Bug 84587
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | rxvt contains a number of vulnerabilities in escape sequences | | |
| Product: | Red Hat Enterprise Linux 2.1 | Reporter: | Mark J. Cox <mjc> |
| Component: | rxvt | Assignee: | Harald Hoyer <harald> |
| Status: | CLOSED ERRATA | QA Contact: | David Lawrence <dkl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 2.1 | CC: | dickey, kmaraas |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2003-04-04 09:36:46 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Mark J. Cox
2003-02-19 09:27:04 UTC
echo -e "\e]2;test\e[21t" seems to be a DOS attack ... ah, ok... \a was missing in the last sequence

How is this different in any degree from a script which performs the same action without regard to what is stored in the title? None.

? the last thing?

All that's being noted is that someone is able to store data someplace and later retrieve it. Just like improperly quoted shell scripts...

well, these scripts usually do not get executed, if you display a log file... (from apache or s.th. else)

I find the comment reasonable only if the logfile contains other escape characters that the person wants to pass through "less -R". (People who simply cat binary files to their terminal have a variety of ways to affect things, including logging themselves off ;-)

Most administrators I know use various tools like 'tail -f', 'more', and 'grep' when looking through log files - the first problem is of course that those log files should properly strip or encode escape characters. Apache does a good job of encoding access logs but not error logs, but this isn't just a problem with Apache logs. So given that an administrator may well be looking at externally influenced strings including escape characters we want to minimise the impact that those can have - removing the ability to create arbitrary files, removing a DOS (not a very exciting issue), and removing the window title reporting which could be used to trick the admin into executing arbitrary commands.

This has been released now, right?

An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2003-055.html
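The thread's mitigation point is that log files reaching an administrator's terminal should have escape sequences stripped or encoded. The following is an added example (not code from the bug report or from rxvt) of a small log sanitizer that removes OSC and CSI sequences, makes any leftover control bytes visible, and flags lines that combine a title-set (OSC 2) with a title-report request (CSI 21 t), the pair discussed above. The sample log lines are constructed for the example.

```python
import re

# Constructed sample lines: one clean, one carrying the OSC-2 title set plus
# CSI 21t title report from the bug, one with ordinary SGR colour codes.
SAMPLE_LOG = [
    "GET /index.html 200",
    "GET /\x1b]2;injected-title\x07\x1b[21t HTTP/1.0 404",
    "GET /\x1b[31mred\x1b[0m 200",
]

# OSC: ESC ] ... terminated by BEL or ST (ESC \).  CSI: ESC [ params final.
# Any other two-byte ESC Fe sequence is caught by ESC_RE after the first two.
OSC_RE = re.compile(r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")
CSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
ESC_RE = re.compile(r"\x1b[@-Z\\-_]")
TITLE_SET_RE = re.compile(r"\x1b\]2;[^\x07\x1b]*(?:\x07|\x1b\\)")
TITLE_REPORT_RE = re.compile(r"\x1b\[21t")


def encode_controls(line):
    """Render every C0 control byte except TAB, and DEL, as caret notation."""
    out = []
    for ch in line:
        code = ord(ch)
        if code < 0x20 and ch != "\t":
            out.append("^" + chr(code + 0x40))
        elif code == 0x7F:
            out.append("^?")
        else:
            out.append(ch)
    return "".join(out)


def strip_sequences(line):
    """Drop recognised escape sequences, then neutralise whatever remains.

    An unterminated OSC loses only its ESC ] prefix; the rest is then
    plain text and can no longer retitle or query the terminal.
    """
    line = OSC_RE.sub("", line)
    line = CSI_RE.sub("", line)
    line = ESC_RE.sub("", line)
    return encode_controls(line)


def has_title_report_abuse(line):
    """True when a line both sets a window title and asks for it back."""
    return bool(TITLE_SET_RE.search(line) and TITLE_REPORT_RE.search(line))


def sanitize_log(lines):
    """Return (cleaned lines, indexes of lines matching the title trick)."""
    cleaned = [strip_sequences(l) for l in lines]
    flagged = [i for i, l in enumerate(lines) if has_title_report_abuse(l)]
    return cleaned, flagged
```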