Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 18 May 2017 08:35:40 +0930
From: Simon Lees <sflees@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: terminal emulators' processing of escape sequences



On 05/02/2017 02:14 AM, Solar Designer wrote:
> Hi,
> 
> It is a well-known feature, previously discussed in here, that data
> printed to a terminal (emulator) may control that terminal, including
> making it effectively unusable until reset, and in some cases even
> pasting characters as if they were typed by the user.  Also as discussed
> what characters may be pasted varies by terminal - sometimes they can be
> arbitrary (e.g., if the terminal supports macro recording and playback
> via escape sequences) and sometimes not so (like a terminal reporting
> back its status, usually not followed by a linefeed, so not yet
> executing a shell command until further user assistance).  Here are some
> relevant threads:
> 
> http://www.openwall.com/lists/oss-security/2015/08/11/8
> http://www.openwall.com/lists/oss-security/2015/09/17/5
> http://www.openwall.com/lists/oss-security/2016/11/04/12
> 
> (I link to messages that started these threads, not necessarily to most
> informative messages in the threads.  So you might want to go through
> the threads with the "thread-next" links.)
> 
> Besides (mis)features, there may also be implementation bugs.  A couple
> of weeks ago, I brought in here vulnerabilities in terminal escape
> handling in minicom and prl-vzvncserver (both already fixed in latest
> versions by then):
> 
> http://www.openwall.com/lists/oss-security/2017/04/18/5
> 
> I already knew this wouldn't be the end of the story as some other
> terminal emulators exhibited suspicious behavior when targeted with
> streams of unusual escape sequences involving large or negative integer
> parameters.  I sent the following to the distros list on April 17,
> presented here with updates reflecting the current status.
> 
> 
> terminology:
> 
> ---
> ERR<10676>:termpty termptyesc.c:1115 _handle_esc_csi() unhandled CSI 'x': 2147483647;0x
> ERR<10676>:termpty termptyesc.c:1115 _handle_esc_csi() unhandled CSI 'x': 2147483647;0x
> ERR<10676>:termpty termptyesc.c:1115 _handle_esc_csi() unhandled CSI 'x': 2147483647;0x
> ---
> 

For reference terminology was fixed with this commit
https://phab.enlightenment.org/rTRM63d65ed4bb06094e6a8b6cafdc7c4cbfc62dd677

Thanks

-- 

Simon Lees (Simotek)                            http://simotek.net

Emergency Update Team                           keybase.io/simotek
SUSE Linux                           Adelaide Australia, UTC+10:30
GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B



Download attachment "signature.asc" of type "application/pgp-signature" (485 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.