Bug 1961358

Summary: rxvt: Terminal emulator processing of escape sequences flaw
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: amurdaca, andreas.bierfert, dcantrell, mtasaka, rharwood
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-17 20:33:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1961359, 1961360, 1961361, 1961795, 1961796, 1961797    
Bug Blocks:    

Description Pedro Sampaio 2021-05-17 18:44:11 UTC 
Date: Mon, 1 May 2017 18:44:28 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: terminal emulators' processing of escape sequences

Hi,

It is a well-known feature, previously discussed in here, that data
printed to a terminal (emulator) may control that terminal, including
making it effectively unusable until reset, and in some cases even
pasting characters as if they were typed by the user.  Also as discussed
what characters may be pasted varies by terminal - sometimes they can be
arbitrary (e.g., if the terminal supports macro recording and playback
via escape sequences) and sometimes not so (like a terminal reporting
back its status, usually not followed by a linefeed, so not yet
executing a shell command until further user assistance).  Here are some
relevant threads:

http://www.openwall.com/lists/oss-security/2015/08/11/8
http://www.openwall.com/lists/oss-security/2015/09/17/5
http://www.openwall.com/lists/oss-security/2016/11/04/12

(I link to messages that started these threads, not necessarily to most
informative messages in the threads.  So you might want to go through
the threads with the "thread-next" links.)

Besides (mis)features, there may also be implementation bugs.  A couple
of weeks ago, I brought in here vulnerabilities in terminal escape
handling in minicom and prl-vzvncserver (both already fixed in latest
versions by then):

http://www.openwall.com/lists/oss-security/2017/04/18/5

I already knew this wouldn't be the end of the story as some other
terminal emulators exhibited suspicious behavior when targeted with
streams of unusual escape sequences involving large or negative integer
parameters.  I sent the following to the distros list on April 17,
presented here with updates reflecting the current status.

[continues]

References:

https://www.openwall.com/lists/oss-security/2017/05/01/13

Recent exploit:

https://www.openwall.com/lists/oss-security/2021/05/17/1
Comment 1 Pedro Sampaio 2021-05-17 18:44:49 UTC 
Created mrxvt tracking bugs for this issue:

Affects: fedora-all [bug 1961359]


Created rxvt-unicode tracking bugs for this issue:

Affects: epel-all [bug 1961361]
Affects: fedora-all [bug 1961360]
Comment 2 Product Security DevOps Team 2021-05-17 20:33:44 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.