Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 17 May 2017 03:23:14 +0200
From: Marc Lehmann <schmorp@...morp.de>
To: "Jason A. Donenfeld" <Jason@...c4.com>
Cc: oss-security <oss-security@...ts.openwall.com>,
	rxvt-unicode@...ts.schmorp.de, rxvt@...morp.de
Subject: Re: terminal emulators' processing of escape sequences

On Wed, May 17, 2017 at 12:15:55AM +0200, "Jason A. Donenfeld" <Jason@...c4.com> wrote:
> On Wed, May 17, 2017 at 12:03 AM, Solar Designer <solar@...nwall.com> wrote:
> > Jason, Robert -
> >
> > On Tue, May 02, 2017 at 12:05:27AM +0200, Robert ??wi??cki wrote:
> >> A harmless example from rxvt - pushing back the new-line character:
> >>
> >> $ echo -ne "\eGQ;"
> >> ;$ 0
> >> bash: 0: command not found
> >
> > Does this also affect rxvt-unicode?
> 
> It does, actually. I've CCd rxvt-unicode upstream on this in order to
> hear their assessment.

There can't be an assessment without knowledge of what to assess - there
is little to no information in your mail. I can only guess that somebody
for the hundredth time found out that terminals are more than dumb
display devices and got excited that, somehow, this might be a security
issue. Without knowing details, I can't say for sure, but most likely,
this is a security issue the same way blindly feeding unknown commands to
your shell is, i.e., it's a problem somewhere else - the protocol between
terminals and programs is not a (strong) security barrier.

(your echo command is bash-specific, btw.)

-- 
                The choice of a       Deliantra, the free code+content MORPG
      -----==-     _GNU_              http://www.deliantra.net
      ----==-- _       generation
      ---==---(_)__  __ ____  __      Marc Lehmann
      --==---/ / _ \/ // /\ \/ /      schmorp@...morp.de
      -=====/_/_//_/\_,_/ /_/\_\

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ