Date: Mon, 9 Apr 2018 10:11:05 -0700
From: Ian Zimmerman <itz@...y.loosely.org>
To: oss-security@...ts.openwall.com
Subject: Re: Terminal Control Chars

On 2018-03-05 17:50, up201407890@...nos.dcc.fc.up.pt wrote:

> When pasting characters into several terminal emulators, control
> characters are allowed.  This turns out to be a security problem, due to
> the fact that when pasting these characters into terminal text
> editors, such as vi/vim, emacs, nano, etc., remote code execution is
> possible.
> 
> This is supposed to be fixed in recent versions of VTE [3], which
> means VTE-based terminal emulators should be safe, but the problem is
> that most distros are shipping older versions and remain vulnerable.
> 
> Here's a list of terminal emulators I tested this on where it
> worked. Some came by default in my distro (Debian), others were
> installed via apt-get. This should also work on other distros:

[...]
> urxvt
[...]

> Please, update VTE and check if the below still works. For the others
> that aren't based on VTE, CVEs should be assigned to each of them. Can
> someone help me figure out which ones are based on VTE and those that
> aren't?

As far as I can see, urxvt (aka rxvt-unicode) does not use vte.

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.
