Red Hat Bugzilla – Bug 441458
CVE-2008-1692 eterm: unsafe defaulting to using :0 when DISPLAY is unset
Last modified: 2008-11-16 04:48:21 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1692 to the following vulnerability:
Eterm 0.9.4 opens an xterm on :0 if -display is not specified and the DISPLAY environment variable is not set, which might allow local users to hijack X11 connections.
Confirmed on eterm-0.9.4-8.fc8
This issue is generally considered to have a very low security impact. See
discussion on the oss-security mailing list.
It may still be worth changing /removing this unsafe default behavior in Rawhide
for future versions of Fedora.
Possible patch attached in Debian bug report.
Thanks for the report!
Build available in koji:
Will be included in F9 proper or as update.
An update release to fix bug # 467553 also fixed this issue for all active
releases: F8, F9 and F10.
What's the policy, can I close this ticket or should Security Response Team
verify and possibly close it?
Upstream seems to have fixed this in 0.95, so fixed upstream version went to stable Fedora even before bug #467553, via:
Just a note, -2 is not in F10 yet, but it does not really matter with respect to this bug, as -1 already is. Hence closing this.