Date: Thu, 27 Mar 2008 03:03:22 +0100 From: Robert Buchholz <rbu@...too.org> To: oss-security@...ts.openwall.com Subject: Re: request CVE id: insecure handling of DISPLAY in rxvt On Tuesday 04 March 2008, Nico Golde wrote: > It should be a good idea to check other terminal emulators > as well. The same issue also exists in: aterm, tested 1.0.1 eterm, tested 0.9.4 mrxvt, tested 0.5.3 multi-aterm, tested 0.2.1 rxvt-unicode, tested 8.3 and 8.9 wterm, tested with 6.2.9 This is almost half of the terminal emulators I tried. There are probably tons of other X applications doing this, not all with the impact of a shell, but many allow starting other programs one way or another. Reading the attack vector, I would consider it a vulnerability, but looking at the amount of programs that fall into this category, I'm worried how many programs do this and if the low impact is really worth fixing all of them. Robert Download attachment "signature.asc " of type "application/pgp-signature" (190 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.