Bug 123521
| Summary: | CAN-2003-0070 gnome terminal still vulnerable to command line insertion? | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | David Downes <david> |
| Component: | vte | Assignee: | Ray Strode [halfline] <rstrode> |
| Status: | CLOSED NOTABUG | QA Contact: | Brian Brock <bbrock> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | barryn, dickey, mjc, nalin, wtogami |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2004-06-18 19:50:52 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
That sounds like the answerback string. But I changed that to an empty string 4 years ago (perhaps Redhat's customization of app-defaults added it back). There was a whole raft of security updates to various terminal emulators, see CAN-2003-0063 for a reference. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0063 This issue might still affect gnome-terminal, needs testing. However note that you still need to convince someone to press return in order to execute the command. *** Bug 103804 has been marked as a duplicate of this bug. *** Hi David. vte (the component which gnome-terminal is built on) interprets some unprintable "control" characters specially to provide features for programs to be able to set the window title, move the cursor around, switching the font to symbols (for drawing), and things of that nature. Most recognized sequences of unprintable characters only cause some visual change, but there are a few that will cause strings to be injected directly onto the console. In particular, with versions of vte 0.11.10 and older the character ENQ (control-E) displayed "xterm". When you cat binary data, the terminal can misinterpret parts of that data as control characters. This is why xterm is popping up. Note, newer versions of vte (and xterm) don't return "xterm", but instead return an empty string when reading the ENQ character. For more information see the upstream bug reports: http://bugzilla.gnome.org/show_bug.cgi?id=114334 http://bugzilla.gnome.org/show_bug.cgi?id=116495 Before version 0.10.25, vte would allow the window title to be sent to the console, which had security issues. Newer versions of vte will not do this, however. |
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040312 Description of problem: After typing 'cat' in a Gnome terminal, with one of the usb devices as argument, an 'xterm' string appears. This would seem to be unsafe default behaviour, if it is intentional. Have tried it on several different usb devices and the result is the same e.g. [dd@localhost dd]$ cat /proc/bus/usb/001/001 @ �[dd@localhost dd]$ xterm [dd@localhost dd]$ cat /proc/bus/usb/002/001 @ ��[dd@localhost dd]$ xterm [dd@localhost dd]$ Version-Release number of selected component (if applicable): kernel-2.6.5-1.327 How reproducible: Always Steps to Reproduce: 1.open terminal window 2.type 'cat /proc/bus/usb/001/001' 3.press return Actual Results: [dd@localhost dd]$ cat /proc/bus/usb/001/001 @ �xterm[dd@localhost dd]$ xterm [dd@localhost dd]$ new xterm appears on desk top Expected Results: xterm should not be appearing when arbitrarily using cat on files in proc Additional info: