oss-sec mailing list archives
Re: terminal emulators' processing of escape sequences
From: Marc Lehmann <schmorp () schmorp de>
Date: Wed, 17 May 2017 03:23:14 +0200
On Wed, May 17, 2017 at 12:15:55AM +0200, "Jason A. Donenfeld" <Jason () zx2c4 com> wrote:
On Wed, May 17, 2017 at 12:03 AM, Solar Designer <solar () openwall com> wrote:Jason, Robert - On Tue, May 02, 2017 at 12:05:27AM +0200, Robert ??wi??cki wrote:A harmless example from rxvt - pushing back the new-line character: $ echo -ne "\eGQ;" ;$ 0 bash: 0: command not foundDoes this also affect rxvt-unicode?It does, actually. I've CCd rxvt-unicode upstream on this in order to hear their assessment.
There can't be an assessment without knowledge of what to assess - there is little to no information in your mail. I can only guess that somebody for the hundredth time found out that terminals are more than dumb display devices and got excited that, somehow, this might be a security issue. Without knowing details, I can't say for sure, but most likely, this is a security issue the same way blindly feeding unknown commands to your shell is, i.e., it's a problem somewhere else - the protocol between terminals and programs is not a (strong) security barrier. (your echo command is bash-specific, btw.) -- The choice of a Deliantra, the free code+content MORPG -----==- _GNU_ http://www.deliantra.net ----==-- _ generation ---==---(_)__ __ ____ __ Marc Lehmann --==---/ / _ \/ // /\ \/ / schmorp () schmorp de -=====/_/_//_/\_,_/ /_/\_\
Current thread:
- terminal emulators' processing of escape sequences Solar Designer (May 01)
- Re: terminal emulators' processing of escape sequences Yves-Alexis Perez (May 01)
- Re: terminal emulators' processing of escape sequences Yves-Alexis Perez (May 01)
- Re: terminal emulators' processing of escape sequences Michal Zalewski (May 01)
- Re: terminal emulators' processing of escape sequences Robert Święcki (May 01)
- Re: terminal emulators' processing of escape sequences Robert Święcki (May 03)
- Re: terminal emulators' processing of escape sequences Solar Designer (May 16)
- Re: terminal emulators' processing of escape sequences Robert Święcki (May 16)
- Re: terminal emulators' processing of escape sequences Yui Hirasawa (May 19)
- Re: terminal emulators' processing of escape sequences Jason A. Donenfeld (May 17)
- Re: terminal emulators' processing of escape sequences Marc Lehmann (May 16)
- Re: terminal emulators' processing of escape sequences Robert Święcki (May 17)
- AW: terminal emulators' processing of escape sequences Fiedler Roman (May 17)
- Re: terminal emulators' processing of escape sequences Daniel Kahn Gillmor (May 17)
- Re: terminal emulators' processing of escape sequences Robert Święcki (May 17)
- Re: terminal emulators' processing of escape sequences Robert Święcki (May 17)
- Re: terminal emulators' processing of escape sequences Daniel Kahn Gillmor (May 18)
- Re: terminal emulators' processing of escape sequences Tavis Ormandy (May 19)
- Re: terminal emulators' processing of escape sequences Robert Święcki (May 01)
- Re: terminal emulators' processing of escape sequences Yves-Alexis Perez (May 01)
- Re: terminal emulators' processing of escape sequences Solar Designer (May 17)
- Re: terminal emulators' processing of escape sequences Marc Lehmann (May 17)
- rxvt-unicode "insecure" setting [Was: terminal emulators' processing of escape sequences] Ian Zimmerman (May 17)