Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 18 May 2017 04:39:50 +0200
From: Marc Lehmann <schmorp@...morp.de>
To: Solar Designer <solar@...nwall.com>
Cc: "Jason A. Donenfeld" <Jason@...c4.com>,
	oss-security <oss-security@...ts.openwall.com>,
	rxvt-unicode@...ts.schmorp.de, rxvt@...morp.de
Subject: Re: terminal emulators' processing of escape sequences

On Wed, May 17, 2017 at 01:05:30PM +0200, Solar Designer <solar@...nwall.com> wrote:
> You're right that we provided "little to no information" - sorry.  I'll
> correct this now.
> 
> Jason's e-mail was in part prompted by my off-list message to him, where
> I wrote about this issue (or non-issue depending on one's perspective):

Thanks a lot, this makes a lot more sense. The confusing part was that the
patch sent by Jason in his mail had nothing to do with this issue.

> I think it's pretty bad, because unlike many other terminals' automated
> responses triggered by escapes, this one includes a linefeed.

I agree - rxvt-unicode shouldn't reply with a LF when in secure mode (this
is a policy). The sequence in question is also not used (or even usable,
as it queries the original rxvt graphics mode which is not implemented in
urxvt), so the next version will have it disabled, at least in secure mode
(the default).

> The risk probability is low, but this is nevertheless a valid security
> issue to patch.

I agree, it is a reasonable defense in depth mechanism where the benefit
clearly outweighs the disadvantages.

> (The pasted text appears to vary between "0" and "1".)

urxvt always replies with "\033G0\012" to indicate "graphics mode not
supported". It's quite possible the the original rxvt replies with other
sequences.

> Thus, a sentiment expressed in past discussions in here is that terminal
> emulators shouldn't have the riskiest escape sequences supported by
> default.  It is fully expected that malicious escape sequences can make

Again, I fully agree - I just couldn't make the connection between the
patch sent and these "riskiest escape sequences".

-- 
                The choice of a       Deliantra, the free code+content MORPG
      -----==-     _GNU_              http://www.deliantra.net
      ----==-- _       generation
      ---==---(_)__  __ ____  __      Marc Lehmann
      --==---/ / _ \/ // /\ \/ /      schmorp@...morp.de
      -=====/_/_//_/\_,_/ /_/\_\

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ