LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: October 20th, 2014
Linux Advisory Watch: October 17th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Ubuntu: xfce4-terminal vulnerability Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Ubuntu Lasse Kärkkäinen discovered that the Xfce Terminal did not correctly escape shell meta-characters during "Open Link" actions. If a remote attacker tricked a user into opening a specially crafted URI, they could execute arbitrary commands with the user's privileges.
=========================================================== 
Ubuntu Security Notice USN-497-1            August 14, 2007
xfce4-terminal vulnerability
CVE-2007-3770
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  xfce4-terminal                           0.2.5+r21674-0ubuntu2.1

Ubuntu 6.10:
  xfce4-terminal                           0.2.5.4-0ubuntu2.1

Ubuntu 7.04:
  xfce4-terminal                           0.2.6-0ubuntu3.1

After a standard system upgrade you need to restart your session to
effect the necessary changes.

Details follow:

Lasse Kärkkäinen discovered that the Xfce Terminal did not correctly
escape shell meta-characters during "Open Link" actions.  If a remote
attacker tricked a user into opening a specially crafted URI, they could
execute arbitrary commands with the user's privileges.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5+r21674-0ubuntu2.1.diff.gz
      Size/MD5:     7892 902a748e0c0fe963aed9f62d7492247c
    http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5+r21674-0ubuntu2.1.dsc
      Size/MD5:      982 7ab2af378e2db311101541887b3d899f
    http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5+r21674.orig.tar.gz
      Size/MD5:  1719502 202f3d5364127ee2cd3434e7fecad5d2

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5+r21674-0ubuntu2.1_amd64.deb
      Size/MD5:  1005574 5b196f5dc586000452233f215248423b

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5+r21674-0ubuntu2.1_i386.deb
      Size/MD5:   998716 7476e02c550b2876da957249e126ba91

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5+r21674-0ubuntu2.1_powerpc.deb
      Size/MD5:  1002380 eec3f73feb99b58aaef302ffa0cf24b8

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5+r21674-0ubuntu2.1_sparc.deb
      Size/MD5:  1000628 822e33229ad34eb7703051a8ea3eab88

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5.4-0ubuntu2.1.diff.gz
      Size/MD5:     7764 6759a5320fc94d1c95d2fd68dbbf974d
    http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5.4-0ubuntu2.1.dsc
      Size/MD5:      967 5556541b5e806d77a068018609d97674
    http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5.4.orig.tar.gz
      Size/MD5:  1914192 858ff414d46c2bdd695da3874ef01090

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5.4-0ubuntu2.1_amd64.deb
      Size/MD5:  1010080 607dc6c46565dac2cfa378134e5d91e2

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5.4-0ubuntu2.1_i386.deb
      Size/MD5:  1004880 343ed30f5a69e7caeb081269c7300b31

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5.4-0ubuntu2.1_powerpc.deb
      Size/MD5:  1006248 2c3e3ff2ceb6711f055b4e1af3c28607

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.5.4-0ubuntu2.1_sparc.deb
      Size/MD5:  1004086 b7744640ce68f8f8d8763dee3414ffb8

Updated packages for Ubuntu 7.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6-0ubuntu3.1.diff.gz
      Size/MD5:     8617 2ed6e7705918937831599b2c3d366777
    http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6-0ubuntu3.1.dsc
      Size/MD5:     1043 435a5294f568d44abbd907bec892e50e
    http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6.orig.tar.gz
      Size/MD5:  1989139 c93cc68cc7656dfcb57118a999b79242

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6-0ubuntu3.1_amd64.deb
      Size/MD5:  1014248 8af1dd3b37a96344c3a892de94745867

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6-0ubuntu3.1_i386.deb
      Size/MD5:  1008944 a3e14fefeecbc2b3128652b809c5a27a

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6-0ubuntu3.1_powerpc.deb
      Size/MD5:  1019758 fd1f70e5262180924f1f741f8abf79b7

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/x/xfce4-terminal/xfce4-terminal_0.2.6-0ubuntu3.1_sparc.deb
      Size/MD5:  1012044 3539fef005cc32fa15e331870b3313bb


 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
USB is now UEC (use with extreme caution)
iPhone Encryption and the Return of the Crypto Wars
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.