Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20170517012314.vyjnu3k7pgh5ey6s@schmorp.de>
Date: Wed, 17 May 2017 03:23:14 +0200
From: Marc Lehmann <schmorp@...morp.de>
To: "Jason A. Donenfeld" <Jason@...c4.com>
Cc: oss-security <oss-security@...ts.openwall.com>,
	rxvt-unicode@...ts.schmorp.de, rxvt@...morp.de
Subject: Re: terminal emulators' processing of escape sequences

On Wed, May 17, 2017 at 12:15:55AM +0200, "Jason A. Donenfeld" <Jason@...c4.com> wrote:
> On Wed, May 17, 2017 at 12:03 AM, Solar Designer <solar@...nwall.com> wrote:
> > Jason, Robert -
> >
> > On Tue, May 02, 2017 at 12:05:27AM +0200, Robert ??wi??cki wrote:
> >> A harmless example from rxvt - pushing back the new-line character:
> >>
> >> $ echo -ne "\eGQ;"
> >> ;$ 0
> >> bash: 0: command not found
> >
> > Does this also affect rxvt-unicode?
> 
> It does, actually. I've CCd rxvt-unicode upstream on this in order to
> hear their assessment.

There can't be an assessment without knowledge of what to assess - there
is little to no information in your mail. I can only guess that somebody
for the hundredth time found out that terminals are more than dumb
display devices and got excited that, somehow, this might be a security
issue. Without knowing details, I can't say for sure, but most likely,
this is a security issue the same way blindly feeding unknown commands to
your shell is, i.e., it's a problem somewhere else - the protocol between
terminals and programs is not a (strong) security barrier.

(your echo command is bash-specific, btw.)

-- 
                The choice of a       Deliantra, the free code+content MORPG
      -----==-     _GNU_              http://www.deliantra.net
      ----==-- _       generation
      ---==---(_)__  __ ____  __      Marc Lehmann
      --==---/ / _ \/ // /\ \/ /      schmorp@...morp.de
      -=====/_/_//_/\_,_/ /_/\_\

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.