On Wed, Aug 13, 2025 at 07:00:58PM +0200, Vincent Lefevre wrote:
> The following makes the xterm terminal crash
>
>   touch "$(printf "file\e[H\e[c\n\b")"
>   gunzip file*
>
> due to malicious character sequences in the file name and a bug in
> xterm. Same issue with bunzip2 instead of gunzip.
>
> Note that in practice, such a file name is not necessarily created by
> the end user who runs gunzip. It may come from a downloaded archive
> or from another user on a shared machine.
>
> Is this regarded as a vulnerability, in particular due to the loss of
> the shell session and associated data (which cannot be recovered)?

Vincent omitted his custom configuration (reverseWrap), which affects
the number of users affected.

> Which is or are the culprit(s)?
>   * xterm itself (note that it is also possible to make some recent
>     xterm versions crash without these usual escape sequences);
>   * gzip and bzip2, which should sanitize the output to the terminal
>     (like many other utilities already do nowadays);
>   * the file system, which should not allow the creation of such
>     file names (I don't know what POSIX says exactly)?
>
> FYI, I've just reported bugs:
>
>   https://debbugs.gnu.org/cgi/bugreport.cgi?bug=79231 for gzip
>   https://sourceware.org/bugzilla/show_bug.cgi?id=33276 for bzip2
>
> (I had also reported 2 bugs against xterm related to its crash
> in the Debian BTS.)

Dereferencing a null pointer:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110769

(no buffer overflows, etc).

-- 
Thomas E. Dickey <[email protected]>
https://invisible-island.net
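
The quoted message says gzip and bzip2 should sanitize what they write to the terminal. As an added example (not part of this thread, and not code from gzip, bzip2 or xterm), here is one way a C utility could escape a file name before printing it in a diagnostic; the function name `sanitize_name`, the `\xNN` escape style and the message text are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Copy name into out, replacing bytes a terminal would act on with \xNN.
 * Returns the output length, or -1 if out (outsz bytes) is too small. */
static int sanitize_name(const char *name, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    const unsigned char *p = (const unsigned char *)name;
    size_t o = 0;

    while (*p) {
        unsigned char c = *p;
        /* C1 controls (e.g. U+009B, CSI) arrive in UTF-8 as 0xC2 0x80..0x9F. */
        int c1 = (c == 0xC2 && p[1] >= 0x80 && p[1] <= 0x9F);
        int n = c1 ? 2 : 1;

        if (c < 0x20 || c == 0x7F || c == '\\' || c1) {
            /* C0 controls, DEL, C1; backslash too, so the output is unambiguous. */
            for (int i = 0; i < n; i++) {
                if (o + 4 >= outsz) return -1;
                out[o++] = '\\'; out[o++] = 'x';
                out[o++] = hex[p[i] >> 4];
                out[o++] = hex[p[i] & 0x0F];
            }
        } else {
            if (o + 1 >= outsz) return -1;
            out[o++] = (char)c;   /* printable ASCII and other UTF-8 bytes */
        }
        p += n;
    }
    if (outsz == 0) return -1;
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* The file name from the report: ESC [ H, ESC [ c, newline, backspace. */
    const char *name = "file\033[H\033[c\n\b";
    char safe[4 * 64 + 1];

    /* Escape only when the message goes to a terminal; pipes get raw bytes. */
    if (isatty(STDERR_FILENO))
        name = sanitize_name(name, safe, sizeof safe) >= 0 ? safe : "(unprintable name)";
    fprintf(stderr, "example: %s: unexpected end of file\n", name); /* constructed message */
    return 0;
}
```

On a terminal this prints the name as `file\x1b[H\x1b[c\x0a\x08`, so the escape sequences reach the screen as text instead of being interpreted.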
