Message-Id: <199809130932.LAA02989@semyam.dinoco.de>
To: andrew@squiz.co.nz
cc: Jay Tribick, freebsd-security@FreeBSD.ORG, seggers@semyam.dinoco.de
Subject: Re: Err.. cat exploit.. (!)
In-reply-to: Your message of "Fri, 11 Sep 1998 07:39:59 +1200."
Date: Sun, 13 Sep 1998 11:32:39 +0200
From: Stefan Eggers

> about xterm escape sequences and so forth, but scanning through the
> man page for xterm, the 'string' action stands out as potentially highly
> dangerous unless care has been taken to limit its impact.

As I understand it these actions are meant for use in X resources to
bind keys to certain actions. So if one makes sure that the resources
are only loaded with user-specified ones (as Xsession - which is used by
xdm - seems to do if one doesn't have an ~/.xsession) and the X server
disallows all accesses to other users, only oneself can have set these.

Or do I misunderstand something here?

Stefan.
-- 
Stefan Eggers                 Lu4 yao2 zhi1 ma3 li4,
Max-Slevogt-Str. 1            ri4 jiu3 jian4 ren2 xin1.
51109 Koeln
Federal Republic of Germany
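
Added example, not part of the original message: a small audit helper that lists which translation resources bind a key to the xterm `string()` action discussed above, so a user can confirm that only bindings they set themselves are loaded. The sample resource text and the function names are constructed for illustration; the parser assumes X resource file syntax (`!` comments, backslash line continuation, `\n` between translation entries).

```python
import re

# Constructed sample in X resource syntax (not taken from the original post).
SAMPLE = r'''
! comment line
XTerm*VT100.translations: #override \n\
    <Key>F1: string("ls -l") string(0x0d) \n\
    Shift <Key>Prior: scroll-back(1,page)
XTerm*scrollBar: true
*VT100*translations: #override <Key>F2: string("exit")
'''

# string("quoted text") or string(0x0d); the quoted form may contain ')' or ':'.
ACTION = re.compile(r'\bstring\s*\(\s*("[^"]*"|[^)\s]*)\s*\)')

def logical_lines(text):
    """Join physical lines ending in a backslash continuation; skip '!' comments."""
    buf = ""
    for line in text.splitlines():
        if not buf and line.lstrip().startswith("!"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        if buf.strip():
            yield buf
        buf = ""
    if buf.strip():
        yield buf

def find_string_bindings(text):
    """Return (resource, event, [string() arguments]) for each such key binding."""
    findings = []
    for entry in logical_lines(text):
        name, sep, value = entry.partition(":")
        if not sep or "translations" not in name.lower():
            continue
        # Translation entries are separated by the two-character escape \n.
        for binding in value.split("\\n"):
            event, sep, actions = binding.partition(":")
            args = [m.group(1) for m in ACTION.finditer(actions)]
            if sep and args:
                event = event.replace("#override", "").strip()
                findings.append((name.strip(), event, args))
    return findings

if __name__ == "__main__":
    for resource, event, args in find_string_bindings(SAMPLE):
        print(f"{resource}: {event} -> string({', '.join(args)})")
```

The same function can be pointed at the text of `~/.Xresources` or at saved output of `xrdb -query`; whether other users can reach the server at all is a separate check (`xhost` prints the current access control state).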