Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <aJzi-uY6brZyW2Mz@prl-debianold-64.jexium-island.net>
Date: Wed, 13 Aug 2025 15:09:46 -0400
From: Thomas Dickey <dickey@....com>
To: oss-security@...ts.openwall.com
Subject: Re: xterm terminal crash due to malicious character
 sequences in file name

On Wed, Aug 13, 2025 at 07:00:58PM +0200, Vincent Lefevre wrote:
> The following makes the xterm terminal crash
> 
>   touch "$(printf "file\e[H\e[c\n\b")"
>   gunzip file*
> 
> due to malicious character sequences in the file name and a bug in
> xterm. Same issue with bunzip2 instead of gunzip.
> 
> Note that in practice, such a file name is not necessarily created by
> the end user who runs gunzip. It may come from a downloaded archive
> or from another user on a shared machine.
> 
> Is this regarded as a vulnerability, in particular due to the loss of
> the shell session and associated data (which cannot be recovered)?

Vincent omitted his custom configuration (reverseWrap), which affects the
number of users affected.
 
> Which is or are the culprit(s)?
>   * xterm itself (note that it is also possible to make some recent
>     xterm versions crash without these usual escape sequences);
>   * gzip and bzip2, which should sanitize the output to the terminal
>     (like many other utilities already do nowadays);
>   * the file system, which should not allow the creation of such
>     file names (I don't know what POSIX says exactly)?
> 
> FYI, I've just reported bugs:
> 
>   https://debbugs.gnu.org/cgi/bugreport.cgi?bug=79231 for gzip
>   https://sourceware.org/bugzilla/show_bug.cgi?id=33276 for bzip2
> 
> (I had also reported 2 bugs against xterm related to its crash
> in the Debian BTS.)

Dereferencing a null pointer:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110769

(no buffer overflows, etc).

-- 
Thomas E. Dickey <dickey@...isible-island.net>
https://invisible-island.net

Download attachment "signature.asc" of type "application/pgp-signature" (660 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.