Xfce Terminal: Remote arbitrary code execution

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference: GLSA 200708-07 / terminal
Release Date: August 11, 2007
Latest Revision: July 12, 2008: 02
Impact: normal
Exploitable: remote

Package             Vulnerable versions  Unaffected versions  Architecture(s)
x11-terms/terminal  < 0.2.6_p25931       >= 0.2.6_p25931      All supported architectures

Related bugreports: #184886

Synopsis

A vulnerability has been discovered in the Xfce Terminal program, allowing for the remote execution of arbitrary code.

2.  Impact Information

Background

Xfce Terminal is a console tool for the Xfce desktop environment.

Description

Lasse Karkkainen discovered that the function terminal_helper_execute() in the file terminal-helper.c does not properly escape URIs before processing them.
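One way to avoid the class of bug described above, where a URI reaches a helper command without proper escaping, is to split the helper command into an argument vector first and only then substitute the URI as a single element. This is an added example, not Xfce Terminal's code or the actual fix; the function names, the helper template "helper-browser --open %s", the scheme allowlist and the sample URI are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist check: known scheme, no whitespace or control bytes. */
static int uri_is_acceptable(const char *uri)
{
    static const char *schemes[] = { "http://", "https://", "ftp://", "mailto:" };
    size_t i;
    int ok = 0;
    for (i = 0; i < sizeof schemes / sizeof schemes[0]; i++)
        if (strncmp(uri, schemes[i], strlen(schemes[i])) == 0)
            ok = 1;
    for (; ok && *uri; uri++)
        if (isspace((unsigned char)*uri) || iscntrl((unsigned char)*uri))
            return 0;
    return ok;
}

/* Tokenize the helper template on blanks FIRST, then replace the "%s" token
 * with the URI. The URI itself is never re-parsed, so quotes or semicolons in
 * it cannot create extra arguments. tmpl is modified in place.
 * Returns argc, or -1 on rejected URI, overflow or missing placeholder. */
static int build_helper_argv(char *tmpl, const char *uri, char **argv, int max)
{
    int argc = 0, substituted = 0;
    char *tok;
    if (max < 1 || !uri_is_acceptable(uri))
        return -1;
    for (tok = strtok(tmpl, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (argc >= max - 1)
            return -1;
        if (strcmp(tok, "%s") == 0) {
            argv[argc++] = (char *)uri;
            substituted = 1;
        } else {
            argv[argc++] = tok;
        }
    }
    argv[argc] = NULL;   /* suitable for execvp(argv[0], argv), no shell involved */
    return substituted ? argc : -1;
}

int main(void)
{
    char tmpl[] = "helper-browser --open %s";   /* constructed template */
    char *argv[8];
    int n = build_helper_argv(tmpl, "https://example.test/?q=a';b", argv, 8);
    for (int i = 0; i < n; i++) printf("argv[%d] = %s\n", i, argv[i]);
    return n < 0;
}
```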

Impact

A remote attacker could entice a user to open a specially crafted link, possibly leading to the remote execution of arbitrary code with the privileges of the user running Xfce Terminal. Note that the exploit code depends on the browser used to open the crafted link.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All Xfce Terminal users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-terms/terminal-0.2.6_p25931"

4.  References



Page updated August 11, 2007

Summary: This is a Gentoo Linux Security Advisory

Security Team