Message-ID: <Z3f9N0Qo-qIJXfJO@netmeister.org>
Date: Fri, 3 Jan 2025 10:07:35 -0500
From: Jan Schaumann <jschauma@...meister.org>
To: oss-security@...ts.openwall.com
Subject: iTerm2 < 3.5.11 logs input/output to /tmp/framer.txt on remote host

iterm2 (https://iterm2.com), a popular Terminal.app
replacement for macOS, announced a vulnerability in
versions < 3.5.11 whereby input/output from an SSH
connection may be logged to the file /tmp/framer.txt
on the remote host.  To the best of my knowledge,
there is no CVE associated with this vulnerability.

The announcement (below) notes that this file "may be
readable by other users", presumably depending on the
user's umask on that system.

iterm2 is published under the GPL with source code
available here:
https://github.com/gnachman/iTerm2


Announcement and change log:
https://iterm2.com/downloads/stable/iTerm2-3_5_11.changelog

---

Version 3.5.11 of iTerm2 was built on January 2, 2025.

This release contains a critical security fix. I
strongly recommend updating immediately.

Who is affected?
----------------
You may be affected if you used the SSH
integration feature in any of the following
versions:

* 3.5.6
* 3.5.7
* 3.5.8
* 3.5.9
* 3.5.10
* Any beta versions of 3.5.6 and later.

What is the issue?
------------------
A bug in the SSH integration feature caused input
and output to be logged to a file on the remote
host. This file, /tmp/framer.txt, may be readable
by other users on the remote host.

When does this occur?
---------------------
The issue occurs if both of the following conditions
are true:

1. Either:
   a) You used the it2ssh command, or
   b) In Settings > Profiles > General, the
      Command popup menu was set to "SSH" (not
      "Login Shell", "Command", or "Custom
      Command") AND "SSH Integration" was checked
      in the SSH configuration dialog. That dialog
      is shown when you click the Configure button
      next to the ssh arguments field in Settings.
2. The remote host has Python 3.7 or later
   installed in its default search path.

What should you do?
-------------------
* Upgrade immediately to version 3.5.11.
* Delete /tmp/framer.txt on affected hosts.

How I'm addressing this
-----------------------
I deeply regret this mistake and will take steps
to ensure it never happens again.

The code to write to log files in SSH integration
has been deleted and will not be publicly released
again.

If you have questions you can contact me at
gnachman@...il.com.

SHA-256 of the zip file is
You can use the following to verify the zip file on
https://keybase.io/verify:

---
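
One way to carry out the "Delete /tmp/framer.txt on affected hosts" step while first recording whether the file was readable by other users, as an added example that is not part of the original message or of the iTerm2 project. The function name, the FRAMER_LOG variable and the --delete option are assumptions of this example; only the file path comes from the advisory.

```shell
#!/bin/sh
# Added example: check a host for the log file named in the advisory.
# The path comes from the advisory; all other names are illustrative.
FRAMER_LOG="${FRAMER_LOG:-/tmp/framer.txt}"

# Print one line starting with "absent", "symlink", "private" or "exposed".
# "exposed" means the file mode grants read access to group or others.
framer_log_status() {
    f="${1:-$FRAMER_LOG}"
    if [ -L "$f" ]; then
        # /tmp is world-writable, so a symlink at this path needs a manual look.
        echo "symlink $f"
        return 0
    fi
    if [ ! -e "$f" ]; then
        echo "absent $f"
        return 0
    fi
    # POSIX "ls -l" format: field 1 is the mode string, field 3 the owner.
    info=$(ls -ld -- "$f" | awk '{print $1 " " $3}')
    mode=${info%% *}
    owner=${info#* }
    # Character 5 of the mode string is group read, character 8 is other read.
    group_r=$(printf '%s' "$mode" | cut -c5)
    other_r=$(printf '%s' "$mode" | cut -c8)
    if [ "$group_r" = r ] || [ "$other_r" = r ]; then
        echo "exposed $f owner=$owner mode=$mode"
    else
        echo "private $f owner=$owner mode=$mode"
    fi
}

# Report only by default; pass --delete to remove the file after reporting.
case "${1:-}" in
    --delete) framer_log_status; rm -f -- "$FRAMER_LOG" ;;
    *)        framer_log_status ;;
esac
```

Run it on each remote host that was reached through the SSH integration; keep the reported owner and mode before deleting, since they show whether other users on that host could have read the file.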
