From: Andreas Schwab <schwab@linux-m68k.org>
To: "Randall S. Becker" <rsbecker@nexbridge.com>
Cc: "'Jonathan Nieder'" <jrnieder@gmail.com>,
"'Salvatore Bonaccorso'" <carnil@debian.org>,
<889680@bugs.debian.org>, <git@vger.kernel.org>
Subject: Re: git: CVE-2018-1000021: client prints server sent ANSI escape codes to the terminal, allowing for unverified messages to potentially execute arbitrary commands
Date: Wed, 07 Feb 2018 17:52:45 +0100 [thread overview]
Message-ID: <871shwpwrm.fsf@linux-m68k.org> (raw)
In-Reply-To: <00b601d39f9d$7a40b820$6ec22860$@nexbridge.com> (Randall S. Becker's message of "Tue, 6 Feb 2018 17:54:37 -0500")
On Feb 06 2018, "Randall S. Becker" <rsbecker@nexbridge.com> wrote:
> What I don't know - and it's not explicitly in the CVE - is just how many
> other terminal types with similar vulnerabilities are out there, but I'm
> suspecting it's larger than one would guess - mostly, it seems like this
> particular sequence is intended to be used for writing status line output
> (line 25?) instead of sticking it in a prompt. This can be used prettifies a
> lengthy bash prompt to display the current branch and repository at the
> bottom of the screen instead of in the inline prompt, but that's the user's
> choice and not something git has to deal with. There were some green-screen
> terminals with other weird ESC sequences back in the day that could really
> get into trouble with this, including loading/executing programs in terminal
> memory via output - really. I'm sure it seemed like a good idea at the time,
> but I can see how it could have been used for evil.
Do you also want to block "+++AT"? :-)
Andreas.
--
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756 01D3 44D5 214B 8276 4ED5
"And now for something completely different."
next prev parent reply other threads:[~2018-02-07 16:52 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <151785928011.30076.5964248840190566119.reportbug@eldamar.local>
2018-02-05 20:43 ` git: CVE-2018-1000021: client prints server sent ANSI escape codes to the terminal, allowing for unverified messages to potentially execute arbitrary commands Jonathan Nieder
2018-02-06 22:54 ` Randall S. Becker
2018-02-07 16:52 ` Andreas Schwab [this message]
2018-02-07 17:15 ` Randall S. Becker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871shwpwrm.fsf@linux-m68k.org \
--to=schwab@linux-m68k.org \
--cc=889680@bugs.debian.org \
--cc=carnil@debian.org \
--cc=git@vger.kernel.org \
--cc=jrnieder@gmail.com \
--cc=rsbecker@nexbridge.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).