Subject: pkg/20899: x11/rxvt and maybe other terms have security issues
To: None <gnats-bugs@gnats.netbsd.org>
From: None <reed@reedmedia.net>
List: netbsd-bugs
Date: 03/26/2003 16:59:19
>Number:         20899
>Category:       pkg
>Synopsis:       x11/rxvt and maybe other terms have security issues
>Confidential:   yes
>Severity:       critical
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Wed Mar 26 17:00:00 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     
>Release:        NetBSD 1.6
>Organization:
http://bsd.reedmedia.net/
>Environment:
	
	
System: NetBSD rainier.reedmedia.net 1.6 NetBSD 1.6 (JCR-20020927) #3: Sat Sep 28 13:40:20 PDT 2002 reed@rainier.reedmedia.net:/usr/src/sys/arch/i386/compile/JCR-20020927 i386
Architecture: i386
Machine: i386
>Description:
See http://marc.theaimsgroup.com/?l=bugtraq&m=104612710031920&w=2
Please update pkgsrc/x11/rxvt to version rxvt-2.7.10.
from doc/changes:
        removed screen dump feature as it can aid as a security hole
        removed menubar escape sequence access as it can aid a security hole
        removed reporting of title and icon settings as they can aid a security
                hole

Or alternatively edit src/command.c and disable (with #if 0 )
XTerm_Menu (rxvt_menubar_dispatch) and XTerm_dumpscreen. But I think it is
better to fix than disable.

Other terms have issues too.
>How-To-Repeat:
	
>Fix:
	
>Release-Note:
>Audit-Trail:
>Unformatted: