A CVE has been assigned for a security issue fixed upstream in Terminology: http://openwall.com/lists/oss-security/2016/11/07/1 The issue may already be fixed in Cauldron and I'm not sure if the version in Mageia 5 is affected.
Debian has issued an advisory for this on November 13: https://www.debian.org/security/2016/dsa-3712
URL: (none) => http://lwn.net/Vulnerabilities/706397/
Already fixed in Cauldron.
CC: (none) => mageia
Version: Cauldron => 5
I would be in favor of updating it on mga5 (0.7.0 + CVE fix patch, or syncing with the Cauldron version).
QA, can you test if we are affected? I don't think we are.
Assignee: tremyfr => qa-bugs
Backtrail for CVE-2015-8971
https://www.debian.org/security/2016/dsa-3712
https://security-tracker.debian.org/tracker/CVE-2015-8971
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=843434

I tried the test at http://www.openwall.com/lists/oss-security/2016/11/04/12
$ printf "\e]2;echo 'evil'\n\a\e]2;?\a"

terminology-1.1.0-1.mga6
On mga6 with the latest updated terminology this was the result:
$ printf "\e]2;echo 'evil'\n\a\e]2;?\a"
^[]2;Terminology^G[lcl@belexeuli ~]$ 2;Terminology
bash: 2: command not found
bash: Terminology: command not found

terminology-0.6.1-6.mga5
On mga5 with the Core version of terminology the command had no visible effect; it was ignored.
CC: (none) => tarazed25
M5/64 following Len (thanks for the example to try):
terminology-0.6.1-6.mga5 (issued version)

Under Mate, started terminology from the System Tools menu (starting it from a terminal seems weird). Its terminal window is tiny with a tiny font.
$ printf "\e]2;echo 'evil'\n\a\e]2;?\a"
$
As Len said, it did nothing.

"When it is, at some later point, displayed to the user, "echo 'evil'\n" gets written to the user's terminal's input buffer, resulting in that command being executed by the user's shell."
Not proven. To compare with MGA6.

Can someone please decide whether to update this package or not. If an update for the CVE is known, why not do it?
CC: (none) => lewyssmith
Keywords: (none) => feedback
Trying this on M6/64 just for a comparison:
terminology-1.1.0-1.mga6 [far ahead of that for Mageia 5]

FWIW, the result is not too clever:
$ printf "\e]2;echo 'evil'\n\a\e]2;?\a"
^[]2;Terminology^G[lewis@localhost ~]$ 2;Terminology

Full prompt = '[lewis@localhost ~]$' so <Enter> yields understandably:
bash: 2: command not found
bash: Terminology: command not found
$

Nothing to learn here, alas.
My previous comment merely replicated (I overlooked) Len's Comment 5.

Myself:
> Nothing to learn here, alas.
is not true. If we do the proposed update, presumably this is the result we can expect.

Repeat: Please can someone decide whether to update terminology for M5. If not, please remove this bug from the updates list. It is not in M5 Updates Testing; we have no update to test, and have been wasting time on this.
Determining if it needed to be updated was what Nicolas was asking QA to do. It looks like the answer is no. Thanks.
Status: NEW => RESOLVED
Keywords: feedback => (none)
Resolution: (none) => FIXED
CC: mageia => qa-bugs
Assignee: qa-bugs => mageia
Version: 5 => Cauldron
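
Added example, not part of the bug report and not Terminology's own code: a check that flags the two sequences used in the printf test from this thread (a title set whose text contains a control character such as a newline, and the "?" title query) in untrusted text before it is written to a terminal. The function names and the sample bytes are constructed for illustration.

```python
import re

# OSC sequence: ESC ] <number> ; <payload>, terminated by BEL or ST (ESC \).
OSC_RE = re.compile(rb"\x1b\](\d+);(.*?)(?:\x07|\x1b\\)", re.DOTALL)

# OSC 0 = icon name and window title, 1 = icon name, 2 = window title.
TITLE_CODES = {0, 1, 2}


def find_osc_risks(data: bytes):
    """Return (offset, reason) for each suspicious title sequence in data."""
    findings = []
    for m in OSC_RE.finditer(data):
        code, payload = int(m.group(1)), m.group(2)
        if code not in TITLE_CODES:
            continue
        if payload == b"?":
            # The test in the thread uses this to make the terminal report its title.
            findings.append((m.start(), "title query"))
        elif any(b < 0x20 or b == 0x7F for b in payload):
            # A newline in a title becomes an <Enter> if the title is ever echoed back.
            findings.append((m.start(), "control character in title"))
    return findings


def strip_osc(data: bytes) -> bytes:
    """Remove every OSC sequence from untrusted text before printing it."""
    return OSC_RE.sub(b"", data)


# Constructed sample: the bytes the thread's printf test emits, inside ordinary text.
SAMPLE = b"before \x1b]2;echo 'evil'\n\x07\x1b]2;?\x07 after"

if __name__ == "__main__":
    for offset, reason in find_osc_risks(SAMPLE):
        print(f"offset {offset}: {reason}")
    print(strip_osc(SAMPLE))
```

strip_osc removes only OSC sequences; other escape sequences in the input are left untouched.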