Date: Mon, 9 Apr 2018 10:11:05 -0700
From: Ian Zimmerman <itz@...y.loosely.org>
To: oss-security@...ts.openwall.com
Subject: Re: Terminal Control Chars

On 2018-03-05 17:50, up201407890@...nos.dcc.fc.up.pt wrote:

> When pasting characters into several terminal emulators, control
> characters are allowed.  This turns out to be a security problem, due to
> the fact that when pasting these characters into terminal text
> editors, such as vi/vim, emacs, nano, etc., remote code execution is
> possible.
> 
> This is supposed to be fixed in recent versions of VTE [3], which
> means VTE-based terminal emulators should be safe, but the problem is
> that most distros are shipping older versions and remain vulnerable.
> 
> Here's a list of terminal emulators I tested this on where it
> worked. Some came by default in my distro (Debian), others were
> installed via apt-get. This should also work on other distros:

[...]
> urxvt
[...]

> Please, update VTE and check if the below still works. For the others
> that aren't based on VTE, CVEs should be assigned to each of them. Can
> someone help me figure out which ones are based on VTE and those that
> aren't?

As far as I can see, urxvt (aka rxvt-unicode) does not use vte.

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.
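
A defensive check for the issue described in the quoted report, added here as an example (it is not code from the thread, from VTE or from any terminal emulator): it audits text for control characters before it is pasted into a terminal and removes them. The allow-list of tab, newline and carriage return, the function names and the sample string are assumptions.

```python
import unicodedata

# Assumption: tab, newline and carriage return are the only control
# characters a legitimate text paste needs; everything else is flagged.
ALLOWED_CONTROLS = frozenset("\t\n\r")


def is_unsafe_control(ch):
    """True for C0 (U+0000-001F), DEL (U+007F) and C1 (U+0080-009F)
    characters, i.e. Unicode category Cc, that are not allow-listed."""
    return unicodedata.category(ch) == "Cc" and ch not in ALLOWED_CONTROLS


def audit_paste(text):
    """List (offset, code point) for each disallowed control character."""
    return [(i, f"U+{ord(ch):04X}")
            for i, ch in enumerate(text) if is_unsafe_control(ch)]


def sanitize_paste(text, replacement=""):
    """Drop disallowed controls, or swap in a visible replacement."""
    return "".join(replacement if is_unsafe_control(ch) else ch for ch in text)


def visualize(text):
    """Show disallowed controls in caret notation (ESC -> ^[, DEL -> ^?);
    C1 controls have no caret form and are shown as <U+00XX>."""
    out = []
    for ch in text:
        if not is_unsafe_control(ch):
            out.append(ch)
        elif ord(ch) < 0x80:
            out.append("^" + chr(ord(ch) ^ 0x40))
        else:
            out.append(f"<U+{ord(ch):04X}>")
    return "".join(out)


# Constructed sample, not taken from the thread: ordinary text with
# ESC, BEL and a C1 CSI byte mixed in, plus a tab that should survive.
SAMPLE = "apt-get update\x1b\x07\x9b\ttab kept\n"

if __name__ == "__main__":
    print(audit_paste(SAMPLE))
    print(repr(visualize(SAMPLE)))
    print(repr(sanitize_paste(SAMPLE)))
```

Passing a visible `replacement` such as U+FFFD instead of the empty string keeps evidence in the pasted text that something was removed.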
