Message-ID: <aJzi-uY6brZyW2Mz@prl-debianold-64.jexium-island.net>
Date: Wed, 13 Aug 2025 15:09:46 -0400
From: Thomas Dickey <dickey@....com>
To: oss-security@...ts.openwall.com
Subject: Re: xterm terminal crash due to malicious character
 sequences in file name

On Wed, Aug 13, 2025 at 07:00:58PM +0200, Vincent Lefevre wrote:
> The following makes the xterm terminal crash
> 
>   touch "$(printf "file\e[H\e[c\n\b")"
>   gunzip file*
> 
> due to malicious character sequences in the file name and a bug in
> xterm. Same issue with bunzip2 instead of gunzip.
> 
> Note that in practice, such a file name is not necessarily created by
> the end user who runs gunzip. It may come from a downloaded archive
> or from another user on a shared machine.
> 
> Is this regarded as a vulnerability, in particular due to the loss of
> the shell session and associated data (which cannot be recovered)?

Vincent omitted his custom configuration (reverseWrap), which affects the
number of users affected.
 
> Which is or are the culprit(s)?
>   * xterm itself (note that it is also possible to make some recent
>     xterm versions crash without these usual escape sequences);
>   * gzip and bzip2, which should sanitize the output to the terminal
>     (like many other utilities already do nowadays);
>   * the file system, which should not allow the creation of such
>     file names (I don't know what POSIX says exactly)?
> 
> FYI, I've just reported bugs:
> 
>   https://debbugs.gnu.org/cgi/bugreport.cgi?bug=79231 for gzip
>   https://sourceware.org/bugzilla/show_bug.cgi?id=33276 for bzip2
> 
> (I had also reported 2 bugs against xterm related to its crash
> in the Debian BTS.)

Dereferencing a null pointer:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110769
(no buffer overflows, etc).
-- 
Thomas E. Dickey <dickey@...isible-island.net>
https://invisible-island.net
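
The quoted report suggests that gzip and bzip2 should sanitize file names before writing them to a terminal. The following is an added example, not code from gzip, bzip2, xterm or either poster: a C routine that escapes every byte outside printable ASCII before display. The function name `tty_safe_name` and the octal escape format are assumptions made here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from gzip, bzip2 or xterm): copy `name` into `out`,
 * replacing every byte outside printable ASCII with a \ooo octal escape and
 * doubling backslashes so the result is unambiguous. Escaping bytes >= 0x80 is
 * a conservative choice that also covers 8-bit C1 controls, at the cost of
 * showing non-ASCII names in escaped form.
 * Returns the length written, or (size_t)-1 if `out` is too small. */
size_t tty_safe_name(const char *name, char *out, size_t outsz)
{
    size_t o = 0;

    if (outsz == 0)
        return (size_t)-1;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (*p == '\\') {
            if (outsz - o < 3) return (size_t)-1;   /* 2 chars + NUL */
            out[o++] = '\\';
            out[o++] = '\\';
        } else if (*p >= 0x20 && *p <= 0x7e) {
            if (outsz - o < 2) return (size_t)-1;   /* 1 char + NUL */
            out[o++] = (char)*p;
        } else {
            if (outsz - o < 5) return (size_t)-1;   /* 4 chars + NUL */
            o += (size_t)snprintf(out + o, outsz - o, "\\%03o", (unsigned)*p);
        }
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed sample: the file name from the report quoted above. */
    char buf[128];

    if (tty_safe_name("file\033[H\033[c\n\b", buf, sizeof buf) != (size_t)-1)
        printf("%s\n", buf);
    return 0;
}
```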