Date: Thu, 18 May 2017 04:39:50 +0200 From: Marc Lehmann <schmorp@...morp.de> To: Solar Designer <solar@...nwall.com> Cc: "Jason A. Donenfeld" <Jason@...c4.com>, oss-security <oss-security@...ts.openwall.com>, rxvt-unicode@...ts.schmorp.de, rxvt@...morp.de Subject: Re: terminal emulators' processing of escape sequences On Wed, May 17, 2017 at 01:05:30PM +0200, Solar Designer <solar@...nwall.com> wrote: > You're right that we provided "little to no information" - sorry. I'll > correct this now. > > Jason's e-mail was in part prompted by my off-list message to him, where > I wrote about this issue (or non-issue depending on one's perspective): Thanks a lot, this makes a lot more sense. The confusing part was that the patch sent by Jason in his mail had nothing to do with this issue. > I think it's pretty bad, because unlike many other terminals' automated > responses triggered by escapes, this one includes a linefeed. I agree - rxvt-unicode shouldn't reply with a LF when in secure mode (this is a policy). The sequence in question is also not used (or even usable, as it queries the original rxvt graphics mode which is not implemented in urxvt), so the next version will have it disabled, at least in secure mode (the default). > The risk probability is low, but this is nevertheless a valid security > issue to patch. I agree, it is a reasonable defense in depth mechanism where the benefit clearly outweighs the disadvantages. > (The pasted text appears to vary between "0" and "1".) urxvt always replies with "\033G0\012" to indicate "graphics mode not supported". It's quite possible the the original rxvt replies with other sequences. > Thus, a sentiment expressed in past discussions in here is that terminal > emulators shouldn't have the riskiest escape sequences supported by > default. It is fully expected that malicious escape sequences can make Again, I fully agree - I just couldn't make the connection between the patch sent and these "riskiest escape sequences". -- The choice of a Deliantra, the free code+content MORPG -----==- _GNU_ http://www.deliantra.net ----==-- _ generation ---==---(_)__ __ ____ __ Marc Lehmann --==---/ / _ \/ // /\ \/ / schmorp@...morp.de -=====/_/_//_/\_,_/ /_/\_\
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ