PT-2008-1125
Bernhard R. Link · Published 2008-04-07 · Updated 2024-06-15
CVE-2008-1142
CVSS v2.0
6.9
Medium
| Vector | AV:L/AC:M/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
rxvt version 2.6.4
rxvt-unicode (affected versions not specified)
mrxvt (affected versions not specified)
aterm versions prior to 1.0.1-r1
multi-aterm (affected versions not specified)
wterm (affected versions not specified)
Description
rxvt 2.6.4 and the related terminal emulators listed above open their window on display :0 when the DISPLAY environment variable is not set, instead of failing. The terminal runs with the privileges of the user who started it, so whoever controls display :0 on that host (another local user logged in at the console) can read and type into the session and thereby hijack it, with consequences for the confidentiality, integrity and availability of the victim's data. Exploitation is local only, and realistic attack scenarios require the victim to enter a command on the wrong machine, one where another user owns the console display.
Recommendations
For aterm versions prior to 1.0.1-r1, update to version 1.0.1-r1 or later.
For rxvt 2.6.4, rxvt-unicode, mrxvt, multi-aterm and wterm, update to a release that no longer falls back to :0 when DISPLAY is unset, if your distribution provides one.
Until a fixed release is available, do not start these emulators with DISPLAY unset: set DISPLAY explicitly, or launch them through a wrapper that refuses to start when the variable is empty, so the fallback to :0 is never reached.
On multi-user hosts, keep X access control on :0 enabled (do not run `xhost +` or equivalents); a process that lacks the console user's authorization cookie then cannot open a window on that display in the first place.
At the time of writing there is no information about a fixed version for rxvt 2.6.4, rxvt-unicode, mrxvt, multi-aterm or wterm.
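The wrapper workaround described above, as an added example that is not part of the advisory or of any of the affected projects. It assumes the real terminal binary is passed as the first argument (for example `safe_term rxvt -e bash`); the names `display_is_safe` and `safe_term` are our own. Besides refusing an unset or empty DISPLAY, it also refuses a bare local display such as `:0` when `SSH_CONNECTION` indicates the shell is a remote login, since that combination is the "command on the wrong machine" case the advisory warns about.

```shell
#!/bin/sh
# Wrapper that never lets a terminal emulator fall back to :0 on its own.
# Added example; not code from rxvt, aterm or the advisory.

# display_is_safe: return 0 when $DISPLAY names a display the caller
# clearly intended, 1 otherwise. Diagnostics go to stderr.
display_is_safe() {
    # Unset or empty DISPLAY is exactly the condition under which the
    # affected emulators silently pick :0, so we stop here.
    if [ -z "${DISPLAY-}" ]; then
        echo "refusing to start: DISPLAY is not set" >&2
        return 1
    fi
    case "$DISPLAY" in
        :*)
            # A bare local display (":N") inside an SSH session means the
            # window would appear on the remote host's console, not ours.
            # An X-forwarded session normally looks like "localhost:10.0".
            if [ -n "${SSH_CONNECTION-}" ]; then
                echo "refusing to start: local display $DISPLAY inside an SSH session" >&2
                return 1
            fi
            ;;
    esac
    return 0
}

# safe_term: run the real terminal emulator only after the check passes.
# Usage: safe_term <terminal-binary> [args...]
safe_term() {
    term=$1
    shift
    display_is_safe || return 1
    exec "$term" "$@"
}
```

Install it as the command users actually type (an alias or a script earlier in PATH), so the emulator's own fallback path is never exercised. The SSH check is a heuristic: forwarded displays without a host part are rare but possible, in which case drop that branch and keep only the empty-DISPLAY refusal.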
Affected Products
Aterm
Mrxvt
Multi-Aterm
Rxvt
Rxvt-Unicode
Wterm