[ANNOUNCEMENT] xterm 348-1

Brian Inglis Brian.Inglis@SystematicSw.ab.ca
Thu Nov 7 17:03:00 GMT 2019


On 2019-11-07 01:31, Thomas Wolff wrote:
> Am 07.11.2019 um 03:39 schrieb Takashi Yano:
>> ...
>> Wait. I have just found /etc/X11/app-defaults/XTerm has an entry
>> *VT100*eightBitInput: false
>> which is added from cygwin xterm 348-1.
>>
>> Removing this line or changing the value to true solves this issue.
>>
>> Katsumi, could you please check if this solves the issue?
> The option value of eightBitInput must not be set to false nowadays, it's a
> relic of ASCII times.
> There are a number of further questionable changes in /etc/X11/app-defaults/XTerm
> (not checked to other XTerm default entries there):
> 
>  < *backarrowKeyIsErase: true
>  < *metaSendsEscape: true
>  < *ptyInitialErase: true
>  > ! Cygwin Defaults
>  > +*backarrowKeyIsErase: true
>  > +*metaSendsEscape: true
>  > +*ptyInitialErase: true
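Review bot: the three resources moved under `! Cygwin Defaults` gain a leading `+` that nothing in this hunk explains, and `+` is not a character the X resource-name syntax accepts at the start of an entry, so a reader cannot tell whether these lines are meant to be active or disabled. If they should apply, drop the `+`; if they should be off, comment them out with `!`, as the `! Cygwin Defaults` line itself does.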
> Using the obscure "+" prefix here seems to reset the option to its default,
> regardless of the given value. Clearer configuration would be preferable.

Normal practice is to set the default value and comment out the entry.
Is this an obscure comment convention rather than !?

> Changing backarrowKeyIsErase and ptyInitialErase consistently may go unnoticed
> for most users, but it effectively switches away from the Linux habit to use DEL
> for the backarrow key, just to note.
> Setting metaSendsEscape to false makes input inconsistent. Alt+x will still enter
> ESC x (for whatever reason) but Alt+ö will enter only ö (again, for whatever
> reason). Option value true makes this consistent.
> 
>  > ! Red Hat Defaults:
>  > *allowFontOps: false
>  > *allowTcapOps: false
> The "allow*" options are meant to provide security but I see no security problem
> with these two, particularly not TcapOps (which seems to be used by vim to
> fine-tune terminal feature usage).

In a malicious script, font size could be set to tiny, text made invisible, or
foreground set to match background, to hide or obscure execution of malicious
commands, such as those exploited using bashdoor/shellshock vulnerabilities,
plus xterm *ops exec code and shell vulnerabilities:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030?
https://www.cvedetails.com/vulnerability-list/vendor_id-5838/product_id-9872/Invisible-island-Xterm.html
https://www.cvedetails.com/vulnerability-list/vendor_id-88/product_id-170/X.org-Xterm.html
https://www.cvedetails.com/vulnerability-list/vendor_id-7100/product_id-11978/Xterm-Xterm.html

>  > *VT100*eightBitInput: false
> Must be true!
>  > *VT100*scrollBar: true
> Why not, but it's a change that users may dislike.
>  > *VT100*utf8Title: true
> Probably a good idea.
>  > *termName: xterm-256color
> For applications that make a difference in colour usage depending on the TERM
> setting, this updates mega-legacy 16 colours to legacy 256 colours.
> Note that xterm also supplies a terminfo entry "xterm-direct" to reflect true
> colour support. Using it would require an update of the terminfo package, too,
> though, to get the xterm-direct entry included.

You may submit a patch to the package/file(s) on the cygwin-apps list, and
perhaps also upstream to Thomas E. Dickey, with links to the issue and
discussion, if only for info.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
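
A check for the app-defaults problems raised in this thread, as an added example that is not part of the original message or of the Cygwin xterm package: it flags entries that do not parse as X resource names (such as the `+`-prefixed lines), `eightBitInput` set to false, and any `allow*Ops` resource switched on. The function name `audit`, the finding labels and the sample file are assumptions made for the illustration.

```python
import re

# Xlib resource names: components of [A-Za-z0-9_-] (or "?") joined by "." or "*".
NAME = r'[.*]*(?:(?:\?|[A-Za-z0-9_-]+)[.*]+)*[A-Za-z0-9_-]+'
RESOURCE_LINE = re.compile(r'^(' + NAME + r')[ \t]*:[ \t]*(.*)$')
ALLOW_OP = re.compile(r'allow[A-Z][A-Za-z]*Ops')  # allowFontOps, allowTcapOps, ...
TRUE = {'true', 'on', 'yes', '1'}     # Boolean spellings Xt accepts
FALSE = {'false', 'off', 'no', '0'}

# Constructed sample: the resource lines quoted in the thread, as one file.
SAMPLE = """\
! Cygwin Defaults
+*backarrowKeyIsErase: true
+*metaSendsEscape: true
+*ptyInitialErase: true
! Red Hat Defaults:
*allowFontOps: false
*allowTcapOps: false
*VT100*eightBitInput: false
*VT100*scrollBar: true
*VT100*utf8Title: true
*termName: xterm-256color
"""


def audit(text):
    """Return (line_number, finding, line) tuples; labels are this example's own.
    Backslash line continuations are not handled."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in '!#':   # blank, comment, or #include directive
            continue
        match = RESOURCE_LINE.match(line)
        if match is None:
            findings.append((number, 'malformed', line))
            continue
        leaf = re.split(r'[.*]', match.group(1))[-1]
        value = match.group(2).lower()
        if leaf == 'eightBitInput' and value in FALSE:
            findings.append((number, 'eightBitInput-off', line))
        elif ALLOW_OP.fullmatch(leaf) and value in TRUE:
            findings.append((number, 'escape-op-enabled', line))
    return findings


if __name__ == '__main__':
    for number, finding, line in audit(SAMPLE):
        print(f'{number}: {finding}: {line}')
```
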
