Re: Eterm & others allow arbitrary commands execution via escape sequencies [Was: CAN-2003-0020?]

To: debian-security@lists.debian.org
Subject: Re: Eterm & others allow arbitrary commands execution via escape sequencies [Was: CAN-2003-0020?]
From: Matt Zimmerman <mdz@debian.org>
Date: Mon, 19 Apr 2004 09:32:47 -0700
Message-id: <[🔎] 20040419163247.GM31523@alcor.net>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 20040419160851.GA27171@kontryhel.haltyr.dyndns.org>
References: <[🔎] 200404172216.11138.jluehr@gmx.net> <[🔎] 20040418165633.GW12830@alcor.net> <[🔎] 200404182047.16630.jluehr@gmx.net> <[🔎] 20040418185821.GB12830@alcor.net> <[🔎] 20040419160851.GA27171@kontryhel.haltyr.dyndns.org>

On Mon, Apr 19, 2004 at 06:08:51PM +0200, Jan Minar wrote:

> On Sun, Apr 18, 2004 at 11:58:21AM -0700, Matt Zimmerman wrote:
> > untrusted source.  This is a fundamental Unix feature (or flaw).  Terminal
> > control sequences may be contained in the data.
> 
> I've read this [1]analysis by by H D Moore.  No matter how convenient
> the escape sequences that allow injecting of arbitrary data as-if typed
> by the user might be, they should go, and they should go now.

Yes, I agree.  Patches and bug reports, where appropriate, are welcome.
These are the real bugs, not Apache's.

-- 
 - mdz

Reply to:

Follow-Ups:
- Re: Eterm & others allow arbitrary commands execution via escape sequencies [Was: CAN-2003-0020?]
  - From: Jan Minar <jjminar@fastmail.fm>

References:
- CAN-2003-0020?
  - From: Jan Lühr <jluehr@gmx.net>
- Re: CAN-2003-0020?
  - From: Matt Zimmerman <mdz@debian.org>
- Re: CAN-2003-0020?
  - From: Jan Lühr <jluehr@gmx.net>
- Re: CAN-2003-0020?
  - From: Matt Zimmerman <mdz@debian.org>
- Eterm & others allow arbitrary commands execution via escape sequencies [Was: CAN-2003-0020?]
  - From: Jan Minar <jjminar@fastmail.fm>

Prev by Date: Eterm & others allow arbitrary commands execution via escape sequencies [Was: CAN-2003-0020?]
Next by Date: Re: [SECURITY] [DSA 479-2] New Linux 2.4.18 packages fix local root exploit (i386)
Previous by thread: Eterm & others allow arbitrary commands execution via escape sequencies [Was: CAN-2003-0020?]
Next by thread: Re: Eterm & others allow arbitrary commands execution via escape sequencies [Was: CAN-2003-0020?]
Index(es):
- Date
- Thread