Date: Mon, 9 Apr 2018 10:11:05 -0700
From: Ian Zimmerman <itz@...y.loosely.org>
To: oss-security@...ts.openwall.com
Subject: Re: Terminal Control Chars

On 2018-03-05 17:50, up201407890@...nos.dcc.fc.up.pt wrote:

> When pasting characters into several terminal emulators, control
> characters are allowed. This turns out to be a security problem, due to
> the fact that when pasting these characters into terminal text
> editors, such as vi/vim, emacs, nano, etc., remote code execution is
> possible.
>
> This is supposed to be fixed in recent versions of VTE, which
> means VTE-based terminal emulators should be safe, but the problem is
> that most distros are shipping older versions and remain vulnerable.
>
> Here's a list of terminal emulators I tested this where it
> worked. Some came by default in my distro (debian), others were
> installed via apt-get. This should also work on other distros:

[...]

> urxvt

[...]

> Please, update VTE and check if the below still works. For the others
> that aren't based on VTE, CVEs should be assigned to each of them. Can
> someone help me figure out which ones are based on VTE and those that
> aren't?

As far as I can see, urxvt (aka rxvt-unicode) does not use vte.

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.
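
A paste filter for the problem discussed in this thread, as an added example that is not part of the original message and not the code of VTE or any other terminal emulator: it reports the control characters found in clipboard text and rewrites them in visible notation so they reach the terminal as inert text. The allow-list, the function names and the sample string are assumptions made for the example.

```python
import unicodedata

# Assumption for this example: tab, newline and carriage return are the only
# control characters a paste legitimately needs.
ALLOWED = {"\t", "\n", "\r"}


def is_disallowed(ch):
    """True for C0 (U+0000-U+001F), DEL and C1 (U+0080-U+009F) outside ALLOWED."""
    return unicodedata.category(ch) == "Cc" and ch not in ALLOWED


def audit_paste(text):
    """List (offset, code point) for each disallowed control character."""
    return [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(text) if is_disallowed(ch)]


def visible(ch):
    """Printable stand-in: caret notation for C0/DEL, <U+XXXX> for C1."""
    code = ord(ch)
    if code < 0x20:
        return "^" + chr(code + 0x40)
    if code == 0x7F:
        return "^?"
    return f"<U+{code:04X}>"


def sanitize_paste(text):
    """Rewrite disallowed control characters so they arrive as inert text."""
    return "".join(visible(ch) if is_disallowed(ch) else ch for ch in text)


if __name__ == "__main__":
    # Constructed clipboard content: a colour escape sequence and a bell.
    sample = "echo hello\x1b[31m world\x07\n"
    for offset, codepoint in audit_paste(sample):
        print(f"control character {codepoint} at offset {offset}")
    print(repr(sanitize_paste(sample)))
```
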