CVE-2006-7236

NameCVE-2006-7236
DescriptionThe default configuration of xterm on Debian GNU/Linux sid and possibly Ubuntu enables the allowWindowOps resource, which allows user-assisted attackers to execute arbitrary code or have unspecified other impact via escape sequences.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDTSA-182-1
Debian Bugs510030

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xterm (PTS)bullseye366-1+deb11u1fixed
bookworm379-1fixed
sid, trixie398-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
xtermsourceetch(not affected)
xtermsourcelenny235-2DTSA-182-1
xtermsource(unstable)238-1medium510030

Notes

[etch] - xterm <not-affected> (allowWindowOps disabled in configuration)
Somewhat mitigated by a filter for control characters in
post-etch versions.
Search for package or bug name: Reporting problems