CVE-2006-7236

NameCVE-2006-7236
DescriptionThe default configuration of xterm on Debian GNU/Linux sid and possibly Ubuntu enables the allowWindowOps resource, which allows user-assisted attackers to execute arbitrary code or have unspecified other impact via escape sequences.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDTSA-182-1
Debian Bugs510030

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xterm (PTS)jessie, jessie (lts)312-2+deb8u4fixed
stretch (security), stretch (lts), stretch327-2+deb9u3fixed
buster344-1+deb10u2fixed
bullseye366-1+deb11u1fixed
bookworm379-1fixed
sid, trixie395-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
xtermsourceetch(not affected)
xtermsourcelenny235-2DTSA-182-1
xtermsource(unstable)238-1medium510030

Notes

[etch] - xterm <not-affected> (allowWindowOps disabled in configuration)
Somewhat mitigated by a filter for control characters in
post-etch versions.
Search for package or bug name: Reporting problems