From: "Randall S. Becker" <rsbecker@nexbridge.com>
To: "'Andreas Schwab'" <schwab@linux-m68k.org>
Cc: "'Jonathan Nieder'" <jrnieder@gmail.com>,
"'Salvatore Bonaccorso'" <carnil@debian.org>,
<889680@bugs.debian.org>, <git@vger.kernel.org>
Subject: RE: git: CVE-2018-1000021: client prints server sent ANSI escape codes to the terminal, allowing for unverified messages to potentially execute arbitrary commands
Date: Wed, 7 Feb 2018 12:15:00 -0500 [thread overview]
Message-ID: <001f01d3a037$3296deb0$97c49c10$@nexbridge.com> (raw)
In-Reply-To: <871shwpwrm.fsf@linux-m68k.org>
On February 7, 2018 11:53 AM, Andreas Schwab wrote:
> On Feb 06 2018, "Randall S. Becker" <rsbecker@nexbridge.com> wrote:
>
> > What I don't know - and it's not explicitly in the CVE - is just how
> > many other terminal types with similar vulnerabilities are out there,
> > but I'm suspecting it's larger than one would guess - mostly, it seems
> > like this particular sequence is intended to be used for writing
> > status line output (line 25?) instead of sticking it in a prompt. This
> > can be used prettifies a lengthy bash prompt to display the current
> > branch and repository at the bottom of the screen instead of in the
> > inline prompt, but that's the user's choice and not something git has
> > to deal with. There were some green-screen terminals with other weird
> > ESC sequences back in the day that could really get into trouble with
> > this, including loading/executing programs in terminal memory via
> > output - really. I'm sure it seemed like a good idea at the time, but I
can see
> how it could have been used for evil.
>
> Do you also want to block "+++AT"? :-)
Oh dear. Oh dear. You *do* know that actually could be bad. I wonder how
many git users are still using dial-up to clone/push. Of course, they would
probably not even see this message after trying to download it.
Chuckles,
Randall
-- Brief whoami:
NonStop developer since approximately 211288444200000000
UNIX developer since approximately 421664400
-- In my real life, I talk too much.
prev parent reply other threads:[~2018-02-07 17:15 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <151785928011.30076.5964248840190566119.reportbug@eldamar.local>
2018-02-05 20:43 ` git: CVE-2018-1000021: client prints server sent ANSI escape codes to the terminal, allowing for unverified messages to potentially execute arbitrary commands Jonathan Nieder
2018-02-06 22:54 ` Randall S. Becker
2018-02-07 16:52 ` Andreas Schwab
2018-02-07 17:15 ` Randall S. Becker [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='001f01d3a037$3296deb0$97c49c10$@nexbridge.com' \
--to=rsbecker@nexbridge.com \
--cc=889680@bugs.debian.org \
--cc=carnil@debian.org \
--cc=git@vger.kernel.org \
--cc=jrnieder@gmail.com \
--cc=schwab@linux-m68k.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).