Message-ID: <1493659500.2460.28.camel@debian.org>
Date: Mon, 01 May 2017 19:25:00 +0200
From: Yves-Alexis Perez <corsac@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: terminal emulators' processing of escape
 sequences

On Mon, 2017-05-01 at 18:44 +0200, Solar Designer wrote:
> Yves-Alexis Perez of Debian pointed out that whether these crashes occur
> or not may be related to the version of vte.  I'll leave it up to him to
> post a follow-up on that.

Indeed, original tests by Solar Designer and Jason A. Donenfeld might have
targeted xfce4-terminal 0.6 which is written in GTK2 and uses vte2 while more
recent versions (starting 0.8) use GTK3 and vte3.

I tried running the perl script with current Debian sid and:

xfce4-terminal 0.8.4-1
libvte-2.91-0:amd64 0.46.1-1
libgtk-3-0:amd64 3.22.12-1

I wasn't able to make the process crash (it seems stuck at some point but the
window is somehow resized and I don't have access to the content so it's not
clear why).

Out of curiosity I also tried lxterminal (0.3.0-1) which is vte2 based, along
with:

libvte9 1:0.28.2-5+b
libgtk2.0-0:amd64 2.24.31-2

and I wasn't able to crash the process either. This time the perl process
terminates successfully.

Regards,
-- 
Yves-Alexis