|
|
Date: Mon, 08 May 2017 08:31:41 -0400
From: Ryan Munz <gcoc.devops@...il.com>
To: <oss-security@...ts.openwall.com>
Subject: Re: terminal emulators' processing of escape sequences
iTerm2 would be another excellent test target as it is very popular.
On 5/7/17, 10:03 PM, "Shiz" <hi@...z.me> wrote:
> On 1 May 2017, at 18:44, Solar Designer <solar@...nwall.com> wrote:
>
> Unfortunately, I did not record which terminal emulators did not crash
> for me. However, Jason recorded both kinds of results for him, coming
> up with:
>
> Konsole: no crash
> Xterm: no crash
> rxvt: crash
> Yakuake: no crash
> Mosh (which is a terminal emulator, after all): no crash
> Screen: 100% CPU usage --> DoS
> rxvt-unicode: no crash
> Qterminal: no crash
> putty: no crash
>
> This adds "screen" to terminal emulators with problematic processing of
> terminal escapes. Due to minor known impact, we did not handle this
> under embargo - it should be investigated and fixed now, in public.
Despite not being open source and thus unfit for the list, I can confirm this
also causes high CPU usage for macOS Terminal.app, version 2.7.1 (387),
as shipped on macOS 10.12.1.
- Shiz
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.