Message-ID: <20250813170058.GE6936@qaa.vinc17.org>
Date: Wed, 13 Aug 2025 19:00:58 +0200
From: Vincent Lefevre <vincent@...c17.net>
To: oss-security@...ts.openwall.com
Subject: xterm terminal crash due to malicious character sequences in file name

The following makes the xterm terminal crash

  touch "$(printf "file\e[H\e[c\n\b")"
  gunzip file*

due to malicious character sequences in the file name and a bug in
xterm. Same issue with bunzip2 instead of gunzip.

Note that in practice, such a file name is not necessarily created by
the end user who runs gunzip. It may come from a downloaded archive
or from another user on a shared machine.

Is this regarded as a vulnerability, in particular due to the loss of
the shell session and associated data (which cannot be recovered)?

Which is or are the culprit(s)?
  * xterm itself (note that it is also possible to make some recent
    xterm versions crash without these usual escape sequences);
  * gzip and bzip2, which should sanitize the output to the terminal
    (like many other utilities already do nowadays);
  * the file system, which should not allow the creation of such
    file names (I don't know what POSIX says exactly)?

FYI, I've just reported bugs:

  https://debbugs.gnu.org/cgi/bugreport.cgi?bug=79231 for gzip
  https://sourceware.org/bugzilla/show_bug.cgi?id=33276 for bzip2

(I had also reported 2 bugs against xterm related to its crash
in the Debian BTS.)

-- 
Vincent Lefèvre <vincent@...c17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
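
One way a utility could make such a file name safe to print before it reaches the terminal, as an added example that is not part of the original message and is not code from gzip, bzip2 or xterm. The names `sanitize_name` and `put_hex` are hypothetical, and the handling of C1 controls assumes a UTF-8 terminal.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Append the visible form "\xHH" of byte b at out[pos].
 * Returns the new write position, or 0 if the buffer is too small. */
static size_t put_hex(char *out, size_t pos, size_t outsz, unsigned char b)
{
    if (pos + 4 >= outsz)
        return 0;
    snprintf(out + pos, 5, "\\x%02x", b);
    return pos + 4;
}

/* Copy name into out, replacing bytes a terminal would interpret with \xHH:
 * C0 controls (including ESC, LF, BS), DEL, UTF-8 encoded C1 controls
 * (0xC2 0x80..0x9F, assumption: UTF-8 terminal), and the backslash itself
 * so the result is unambiguous. Returns 0 on success, -1 if out is too small. */
int sanitize_name(const char *name, char *out, size_t outsz)
{
    const unsigned char *p = (const unsigned char *)name;
    size_t pos = 0;

    if (outsz == 0)
        return -1;
    for (; *p; p++) {
        int c1 = (p[0] == 0xC2 && p[1] >= 0x80 && p[1] <= 0x9F);
        if (*p < 0x20 || *p == 0x7F || *p == '\\' || c1) {
            if (!(pos = put_hex(out, pos, outsz, *p)))
                return -1;
            if (c1 && !(pos = put_hex(out, pos, outsz, *++p)))
                return -1;
        } else {
            if (pos + 1 >= outsz)
                return -1;
            out[pos++] = (char)*p;
        }
    }
    out[pos] = '\0';
    return 0;
}

int main(void)
{
    /* File name from the report: "file" ESC [ H ESC [ c LF BS */
    char buf[64];
    if (sanitize_name("file\x1b[H\x1b[c\n\b", buf, sizeof buf) == 0)
        printf("gzip: %s: not in gzip format\n", buf); /* sample message text */
    return 0;
}
```

Ordinary UTF-8 names pass through unchanged, so only the bytes the terminal would act on are rewritten.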
