Date: Mon, 3 Aug 2020 16:41:37 +0200 From: "Jason A. Donenfeld" <Jason@...c4.com> To: security@...ntu.com, oss-security <oss-security@...ts.openwall.com> Subject: ansi escape sequence injection into ubuntu's add-apt-repository Hi, I've found a rather low grade concern: I'm able to inject ANSI escape sequences into PPA descriptions on Launchpad, and then have them rendered by add-apt-repository *before* the user consents to actually adding that repository. There might be some sort of trust barrier issue with that. This could be used to clear the screen and imitate a fresh bash prompt, upload files, dump the current screen to a file, or other classic shenanigans, well chronicled in the archives of oss-sec. PoC time -- I'm using this "feature" for good at the moment to announce the deprecation in bold text of a PPA that I maintain: https://data.zx2c4.com/add-apt-repository-ansi-injection.png The proper fix to this is likely to do sanitization on the add-apt-repository side. Regards, Jason
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.