Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 11 Aug 2015 22:06:48 +0100
From: Stephane Chazelas <>
Subject: Re: Terminal escape sequences - the new XSS for admins?

2015-08-11 16:29:04 -0400, Steve Grubb:
> A lot were based on the vte package. So, I dug into the vte package. In the 
> file, vteseq.c, is this:
>                 case 21:
>                         /* Report a static window title, since the real
>                            window title should NEVER be reported, as it
>                            creates a security vulnerability.  See
>                            and CVE-2003-0070. */
>                         _vte_debug_print(VTE_DEBUG_PARSE,
>                                         "Reporting fake window title.\n");
>                         /* never use terminal->window_title here! */
>                         g_snprintf (buf, sizeof (buf),
>                                     _VTE_CAP_OSC "lTerminal" _VTE_CAP_ST);
>                         vte_terminal_feed_child(terminal, buf, -1);
>                         break;
> At this point, I was convinced that most major emulators are safe. That 
> said...there are all the ones I didn't check including older ones. The older 
> ones are likely to be the ones I'd be most concerned about.

Yes, it's the kind of vulnerabilities that were exploited
decades ago and were fixed then.

Now, the authors of newer ones can forget about them.

terminology has a few dangerous escape sequences (including
reporting window title, but also reading arbitrary files and
sending arbitrary HTTP requests), as discussed at


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.