COMMAND

    kvt

SYSTEMS AFFECTED

    KDE

PROBLEM

    Sebastian Wain posted the following.   xterm has a feature to change
    the title of its window: you send it one  of the xterm escape codes
    (on Linux see "man console_codes").  For example:

        ESC]2;This is my Xterm^G

    This escape code changes the xterm's title to "This is my Xterm".

    Obviously the same works with kvt (the KDE Virtual Terminal),  but
    kvt has a buffer overflow: if the new window title is big  enough,
    kvt dumps core.  The bug is a "reverse exploit", i.e. it is trigg-
    ered by data that some other program sends to the kvt.  For  exam-
    ple, when someone connects to an ftp server, the server sends  its
    welcome message; it is easy to exploit  this bug by  changing  the
    welcome message (in the .message file) to one containing this  es-
    cape code, causing the overflow in the client's terminal.

    Another way to cause the overflow on your machine is simply to run
    "cat hosts", where hosts is a file you received by mail that  con-
    tains the "change window title" escape code.  Viewing an untrusted
    file with "cat -v" or "less" (both show control characters as  ^[
    instead of passing them to the terminal) avoids this.

    This bug illustrates kvt's exposure to input that is "reverse  ex-
    ploited" through another program's output, or sent directly to the
    terminal (if the attacker can write to your kvt).  If the overflow
    is exploited, the attacker obtains the privileges  of  the  kvt's
    owner and can execute arbitrary code as that user.  The  bug  was
    reported to the KDE team by Larry Granroth in January:

        http://bugs.kde.org/db/33/332.html

    According to Simone Piunno, xterm (version 3.3.2.3) also dumps core.
    He tried this with:

        echo -e "\033]2;(60e+06 times 'a')\007"

    where the parenthesised part stands for 60,000,000 'a' characters.

    Konsole seems to resist even such a long string.   Further  tests
    showed:

        xterm 3.3.3.1b(88b) does NOT crash
        Eterm 0.8.9 does NOT crash
        wterm 6.2.7 does NOT crash
        kvt 0.18.7 DOES crash
        konsole 0.9.10 does NOT crash
        rxvt 2.4.7 does NOT crash
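    The bug class above, as an added illustration (this is not kvt's,
    xterm's or Konsole's code): a minimal parser for the OSC 2 title
    sequence  ESC ] 2 ; title BEL  written the unsafe way, beside a
    bounded version that truncates the title to its buffer, always
    NUL-terminates it, and still consumes the rest of the sequence so
    the bytes after an over-long title are not misread as more output.
    The buffer size TITLE_MAX, the function names and the constructed
    60,000,000-character test input are assumptions of this example;
    the length mirrors the string Simone Piunno used.

```c
/* Added example: OSC 2 ("set window title") parsing, unsafe vs bounded.
 * Not kvt's or xterm's code; TITLE_MAX and the names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TITLE_MAX 64   /* assumed fixed-size title buffer in the emulator */

#define ESC 0x1b
#define BEL 0x07

/* Matches the 4-byte prefix ESC ] 2 ; that opens the title sequence. */
static int has_osc2_prefix(const unsigned char *in, size_t len)
{
    return len >= 4 && in[0] == ESC && in[1] == ']' && in[2] == '2' && in[3] == ';';
}

/* Unsafe: the shape of the kvt bug.  Copies the title until BEL with no
 * bound, so a long title writes past the end of 'title'.  Returns bytes
 * consumed including BEL, or 0 if the sequence is incomplete.
 * Never call this with a title longer than the caller's buffer. */
static size_t parse_title_unsafe(const unsigned char *in, size_t len, char *title)
{
    size_t i, n = 0;
    if (!has_osc2_prefix(in, len))
        return 0;
    for (i = 4; i < len; i++) {
        if (in[i] == BEL) {
            title[n] = '\0';
            return i + 1;
        }
        title[n++] = (char)in[i];      /* unbounded write: the overflow */
    }
    return 0;
}

/* Bounded: same contract plus the buffer capacity.  Keeps at most cap-1
 * bytes, always NUL-terminates, and keeps scanning to the terminator so
 * the bytes after an over-long title are not misread as more title.
 * Accepts BEL or the ST terminator (ESC \), both valid for OSC. */
static size_t parse_title_safe(const unsigned char *in, size_t len,
                               char *title, size_t cap)
{
    size_t i, n = 0;
    if (cap == 0)
        return 0;
    title[0] = '\0';
    if (!has_osc2_prefix(in, len))
        return 0;
    for (i = 4; i < len; i++) {
        unsigned char c = in[i];
        if (c == BEL) {
            title[n] = '\0';
            return i + 1;
        }
        if (c == ESC && i + 1 < len && in[i + 1] == '\\') {
            title[n] = '\0';
            return i + 2;
        }
        if (n < cap - 1)
            title[n++] = (char)c;      /* excess bytes are dropped, not written */
    }
    title[0] = '\0';                   /* incomplete: report nothing consumed */
    return 0;
}

/* Constructed sample input: ESC ] 2 ; followed by n 'a's and BEL.
 * Caller frees.  n = 60000000 mirrors the size used in the report. */
static unsigned char *make_title_seq(size_t n, size_t *out_len)
{
    unsigned char *buf = malloc(n + 5);
    if (!buf)
        return NULL;
    memcpy(buf, "\x1b]2;", 4);
    memset(buf + 4, 'a', n);
    buf[4 + n] = BEL;
    *out_len = n + 5;
    return buf;
}

/* Feed a constructed n-character title through the bounded parser.  Returns
 * bytes consumed (0 on failure); the truncated title is left in 'title'. */
static size_t safe_parse_n(size_t n, char *title, size_t cap)
{
    size_t len, used;
    unsigned char *seq = make_title_seq(n, &len);
    if (!seq)
        return 0;
    used = parse_title_safe(seq, len, title, cap);
    free(seq);
    return used;
}

int main(void)
{
    char title[TITLE_MAX];
    size_t used = safe_parse_n(60000000, title, sizeof title);
    printf("consumed %zu bytes, kept %zu title bytes\n", used, strlen(title));
    return 0;
}
```

    With the 60,000,000-character title the bounded parser keeps 63
    bytes and reports all 60,000,005 input bytes consumed, so parsing
    resumes at the right place afterwards; the unsafe parser must never
    be given that input, as it would write 60 MB past its buffer.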

SOLUTION

    The newer KDE version does not have this bug: kvt  was  replaced
    entirely by Konsole.  But KDE as installed with RedHat 6.0  still
    has this bug.

    A patch for fvwm-2.2.2, which hangs on a long xterm window name:

    *** events.c.orig	Mon Oct  4 11:36:49 1999
    --- events.c	Sun Oct  3 01:28:41 1999
    ***************
    *** 476,481 ****
    --- 476,485 ----
            free_window_names (Tmp_win, True, False);
    
            Tmp_win->name = (char *)text_prop.value;
    +       if (Tmp_win->name && strlen(Tmp_win->name) > 200)
    + 	/* limit to prevent hanging X server */
    + 	Tmp_win->name[200] = 0;
    +
            if (Tmp_win->name == NULL)
              Tmp_win->name = NoName;
            BroadcastName(M_WINDOW_NAME,Tmp_win->w,Tmp_win->frame,
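    Review bot: the cutoff 200 in `strlen(Tmp_win->name) > 200` / `Tmp_win->name[200] = 0;` is a bare literal that the icon-name hunk repeats; define it once (for instance `#define MAX_WINDOW_NAME 200`) so the two limits cannot drift apart. The comment says the limit prevents the X server from hanging while the description above says fvwm hangs on a long name; state which it is, since that decides whether truncating in fvwm is the right fix. Cutting at a fixed byte offset can also split a multibyte character when text_prop.value is not plain STRING, which deserves a note if that encoding can occur here.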
    ***************
    *** 503,508 ****
    --- 507,515 ----
  	    return;
            free_window_names (Tmp_win, False, True);
            Tmp_win->icon_name = (char *) text_prop.value;
    +       if (Tmp_win->icon_name && strlen(Tmp_win->icon_name) > 200)
    + 	/* limit to prevent hanging X server */
    + 	Tmp_win->icon_name[200] = 0;
            if (Tmp_win->icon_name == NULL)
              Tmp_win->icon_name = NoName;
            BroadcastName(M_ICON_NAME,Tmp_win->w,Tmp_win->frame,
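    Review bot: this is the same three-line NULL guard and truncation as in the name hunk, pasted with the same 200 literal; a small helper such as `truncate_name(char *s, size_t max)` called from both places would keep the two behaviours identical and leave one spot to adjust. The added block also carries the same "prevent hanging X server" comment, so whichever component actually hangs should be named consistently in both.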