Date: Thu, 18 May 2017 08:35:40 +0930 From: Simon Lees <sflees@...e.de> To: oss-security@...ts.openwall.com Subject: Re: terminal emulators' processing of escape sequences On 05/02/2017 02:14 AM, Solar Designer wrote: > Hi, > > It is a well-known feature, previously discussed in here, that data > printed to a terminal (emulator) may control that terminal, including > making it effectively unusable until reset, and in some cases even > pasting characters as if they were typed by the user. Also as discussed > what characters may be pasted varies by terminal - sometimes they can be > arbitrary (e.g., if the terminal supports macro recording and playback > via escape sequences) and sometimes not so (like a terminal reporting > back its status, usually not followed by a linefeed, so not yet > executing a shell command until further user assistance). Here are some > relevant threads: > > http://www.openwall.com/lists/oss-security/2015/08/11/8 > http://www.openwall.com/lists/oss-security/2015/09/17/5 > http://www.openwall.com/lists/oss-security/2016/11/04/12 > > (I link to messages that started these threads, not necessarily to most > informative messages in the threads. So you might want to go through > the threads with the "thread-next" links.) > > Besides (mis)features, there may also be implementation bugs. A couple > of weeks ago, I brought in here vulnerabilities in terminal escape > handling in minicom and prl-vzvncserver (both already fixed in latest > versions by then): > > http://www.openwall.com/lists/oss-security/2017/04/18/5 > > I already knew this wouldn't be the end of the story as some other > terminal emulators exhibited suspicious behavior when targeted with > streams of unusual escape sequences involving large or negative integer > parameters. I sent the following to the distros list on April 17, > presented here with updates reflecting the current status. > > > terminology: > > --- > ERR<10676>:termpty termptyesc.c:1115 _handle_esc_csi() unhandled CSI 'x': 2147483647;0x > ERR<10676>:termpty termptyesc.c:1115 _handle_esc_csi() unhandled CSI 'x': 2147483647;0x > ERR<10676>:termpty termptyesc.c:1115 _handle_esc_csi() unhandled CSI 'x': 2147483647;0x > --- > For reference terminology was fixed with this commit https://phab.enlightenment.org/rTRM63d65ed4bb06094e6a8b6cafdc7c4cbfc62dd677 Thanks -- Simon Lees (Simotek) http://simotek.net Emergency Update Team keybase.io/simotek SUSE Linux Adelaide Australia, UTC+10:30 GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B Download attachment "signature.asc" of type "application/pgp-signature" (485 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.