Solar Designer <[email protected]> writes:

> On Wed, Apr 03, 2024 at 11:03:17AM +1100, Matthew Fernandez wrote:
>> On 4/1/24 08:30, Solar Designer wrote:
>> >On Sat, Mar 30, 2024 at 04:37:48PM -0000, Tavis Ormandy wrote:
>> >>It was also pointed out they submitted an odd PR to libarchive:
>> >>
>> >>https://github.com/libarchive/libarchive/pull/1609
>> >>
>> >>In summary, they replaced calls to safe_fprintf() with fprintf() --
>> >>meaning control characters are no longer filtered from errors. That
>> >>seems pretty minor, but now that we know they were in the business of
>> >>obfuscating the presence of backdoors -- seems a bit suspicious.
>> >>
>> >>Regardless, that change has now been reverted:
>> >>
>> >>https://github.com/libarchive/libarchive/pull/2101
>> >
>> >This does look minor indeed - not usable for large-scale attacks, and
>> >libarchive is quite unique in that it even bothered to filter control
>> >characters, whereas most command-line tools outputting filenames don't
>> >bother. My guess is it could have been an early experiment to see
>> >whether the project would accept PRs degrading security.
>> >
>> >That said, here's an excellent write-up by David Leadbeater on specific
>> >ways that specific terminal emulators may be usefully attacked with
>> >control sequences:
>> >
>> >https://dgl.cx/2023/09/ansi-terminal-security#vulnerabilities-using-known-replies
>>
>> Is the currently accepted wisdom that any application printing to
>> stdout/stderr should take steps to avoid control characters in the
>> output?
>
> First, let's limit this to cases where the control characters come from
> potentially untrusted input to the program. Obviously, many programs
> generate terminal escapes on their own (usually via a library), for
> their intended functionality (colorized listings, TUIs, etc.) Some
> programs pass potential control characters from their trusted input.
>
> Second, I think no, there isn't currently an established opinion on
> whether programs should perform such filtering of untrusted input.

Lasse has put up an initial implementation for xz:
https://github.com/tukaani-project/xz/pull/118. Comments are welcome.
It was a TODO from a long time ago ;)

We're not sure how much is overkill (or underkill) for this, especially
given it gets harder when Unicode is involved.

> [...]

thanks,
sam
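The thread above is about masking untrusted filenames before they reach a terminal, and about the Unicode cases that make it harder. The following is an added example written for this page; it is not code from xz, libarchive, or the xz PR linked above, and the policy it implements (replace C0 controls, DEL, C1 controls and malformed UTF-8 bytes with '?') and its small hand-written UTF-8 decoder are assumptions chosen for the illustration. The decoder is deliberately locale-independent, so the same bytes are masked whether or not the program has called setlocale().

```c
/* Sanitise an untrusted filename before printing it to a terminal.
 * Added example, not code from xz or libarchive. The UTF-8 decoder and
 * the policy (replace C0, DEL, C1 and malformed bytes with '?') are
 * assumptions made for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BAD_CP 0xFFFFFFFFu  /* sentinel for a malformed UTF-8 sequence */

/* Decode one UTF-8 sequence from s[0..n). Returns bytes consumed (>= 1).
 * Overlong forms, surrogates, values above U+10FFFF and truncated
 * sequences are rejected: *cp is set to BAD_CP and only one byte is
 * consumed, so the caller resynchronises on the next byte. */
static size_t utf8_decode(const unsigned char *s, size_t n, uint32_t *cp)
{
    size_t len;
    uint32_t v, min;
    unsigned char b = s[0];

    if (b < 0x80) { *cp = b; return 1; }
    if (b >= 0xC2 && b <= 0xDF) { len = 2; v = b & 0x1F; min = 0x80; }
    else if (b >= 0xE0 && b <= 0xEF) { len = 3; v = b & 0x0F; min = 0x800; }
    else if (b >= 0xF0 && b <= 0xF4) { len = 4; v = b & 0x07; min = 0x10000; }
    else { *cp = BAD_CP; return 1; }  /* stray continuation, 0xC0/0xC1, 0xF5+ */

    if (n < len) { *cp = BAD_CP; return 1; }  /* truncated at end of string */
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) { *cp = BAD_CP; return 1; }
        v = (v << 6) | (s[i] & 0x3F);
    }
    if (v < min || v > 0x10FFFF || (v >= 0xD800 && v <= 0xDFFF)) {
        *cp = BAD_CP;  /* overlong, surrogate or out of range */
        return 1;
    }
    *cp = v;
    return len;
}

/* C0 controls (including ESC, BEL, TAB, LF), DEL and the C1 controls
 * U+0080..U+009F (which include the 8-bit CSI U+009B and OSC U+009D) can
 * all start or terminate a terminal control sequence, so none of them
 * are passed through. */
static int terminal_unsafe(uint32_t cp)
{
    return cp < 0x20 || cp == 0x7F || (cp >= 0x80 && cp <= 0x9F);
}

/* Copy `in` to `out` (at most outsz-1 bytes, always NUL-terminated),
 * replacing each unsafe code point or malformed byte with '?'.
 * Returns the number of replacements made. */
size_t sanitize_for_terminal(const char *in, char *out, size_t outsz)
{
    const unsigned char *s = (const unsigned char *)in;
    size_t n = strlen(in), i = 0, o = 0, replaced = 0;

    if (outsz == 0) return 0;
    while (i < n) {
        uint32_t cp;
        size_t len = utf8_decode(s + i, n - i, &cp);
        if (cp == BAD_CP || terminal_unsafe(cp)) {
            if (o + 1 >= outsz) break;
            out[o++] = '?';
            replaced++;
        } else {
            if (o + len >= outsz) break;  /* never emit a partial sequence */
            memcpy(out + o, s + i, len);
            o += len;
        }
        i += len;
    }
    out[o] = '\0';
    return replaced;
}

/* Helper used for self-checks: sanitise `in` and compare with the
 * expected output and replacement count. */
int sanitize_gives(const char *in, const char *expected, size_t expected_replaced)
{
    char buf[256];
    size_t r = sanitize_for_terminal(in, buf, sizeof buf);
    return r == expected_replaced && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample "filename": an OSC title-set sequence, an 8-bit
     * CSI (U+009B), a valid UTF-8 'é' and a lone invalid 0xFF byte. */
    const char *name = "\x1b]0;pwned\x07 \xC2\x9B" "31mcaf\xC3\xA9\xFF.txt";
    char buf[256];
    size_t r = sanitize_for_terminal(name, buf, sizeof buf);
    printf("cannot open %s (%zu byte(s) masked)\n", buf, r);
    return 0;
}
```

The point of decoding UTF-8 rather than masking bytes above 0x7F wholesale is the one Sam raises: a byte-level filter either strips every non-ASCII filename or lets the two-byte encodings of the C1 controls (0xC2 0x80..0xC2 0x9F) straight through to the terminal. This example also leaves bidirectional overrides and other non-control code points alone; whether those belong in the mask is exactly the overkill/underkill question the PR discussion is about.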
