[15166] in bugtraq
Re: [rootshell.com] Xterm DoS Attack
daemon@ATHENA.MIT.EDU (Michael Jennings)
Fri Jun 2 16:25:56 2000
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="RpDyejMaDGJhP2PU"
Content-Disposition: inline
Message-Id: <20000601192946.M6042@valinux.com>
Date: Thu, 1 Jun 2000 19:29:46 -0700
Reply-To: Michael Jennings <mej@VALINUX.COM>
From: Michael Jennings <mej@VALINUX.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.21.0006011118280.17559-100000@ruff>; from
kit@ROOTSHELL.COM on Thu, Jun 01, 2000 at 11:21:16AM -0700
--RpDyejMaDGJhP2PU
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
On Thursday, 01 June 2000, at 11:21:16 (-0700),
Kit Knox wrote:
> * xterm Denial of Service Attack
> * (C) 2000 Kit Knox <kit@rootshell.com> - 5/31/2000
> *
> * Tested against: xterm (XFree86 3.3.3.1b(88b) -- crashes
> * rxvt v2.6.1 -- consumes all available memory and then
> * crashes.
All current versions of Eterm are vulnerable. Attached are patches to
Eterm 0.8.10 and 0.9. Similar changes have been committed to 0.8.11
and 0.9.1 in CVS.
Michael
--
"Greater than the death of flesh is the death of hope, the death of
dreams. Against this peril we can never surrender."
-- G'Kar, Babylon 5
=======================================================================
Michael Jennings <mej@eterm.org> www.tcserv.com PGP Key ID: BED09971
Software Engineer, VA Linux Systems Author, Eterm (www.eterm.org)
--RpDyejMaDGJhP2PU
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="Eterm-0.8.10-DoS.patch"
Index: src/command.c
===================================================================
RCS file: /cvs/enlightenment/Eterm/src/command.c,v
retrieving revision 1.1.1.1.2.7
diff -u -r1.1.1.1.2.7 command.c
--- src/command.c 1999/11/02 16:34:35 1.1.1.1.2.7
+++ src/command.c 2000/06/02 02:06:56
@@ -4694,6 +4694,9 @@
return; /* Make sure there are 2 args left */
y = args[++i];
x = args[++i];
+ if (x > scr->width || y > scr->height) {
+ return;
+ }
XResizeWindow(Xdisplay, TermWin.parent, x, y);
break;
case 5:
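Review bot: The new check before `XResizeWindow(Xdisplay, TermWin.parent, x, y)` bounds `x` and `y` only from above, so a zero value (or a negative one, if `args` is signed) still reaches the resize call, which takes unsigned dimensions. Consider rejecting those in the same test, for example `if (x < 1 || y < 1 || x > scr->width || y > scr->height)`, and adding a short comment that oversized requests are dropped on purpose.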
@@ -4713,6 +4716,9 @@
return; /* Make sure there are 2 args left */
y = args[++i];
x = args[++i];
+ if (x > (scr->width / TermWin.fwidth) || y > (scr->height / TermWin.fheight)) {
+ return;
+ }
XResizeWindow(Xdisplay, TermWin.parent,
Width2Pixel(x) + 2 * TermWin.internalBorder + (scrollbar_visible()? scrollbar_total_width() : 0),
Height2Pixel(y) + 2 * TermWin.internalBorder + (menubar_visible()? menuBar_TotalHeight() : 0));
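Review bot: The limit in this hunk is expressed in character cells against the full screen (`scr->width / TermWin.fwidth`, `scr->height / TermWin.fheight`), but the `XResizeWindow` call below it then adds `2 * TermWin.internalBorder` plus the scrollbar width or menubar height. A request at or just under the limit therefore still asks for a window larger than the screen. Subtracting those additions from `scr->width` and `scr->height` before dividing would make the bound match the size that is actually requested.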
--RpDyejMaDGJhP2PU
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="Eterm-0.9-DoS.patch"
Index: src/term.c
===================================================================
RCS file: /cvs/enlightenment/Eterm/src/term.c,v
retrieving revision 1.33
diff -u -r1.33 term.c
--- src/term.c 2000/01/17 21:29:27 1.33
+++ src/term.c 2000/06/02 02:06:44
@@ -1232,6 +1232,8 @@
return; /* Make sure there are 2 args left */
y = args[++i];
x = args[++i];
+ UPPER_BOUND(y, scr->height);
+ UPPER_BOUND(x, scr->width);
XResizeWindow(Xdisplay, TermWin.parent, x, y);
#ifdef USE_XIM
xim_set_status_position();
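Review bot: `UPPER_BOUND` is used here but is not defined anywhere in this patch, so the hunk does not show whether an oversized `x` or `y` is capped or rejected. The 0.8.10 patch returns early for the same input, so if `UPPER_BOUND` caps the value the two branches now handle an oversized resize request differently. A one-line comment stating the intended behaviour, and confirmation that the macro is visible in `term.c`, would help; as in the 0.8.10 hunk, nothing visible here applies a lower bound.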
@@ -1254,6 +1256,8 @@
return; /* Make sure there are 2 args left */
y = args[++i];
x = args[++i];
+ UPPER_BOUND(y, scr->height / TermWin.fheight);
+ UPPER_BOUND(x, scr->width / TermWin.fwidth);
XResizeWindow(Xdisplay, TermWin.parent,
Width2Pixel(x) + 2 * TermWin.internalBorder + (scrollbar_is_visible()? scrollbar_trough_width() : 0),
Height2Pixel(y) + 2 * TermWin.internalBorder);
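Review bot: If `UPPER_BOUND` caps the value at its second argument, as the name suggests (its definition is not in the patch), then every oversized request is turned into `scr->width / TermWin.fwidth` columns and `scr->height / TermWin.fheight` rows, and the `XResizeWindow` call that follows adds `2 * TermWin.internalBorder` and the scrollbar width on top. The resulting window is then always larger than the screen by the border and scrollbar. Computing the limits from the screen size minus those additions would keep the capped window within the screen.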
--RpDyejMaDGJhP2PU--