1 xterm.

Updated xterm packages for Red Hat Enterprise Linux 3, 4, 5 have been built and are currently completing testing. As soon as they have passed they will be pushed to Red Hat Network.

Issue was fixed upstream in version 238:
http://invisible-island.net/xterm/xterm.log.html#xterm_238

Red Hat Enterprise Linux updates:
https://rhn.redhat.com/errata/RHSA-2009-0018.html (xterm)
https://rhn.redhat.com/errata/RHSA-2009-0019.html (hanterm-xf)

Fedora updates:
https://admin.fedoraproject.org/updates/F8/FEDORA-2009-0154
https://admin.fedoraproject.org/updates/F9/FEDORA-2009-0059
https://admin.fedoraproject.org/updates/F10/FEDORA-2009-0091
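
Added example (not part of the bug report and not xterm code): a Python check that scans untrusted bytes, such as a log file about to be displayed in a terminal, for 7-bit device control strings (ESC P ... ESC \) that carry control characters like the 0D/0A seen in the trace above. The function names and the sample input are constructed for illustration, and 8-bit C1 introducers are assumed out of scope.

```python
"""Audit untrusted bytes for DCS strings that embed control characters."""
import re

DCS_START = b"\x1bP"   # ESC P  ("parse 001B", "parse 0050" in the trace)
ST = b"\x1b\\"         # ESC \  ("parse 001B", "parse 005C" in the trace)
CTRL = re.compile(rb"[\x00-\x1f\x7f]")


def find_dcs(data: bytes):
    """Yield (offset, body, terminated) for each 7-bit DCS string in data."""
    pos = 0
    while (start := data.find(DCS_START, pos)) != -1:
        end = data.find(ST, start + 2)
        terminated = end != -1
        body = data[start + 2:end] if terminated else data[start + 2:]
        yield start, body, terminated
        pos = end + 2 if terminated else len(data)


def audit(data: bytes):
    """Report DCS strings that are unterminated or contain control bytes."""
    findings = []
    for offset, body, terminated in find_dcs(data):
        ctrl = sorted({m.group()[0] for m in CTRL.finditer(body)})
        if ctrl or not terminated:
            findings.append({
                "offset": offset,
                # "$q" is the prefix shown in the do_dcs() trace line.
                "is_status_request": body.startswith(b"$q"),
                "control_bytes": [f"{b:02X}" for b in ctrl],
                "terminated": terminated,
            })
    return findings


def neutralise(data: bytes) -> bytes:
    """Make every escape sequence inert by showing ESC as caret notation."""
    return data.replace(b"\x1b", b"^[")


# Constructed sample: one DCS string with CR/LF inside, one without.
SAMPLE = b"line one\n\x1bP$q\r\nbad-command\r\n\x1b\\line two\n\x1bP$qm\x1b\\\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    print(neutralise(SAMPLE))
```
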