From 883b2660af38b96403559ec253401feca03927a6 Mon Sep 17 00:00:00 2001 From: Michael Jennings Date: Wed, 14 May 2008 23:16:54 +0000 Subject: Wed May 14 16:09:04 2008 Michael Jennings (mej) (Correct) fix for CVE-2008-1692. Eterm no longer defaults to using ":0" for $DISPLAY due to the possibility that an attacker can create a fake X server on a shared system, intercept the Eterm X connection, and send fake keystrokes to the victim's Eterm to execute arbitrary commands as that user. The previous fix, while it did indeed correct the vulnerability, broke the --display option. The original fix from Bernhard Link was more correct, albeit not quite on target. ---------------------------------------------------------------------- SVN revision: 34574 --- ChangeLog | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index cf8cb51..09fd044 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5565,3 +5565,15 @@ Wed May 14 15:26:13 2008 Michael Jennings (mej) Patch from Emmanuel Anne to fix cut/paste with KDE applications. ---------------------------------------------------------------------- +Wed May 14 16:09:04 2008 Michael Jennings (mej) + +(Correct) fix for CVE-2008-1692. Eterm no longer defaults to using +":0" for $DISPLAY due to the possibility that an attacker can create a +fake X server on a shared system, intercept the Eterm X connection, +and send fake keystrokes to the victim's Eterm to execute arbitrary +commands as that user. + +The previous fix, while it did indeed correct the vulnerability, broke +the --display option. The original fix from Bernhard Link was more +correct, albeit not quite on target. +---------------------------------------------------------------------- -- cgit v1.2.1
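Review bot: This view is limited to ChangeLog ("1 file changed, 12 insertions(+)"), so the hunk records only the description and the source change that drops the ":0" fallback and restores --display is not visible here; it should be reviewed together with this entry. Since the previous attempt fixed the CVE but broke --display, the entry would also be more useful if it named the file or option-parsing code touched, and a check that an explicit --display still overrides $DISPLAY would guard against a repeat of that regression.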
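As an added example (not Eterm's code), the selection rule the entry describes: an explicit --display argument wins, $DISPLAY is used next, and with neither set the program refuses rather than silently falling back to ":0". The function names, return codes and the legacy comparison helper are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: where the chosen display came from. */
#define DISPLAY_UNSET        0
#define DISPLAY_FROM_OPTION  1
#define DISPLAY_FROM_ENV     2

/* Hardened selection: --display first, then $DISPLAY, otherwise refuse.
 * Returns the origin code, or -1 when the value does not fit in out. */
int resolve_display(const char *opt_display, const char *env_display,
                    char *out, size_t outlen)
{
    const char *src = NULL;
    int origin = DISPLAY_UNSET;

    if (opt_display && *opt_display) {          /* explicit option wins */
        src = opt_display;
        origin = DISPLAY_FROM_OPTION;
    } else if (env_display && *env_display) {   /* then the environment */
        src = env_display;
        origin = DISPLAY_FROM_ENV;
    }
    if (out && outlen)
        out[0] = '\0';
    if (src == NULL)
        return DISPLAY_UNSET;   /* no ":0" default: caller must report and exit */
    if (!out || strlen(src) >= outlen)
        return -1;
    memcpy(out, src, strlen(src) + 1);          /* length checked above */
    return origin;
}

/* Pre-fix behaviour, kept only for comparison: an unset $DISPLAY silently
 * became ":0", the value a fake server on a shared host could be listening on. */
const char *legacy_display(const char *env_display)
{
    return (env_display && *env_display) ? env_display : ":0";
}

/* Convenience wrapper: resolved display string, or NULL when nothing is set. */
const char *pick_display(const char *opt_display, const char *env_display)
{
    static char buf[256];
    return resolve_display(opt_display, env_display, buf, sizeof buf) > 0 ? buf : NULL;
}

int main(void)
{
    const char *d = pick_display(NULL, getenv("DISPLAY"));
    if (!d) { fputs("no --display and DISPLAY unset; refusing to guess\n", stderr); return 1; }
    printf("connecting to %s\n", d);
    return 0;
}
```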