Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1692 to the following vulnerability: Eterm 0.9.4 opens an xterm on :0 if -display is not specified and the DISPLAY environment variable is not set, which might allow local users to hijack X11 connections. References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=473127 http://secunia.com/advisories/29577
Confirmed on eterm-0.9.4-8.fc8. This issue is generally considered to have a very low security impact. See discussion on the oss-security mailing list. http://www.openwall.com/lists/oss-security/2008/03/04/1 http://marc.info/?l=oss-security&m=120464342901584&w=4 http://marc.info/?l=oss-security&m=120483883801309&w=4 It may still be worth changing/removing this unsafe default behavior in Rawhide for future versions of Fedora. Possible patch attached in Debian bug report.
Thanks for the report! Build available in koji: http://koji.fedoraproject.org/koji/buildinfo?buildID=45498 Will be included in F9 proper or as update.
An update release to fix bug #467553 also fixed this issue for all active releases: F8, F9 and F10. What's the policy, can I close this ticket or should Security Response Team verify and possibly close it?
Upstream seems to have fixed this in 0.95, so fixed upstream version went to stable Fedora even before bug #467553, via: https://admin.fedoraproject.org/updates/F8/FEDORA-2008-7549 https://admin.fedoraproject.org/updates/F9/FEDORA-2008-7500 Just a note, -2 is not in F10 yet, but it does not really matter with respect to this bug, as -1 already is. Hence closing this.