Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 18 May 2017 04:39:50 +0200
From: Marc Lehmann <schmorp@...morp.de>
To: Solar Designer <solar@...nwall.com>
Cc: "Jason A. Donenfeld" <Jason@...c4.com>,
	oss-security <oss-security@...ts.openwall.com>,
	rxvt-unicode@...ts.schmorp.de, rxvt@...morp.de
Subject: Re: terminal emulators' processing of escape sequences

On Wed, May 17, 2017 at 01:05:30PM +0200, Solar Designer <solar@...nwall.com> wrote:
> You're right that we provided "little to no information" - sorry.  I'll
> correct this now.
> 
> Jason's e-mail was in part prompted by my off-list message to him, where
> I wrote about this issue (or non-issue depending on one's perspective):

Thanks a lot, this makes a lot more sense. The confusing part was that the
patch sent by Jason in his mail had nothing to do with this issue.

> I think it's pretty bad, because unlike many other terminals' automated
> responses triggered by escapes, this one includes a linefeed.

I agree - rxvt-unicode shouldn't reply with a LF when in secure mode (this
is a policy). The sequence in question is also not used (or even usable,
as it queries the original rxvt graphics mode which is not implemented in
urxvt), so the next version will have it disabled, at least in secure mode
(the default).

> The risk probability is low, but this is nevertheless a valid security
> issue to patch.

I agree, it is a reasonable defense in depth mechanism where the benefit
clearly outweighs the disadvantages.

> (The pasted text appears to vary between "0" and "1".)

urxvt always replies with "\033G0\012" to indicate "graphics mode not
supported". It's quite possible the the original rxvt replies with other
sequences.

> Thus, a sentiment expressed in past discussions in here is that terminal
> emulators shouldn't have the riskiest escape sequences supported by
> default.  It is fully expected that malicious escape sequences can make

Again, I fully agree - I just couldn't make the connection between the
patch sent and these "riskiest escape sequences".

-- 
                The choice of a       Deliantra, the free code+content MORPG
      -----==-     _GNU_              http://www.deliantra.net
      ----==-- _       generation
      ---==---(_)__  __ ____  __      Marc Lehmann
      --==---/ / _ \/ // /\ \/ /      schmorp@...morp.de
      -=====/_/_//_/\_,_/ /_/\_\

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.