[Secure-testing-team] Bug#787628: Bracketed paste is unsafe
Yuri D'Elia
wavexx at thregr.org
Wed Jun 3 13:56:28 UTC 2015

Package: rxvt-unicode
Version: 9.21-1
Severity: important
Tags: security upstream patch

This is not really news as this is an age-old attack with low impact:
rxvt-unicode does not filter end sequences when using bracketed paste mode. You
can try this by following this web page:

https://thejh.net/misc/website-terminal-copy-paste

and using the oh-my-zsh "safe-paste" plugin. Pasted data can escape the
bracketed mode, which might result in unsafe input.

This is confirmed by fetching urxvt source and seeing the definition of
rxvt_term::tt_paste in screen.C.

Patch attached.

-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (900, 'unstable'), (800, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages rxvt-unicode-256color depends on:
ii base-passwd 3.5.37
ii libc6 2.19-18
ii libfontconfig1 2.11.0-6.3
ii libfreetype6 2.5.2-4
ii libgcc1 1:5.1.1-8
ii libgdk-pixbuf2.0-0 2.31.4-2
ii libglib2.0-0 2.44.1-1
ii libperl5.20 5.20.2-6
ii libstartup-notification0 0.12-4
ii libx11-6 2:1.6.3-1
ii libxft2 2.3.2-1
ii libxrender1 1:0.9.8-1+b1
ii ncurses-term 5.9+20150516-2
Versions of packages rxvt-unicode-256color recommends:
ii fonts-vlgothic [fonts-japanese-gothic] 20141206-1
pn ttf-dejavu <none>
rxvt-unicode-256color suggests no packages.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bracketed-paste-escape.diff
Type: text/x-diff
Size: 511 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20150603/89299e18/attachment.diff>
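
An added example, not the patch attached to this report (the archive scrubbed it) and not urxvt's own code: one way a terminal can filter the bracketed-paste end sequence `ESC [ 201 ~` out of clipboard data before wrapping it in the start and end markers. The function names and the sample clipboard text are constructed for illustration; the filter re-checks the output tail after every byte, so an end sequence that only forms once an inner one has been deleted is removed too.

```c
#include <stdio.h>
#include <string.h>

#define PASTE_START "\033[200~"
#define PASTE_END   "\033[201~"
#define MARK_LEN    6

/* Remove every PASTE_END from buf in place and return the new length.
 * Each kept byte is pushed onto the output; when the output tail equals
 * PASTE_END the tail is popped, so a terminator that is only assembled
 * after an inner one is deleted gets removed as well. */
size_t strip_paste_end(char *buf, size_t len)
{
    size_t out = 0;
    for (size_t i = 0; i < len; i++) {
        buf[out++] = buf[i];
        if (out >= MARK_LEN &&
            memcmp(buf + out - MARK_LEN, PASTE_END, MARK_LEN) == 0)
            out -= MARK_LEN;
    }
    return out;
}

/* Wrap untrusted clipboard data for an application that enabled bracketed
 * paste. Returns the bytes written to dst, or 0 if dst is too small. */
size_t bracket_paste(const char *data, size_t len, char *dst, size_t cap)
{
    if (cap < 2 * MARK_LEN || len > cap - 2 * MARK_LEN)
        return 0;
    memcpy(dst, PASTE_START, MARK_LEN);
    memcpy(dst + MARK_LEN, data, len);
    size_t kept = strip_paste_end(dst + MARK_LEN, len);
    memcpy(dst + MARK_LEN + kept, PASTE_END, MARK_LEN);
    return kept + 2 * MARK_LEN;
}

int main(void)
{
    /* Constructed sample: clipboard text carrying an embedded end sequence. */
    const char clip[] = "echo one\033[201~\necho two\n";
    char out[128];
    size_t n = bracket_paste(clip, sizeof clip - 1, out, sizeof out);
    for (size_t i = 0; i < n; i++)      /* print with ESC made visible */
        if (out[i] == '\033') fputs("\\e", stdout); else putchar(out[i]);
    putchar('\n');
    return 0;
}
```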