      ZZLI4416             linux.debian.bugs.dist             15094 messages      

  Msg # 14954 of 15094 on ZZLI4416, Monday 8-10-25, 9:01  
  From: VINCENT LEFEVRE  
  To: VINCENT LEFEVRE  
  Subj: Bug#1110769: xterm: segfault in ScrnWrit  
 XPost: linux.debian.maint.x 
 From: vincent@vinc17.net 
  
 Control: clone -1 -2 
 Control: retitle -2 xterm: allowC1Printable (-k8) does the opposite of what it says 
  
 On 2025-08-11 01:09:26 +0200, Vincent Lefevre wrote: 
 > An attacker could make an xterm crash by providing such a sequence 
 > in a text file. It is generally a bad idea to cat untrusted and 
 > unfiltered data to a terminal, but here, the sequence is so simple 
 > that it could pass through. Or it could be a mistake, as I've just 
 > done (I forgot to remove "-o -" from arguments); this was on several 
 > hundred KB of binary data, and I could reduce the testcase to 
 > just 3 bytes. 
  
 Well, the sequence should have been safe with my xterm settings, 
 because I had set allowC1Printable to true for this purpose. 
 The issue is that allowC1Printable does the opposite of what 
 it says. So data that should have been safe are actually unsafe 
 with "*allowC1Printable: true"! 
  
 Moreover, it seems that bug 839220 has reappeared. Both 
  
   xterm -k8 -hold -e printf "\\x1b\\xa5@\\xc3\\xa9\\n" 
   xterm +k8 -hold -e printf "\\x1b\\xa5@\\xc3\\xa9\\n" 
  
 show "Ã©" instead of "é", and UTF-8 encoding is disabled. 
  
 On 2025-08-11 01:37:32 +0200, Vincent Lefevre wrote: 
 > On 2025-08-11 01:09:26 +0200, Vincent Lefevre wrote: 
 > > I've just noticed that it is very easy to make xterm crash with 
 > > some binary data: 
 > > 
 > >   /usr/bin/xterm -e 'printf "\\x9a\\x85\\x08"; sleep 2' 
 > 
 > Something important: this depends on the xterm settings. 
 > One needs the following in the XTerm resources: 
 > 
 > *allowC1Printable:  true 
 > *VT100.reverseWrap: true 
  
 Here, the setting should be that C1 control characters are 
 regarded as control characters. The "*allowC1Printable: true" 
 is due to the bug mentioned above. One would have expected 
 "*allowC1Printable: false" to reproduce the bug. 
  
 [...] 
 > So, to restrict to ASCII: 
 > 
 >   /usr/bin/xterm -e 'printf "\\eZ\\n\\x08"; sleep 2' 
 > 
 > which still makes xterm segfault. And with this one, one just needs 
 > 
 > *VT100.reverseWrap: true 
  
 This one is not affected by the allowC1Printable bug. 
  
 -- 
 Vincent Lefèvre  - Web:  
 100% accessible validated (X)HTML - Blog:  
 Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon) 
  
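As an added example (not from the report and not xterm's own code), a filter in the spirit of the advice above that untrusted data should not reach a terminal unfiltered: it decodes with the terminal's encoding and removes C0 controls such as BS, ESC-introduced sequences such as ESC Z, and C1 controls whether they arrive as raw 8-bit bytes or in UTF-8, so the resource setting discussed here no longer decides what the terminal interprets. The sequence classification is my own assumption based on ECMA-48, not xterm's parser.

```python
import re

# Constructed example (not xterm's own code): remove the control classes the
# report involves before untrusted data reaches a terminal. Sequence shapes
# follow ECMA-48; treat the exact coverage as an assumption, not a guarantee.
_UNSAFE = re.compile(
    # CSI: ESC [ (7-bit) or U+009B (8-bit/UTF-8), parameters, intermediates, final
    r"(?:\x1b\[|\x9b)[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]"
    # control strings DCS/OSC/PM/APC, up to ST (ESC \ or U+009C) or BEL
    r"|(?:\x1b[P\]^_]|[\x90\x9d\x9e\x9f])[^\x1b\x07\x9c]*(?:\x1b\\|\x07|\x9c)?"
    # nF, Fe, Fs and Fp sequences such as ESC Z, or a lone ESC at end of input
    r"|\x1b[\x20-\x2f]*[\x30-\x7e]?"
    # any remaining C1 control (U+0080..U+009F)
    r"|[\x80-\x9f]"
    # C0 controls and DEL, keeping TAB, LF and CR
    r"|[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]"
)


def sanitize_for_terminal(data: bytes, encoding: str = "utf-8") -> str:
    """Decode with the terminal's encoding, then drop control sequences.

    In UTF-8 mode a stray byte such as 0x9a is not a character at all and
    becomes U+FFFD (what a UTF-8 terminal would display); with an 8-bit
    encoding such as latin-1 the same byte decodes to a C1 control and is
    removed. Either way no C0/C1 control or ESC sequence survives.
    """
    text = data.decode(encoding, errors="replace")
    return _UNSAFE.sub("", text)


def is_safe_for_terminal(data: bytes, encoding: str = "utf-8") -> bool:
    """True only if nothing would be removed and every byte decoded cleanly."""
    text = data.decode(encoding, errors="replace")
    return _UNSAFE.search(text) is None and "\ufffd" not in text


if __name__ == "__main__":
    # The sequences quoted in the report, constructed here as byte strings.
    for sample in (b"\x9a\x85\x08", b"\x1bZ\n\x08", b"\x1b\xa5@\xc3\xa9\n"):
        for enc in ("utf-8", "latin-1"):
            print(enc, sample, "->", repr(sanitize_for_terminal(sample, enc)))
```

Run with latin-1 the third sample decodes to "¥@Ã©", which is the same two-character rendering of \xc3\xa9 that the report describes when UTF-8 is disabled.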
