Message-ID: <20150811210648.GB8477@chaz.gmail.com>
Date: Tue, 11 Aug 2015 22:06:48 +0100
From: Stephane Chazelas <stephane.chazelas@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Terminal escape sequences - the new XSS for admins?

2015-08-11 16:29:04 -0400, Steve Grubb:
[....]
> A lot were based on the vte package. So, I dug into the vte package. In the
> file, vteseq.c, is this:
>
>         case 21:
>                 /* Report a static window title, since the real
>                    window title should NEVER be reported, as it
>                    creates a security vulnerability.  See
>                    http://marc.info/?l=bugtraq&m=104612710031920&w=2
>                    and CVE-2003-0070. */
>                 _vte_debug_print(VTE_DEBUG_PARSE,
>                                 "Reporting fake window title.\n");
>                 /* never use terminal->window_title here! */
>                 g_snprintf (buf, sizeof (buf),
>                             _VTE_CAP_OSC "lTerminal" _VTE_CAP_ST);
>                 vte_terminal_feed_child(terminal, buf, -1);
>                 break;
>
> At this point, I was convinced that most major emulators are safe. That
> said...there are all the ones I didn't check including older ones. The older
> ones are likely to be the ones I'd be most concerned about.
[...]

Yes, it's the kind of vulnerabilities that were exploited
decades ago and were fixed then. Now, the authors of newer ones
can forget about them.

terminology has a few dangerous escape sequences (including
reporting window title, but also reading arbitrary files and
sending arbitrary HTTP requests), as discussed at
http://unix.stackexchange.com/questions/213799/can-bash-write-to-its-own-input-stream/213821#comment362700_213805

-- 
Stephane
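
Added example, not part of the original message and not vte code: a filter an admin tool could apply to untrusted text (log fields, file names) before it reaches any terminal, so that safety does not depend on which emulator is in use. The function name, the `\xNN` rendering and the sample line are assumptions made for this illustration, and it assumes the display terminal decodes UTF-8.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy untrusted bytes to out, rendering terminal control characters as
 * visible \xNN text so the emulator never interprets them. Returns the
 * number of characters neutralized, or -1 if out is too small.
 * Hypothetical helper written for this example. */
static int neutralize_controls(const unsigned char *in, size_t n,
                               char *out, size_t outsz)
{
    size_t o = 0;
    int hits = 0;

    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        /* C1 controls U+0080..U+009F (8-bit CSI is U+009B) as UTF-8 */
        int c1 = c == 0xC2 && i + 1 < n &&
                 in[i + 1] >= 0x80 && in[i + 1] <= 0x9F;
        /* C0 controls except newline and tab, plus DEL; ESC is 0x1b */
        int c0 = (c < 0x20 && c != '\n' && c != '\t') || c == 0x7F;

        if (c0 || c1) {
            unsigned v = c1 ? in[++i] : c;   /* print the code point */
            if (outsz - o < 5) return -1;    /* 4 chars + NUL */
            o += (size_t)snprintf(out + o, outsz - o, "\\x%02x", v);
            hits++;
        } else {
            if (outsz - o < 2) return -1;    /* 1 char + NUL */
            out[o++] = (char)c;
        }
    }
    if (o >= outsz) return -1;
    out[o] = '\0';
    return hits;
}

int main(void)
{
    /* Constructed sample: a log field carrying the "report window
     * title" request that the quoted vte code answers with a fake title */
    const char line[] = "GET /\x1b[21t HTTP/1.1\n";
    char safe[128];
    int n = neutralize_controls((const unsigned char *)line, strlen(line),
                                safe, sizeof safe);
    printf("%d neutralized: %s", n, safe);
    return n < 0;
}
```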