Gentoo Logo

Xfce Terminal: Remote arbitrary code execution

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200708-07 / terminal
Release Date August 11, 2007
Latest Revision August 11, 2007: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
xfce-extra/terminal < 0.2.6_p25931 >= 0.2.6_p25931 All supported architectures

Related bugreports: #184886

Synopsis

A vulnerability has been discovered in the Xfce Terminal program, allowing for the remote execution of arbitrary code.

2.  Impact Information

Background

Xfce Terminal is a console tool for the Xfce desktop environment.

Description

Lasse Karkkainen discovered that the function terminal_helper_execute() in file terminal-helper.c does not properly escape the URIs before processing.

Impact

A remote attacker could entice a user to open a specially crafted link, possibly leading to the remote execution of arbitrary code with the privileges of the user running Xfce Terminal. Note that the exploit code depends on the browser used to open the crafted link.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All Xfce Terminal users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=xfce-extra/terminal-0.2.6_p25931"

4.  References

Print

Updated August 11, 2007

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Support OSL

Support OSL

Gentoo Centric Hosting: vr.org

VR Hosted

Tek Alchemy

Tek Alchemy

SevenL.net

SevenL.net

Global Netoptex Inc.

Global Netoptex Inc.

Bytemark

Bytemark

Linux World Expo

Linux World Expo
Copyright 2001-2008 Gentoo Foundation, Inc. Questions, Comments? Contact us.