authorMichael Jennings <mej@kainx.org>2008-05-14 23:16:54 +0000
committerMichael Jennings <mej@kainx.org>2008-05-14 23:16:54 +0000
commit883b2660af38b96403559ec253401feca03927a6 (patch)
treef1ba7281dd0fdde95b3cbae493929fabe66246f4 /src
parent1b91d073181cc17cd057d4449e5ae407976f87a9 (diff)
downloadeterm-883b2660af38b96403559ec253401feca03927a6.tar.gz
Wed May 14 16:09:04 2008 Michael Jennings (mej)
(Correct) fix for CVE-2008-1692. Eterm no longer defaults to using ":0" for $DISPLAY due to the possibility that an attacker can create a fake X server on a shared system, intercept the Eterm X connection, and send fake keystrokes to the victim's Eterm to execute arbitrary commands as that user. The previous fix, while it did indeed correct the vulnerability, broke the --display option. The original fix from Bernhard Link was more correct, albeit not quite on target. ---------------------------------------------------------------------- SVN revision: 34574
Diffstat (limited to 'src')
-rw-r--r--src/startup.c12
1 files changed, 4 insertions, 8 deletions
diff --git a/src/startup.c b/src/startup.c
index e040476..8db77f8 100644
--- a/src/startup.c
+++ b/src/startup.c
@@ -95,13 +95,7 @@ eterm_bootstrap(int argc, char *argv[])
init_libast();
/* Open display, get options/resources and create the window */
- if (getenv("DISPLAY") == NULL) {
- /* do not default to any display due to security issues -- vapier
- * http://article.gmane.org/gmane.comp.security.oss.general/122
- */
- libast_print_error("can't open display: DISPLAY not set\n");
- exit(EXIT_FAILURE);
- } else {
+ if (getenv("DISPLAY") != NULL) {
display_name = STRDUP(getenv("DISPLAY"));
}
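Review bot: The rewritten `if (getenv("DISPLAY") != NULL)` branch drops the comment that explained why there is no default display, so nothing at this site records that the absent `else` is the CVE-2008-1692 fix. I would add a comment above it such as `/* No fallback to ":0" (CVE-2008-1692): display_name comes only from $DISPLAY here or from --display. */`. The fix also relies on display_name being NULL when neither source sets it; its declaration is outside this hunk, so it is worth confirming it is not initialised to a default there. As a smaller point, getenv() is called twice and the STRDUP result is not checked in the visible lines; reading the value once into a local would tidy that up. eterm_bootstrap starts and ends outside the hunk.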
@@ -119,8 +113,10 @@ eterm_bootstrap(int argc, char *argv[])
#ifdef NEED_LINUX_HACK
privileges(REVERT);
#endif
+
if (!Xdisplay && !(Xdisplay = XOpenDisplay(display_name))) {
- libast_print_error("can't open display %s\n", display_name);
+ libast_print_error("Can't open display %s. Set $DISPLAY or use --display\n",
+ NONULL(display_name));
exit(EXIT_FAILURE);
}
XSetErrorHandler((XErrorHandler) xerror_handler);
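Review bot: When neither $DISPLAY nor --display supplied a name, the new `libast_print_error("Can't open display %s. ...", NONULL(display_name))` presumably prints an empty name ("Can't open display ."), assuming NONULL maps NULL to an empty string; its definition is not in this hunk. A visible placeholder makes the unset case obvious to the user and in logs, for example `display_name ? display_name : "(none set)"` as the argument. This exit path is now the only thing that stops a start-up with no display configured, so a one-line comment saying so above `if (!Xdisplay && ...)` would help the next maintainer keep it intact. The enclosing function continues outside the hunk.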