Bug 479000 - CVE-2008-2383 xterm: arbitrary command injection
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: xterm
Version: 10
Hardware: All Linux
Priority: urgent
Severity: urgent
Assigned To: Miroslav Lichvar
QA Contact: Fedora Extras Quality Assurance
Keywords: Security
Reported: 2009-01-06 07:53 EST by Christoph Höger
Modified: 2009-01-07 04:24 EST
Doc Type: Bug Fix
Last Closed: 2009-01-07 04:12:11 EST

Description Christoph Höger 2009-01-06 07:53:33 EST
Description of problem:
xterm has a security hole that allows attackers to modify files that are displayed in xterm in a way that causes xterm to execute arbitrary commands

Version-Release number of selected component (if applicable):
xterm-237-1.fc10.i386

How reproducible:
always

Steps to Reproduce:
1.  open xterm
2.  perl -e 'print "\eP\$q\nwhoami\n\e\\"' > bla.log
3.  cat bla.log

  
Actual results:
whoami is executed

Expected results:
that should not happen

Additional info:
see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030
there seems to be a patch
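
A defensive check for the file from the steps above, as an added example that is not part of the original report: this Python code finds Device Control Strings (ESC P ... ESC \) in data before it is sent to a terminal and renders control bytes in visible form, as `cat -v` does. The function names and the benign log line are assumptions made for the illustration; only the 7-bit ESC P form is matched.

```python
import re

# A 7-bit Device Control String starts with ESC P and runs to the String
# Terminator ESC \. End of data also closes the match so that an
# unterminated string is still reported.
DCS_RE = re.compile(rb"\x1bP(.*?)(\x1b\\|\Z)", re.DOTALL)


def find_dcs(data: bytes):
    """Return (offset, body, is_status_request, terminated) for each DCS found."""
    hits = []
    for m in DCS_RE.finditer(data):
        body = m.group(1)
        # "$q" introduces a Request Status String (DECRQSS), the request
        # used in the reproduction steps.
        hits.append((m.start(), body, body.startswith(b"$q"), bool(m.group(2))))
    return hits


def neutralize(data: bytes) -> str:
    """Render control bytes visibly so a terminal never interprets them."""
    out = []
    for b in data:
        if b in (0x09, 0x0A):          # keep tab and newline readable
            out.append(chr(b))
        elif b < 0x20:                 # C0 controls, ESC becomes ^[
            out.append("^" + chr(b + 0x40))
        elif b == 0x7F:
            out.append("^?")
        elif b >= 0x80:                # show high bytes as hex
            out.append("\\x%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


# Bytes written to bla.log by step 2 of the report.
SAMPLE = b"\x1bP$q\nwhoami\n\x1b\\"
# Constructed benign log line for comparison.
BENIGN = b"2009-01-06 07:53 service started\n"

if __name__ == "__main__":
    for name, blob in (("bla.log", SAMPLE), ("benign.log", BENIGN)):
        hits = find_dcs(blob)
        print(name, "suspicious" if hits else "clean", hits)
        print(neutralize(blob), end="")
```
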
Comment 1 Fedora Update System 2009-01-06 09:35:18 EST
xterm-238-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/xterm-238-1.fc10
Comment 2 Fedora Update System 2009-01-06 09:36:55 EST
xterm-238-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/xterm-238-1.fc9
Comment 3 Fedora Update System 2009-01-06 09:38:05 EST
xterm-238-1.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/xterm-238-1.fc8
Comment 4 Fedora Update System 2009-01-07 04:12:09 EST
xterm-238-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2009-01-07 04:16:46 EST
xterm-238-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2009-01-07 04:24:57 EST
xterm-238-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
