478888 – (CVE-2008-2383) CVE-2008-2383 xterm: arbitrary command injection

Bug 478888 (CVE-2008-2383) - CVE-2008-2383 xterm: arbitrary command injection

Summary: CVE-2008-2383 xterm: arbitrary command injection

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2008-2383
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:	http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On:	478895 478896 478897 478898 478899 478954
Blocks:
TreeView+	depends on / blocked

Reported:	2009-01-05 21:08 UTC by Mark J. Cox
Modified:	2019-09-29 12:28 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2009-01-08 12:44:23 UTC
Embargoed:

Attachments	(Terms of Use)
Patch extracted from upstream (1.62 KB, patch) 2009-01-06 02:14 UTC, Josh Bressers	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2009:0018	0	normal	SHIPPED_LIVE	Important: xterm security update	2009-01-07 11:09:39 UTC
Red Hat Product Errata	RHSA-2009:0019	0	normal	SHIPPED_LIVE	Important: hanterm-xf security update	2009-01-07 13:42:50 UTC

Description Mark J. Cox 2009-01-05 21:08:18 UTC

Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2383 to the following vulnerability:

CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071.

This issue affects xterm as shipped with Red Hat Enterprise Linux 3, 4, and 5.

Comment 4 Josh Bressers 2009-01-06 02:14:48 UTC

Created attachment 328245 [details]
Patch extracted from upstream

Comment 7 Mark J. Cox 2009-01-06 10:23:08 UTC

The version of xterm as shipped in Red Hat Enterprise Linux 2.1 is not affected by this issue.

The reason is that in the older xterm version control characters such as \n characters were not allowed in a device control string.  When building up the string to pass to do_dcs, xterm uses the sos_table (VTPrsTbl.c) to parse each character.  Each valid character is set to CASE_IGNORE.  So a trace of a vulnerable (rhel-3) xterm shows:

parse 001B -> 5 ansi_table
parse 0050 -> 87 esc_table
CASE_DCS: Device Control String
parse 0024 -> 1 sos_table
CASE_IGNORE - Ignore character 24
parse 0071 -> 1 sos_table
CASE_IGNORE - Ignore character 71
parse 000D -> 1 sos_table
CASE_IGNORE - Ignore character 0D
parse 000A -> 1 sos_table
...
parse 001B -> 5 sos_table
parse 005C -> 90 esc_table
CASE_ST: End of String (18 bytes)
do_dcs($q
bad-command
:17)

But in the xterm in RHEL-2.1 control characters are not ignored:

parse 001B -> 7 ansi_table
parse 0050 -> 89 esc_table
parse 0024 -> 3 sos_table
parse 0071 -> 3 sos_table
parse 000D -> 6 sos_table
parse 000A -> 8 ansi_table
...

That renders this flaw as unexploitable on RHEL-2.1 xterm.

Comment 9 Mark J. Cox 2009-01-06 15:03:15 UTC

Updated xterm packages for Red Hat Enterprise Linux 3, 4, 5 have been built and are currently completing testing.  As soon as they have passed they will be pushed to Red Hat Network.

Comment 11 Tomas Hoger 2009-01-08 12:44:23 UTC

Issue was fixed upstream in version 238:
  http://invisible-island.net/xterm/xterm.log.html#xterm_238

Red Hat Enterprise Linux updates:
  https://rhn.redhat.com/errata/RHSA-2009-0018.html (xterm)
  https://rhn.redhat.com/errata/RHSA-2009-0019.html (hanterm-xf)

Fedora updates:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2009-0154
  https://admin.fedoraproject.org/updates/F9/FEDORA-2009-0059
  https://admin.fedoraproject.org/updates/F10/FEDORA-2009-0091

Note You need to log in before you can comment on or make changes to this bug.