Bug 123521
Summary: | CAN-2003-0070 gnome terminal still vulnerable to command line insertion? | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | David Downes <david> |
Component: | vte | Assignee: | Ray Strode [halfline] <rstrode> |
Status: | CLOSED NOTABUG | QA Contact: | Brian Brock <bbrock> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | CC: | barryn, dickey, mjc, nalin, wtogami |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2004-06-18 19:50:52 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
David Downes
2004-05-19 00:11:24 UTC
That sounds like the answerback string. But I changed that to an empty string 4 years ago (perhaps Redhat's customization of app-defaults added it back). There was a whole raft of security updates to various terminal emulators, see CAN-2003-0063 for a reference. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0063 This issue might still affect gnome-terminal, needs testing. However note that you still need to convince someone to press return in order to execute the command. *** Bug 103804 has been marked as a duplicate of this bug. *** Hi David. vte (the component which gnome-terminal is built on) interprets some unprintable "control" characters specially to provide features for programs to be able to set the window title, move the cursor around, switching the font to symbols (for drawing), and things of that nature. Most recognized sequences of unprintable characters only cause some visual change, but there are a few that will cause strings to be injected directly onto the console. In particular, with versions of vte 0.11.10 and older the character ENQ (control-E) displayed "xterm". When you cat binary data, the terminal can misinterpret parts of that data as control characters. This is why xterm is popping up. Note, newer versions of vte (and xterm) don't return "xterm", but instead return an empty string when reading the ENQ character. For more information see the upstream bug reports: http://bugzilla.gnome.org/show_bug.cgi?id=114334 http://bugzilla.gnome.org/show_bug.cgi?id=116495 Before version 0.10.25, vte would allow the window title to be sent to the console, which had security issues. Newer versions of vte will not do this, however. |