From: Andreas Schwab <schwab@linux-m68k.org>
To: "Randall S. Becker" <rsbecker@nexbridge.com>
Cc: "'Jonathan Nieder'" <jrnieder@gmail.com>,
"'Salvatore Bonaccorso'" <carnil@debian.org>,
<889680@bugs.debian.org>, <git@vger.kernel.org>
Subject: Re: git: CVE-2018-1000021: client prints server sent ANSI escape codes to the terminal, allowing for unverified messages to potentially execute arbitrary commands
Date: Wed, 07 Feb 2018 17:52:45 +0100 [thread overview]
Message-ID: <871shwpwrm.fsf@linux-m68k.org> (raw)
In-Reply-To: <00b601d39f9d$7a40b820$6ec22860$@nexbridge.com> (Randall S. Becker's message of "Tue, 6 Feb 2018 17:54:37 -0500")
On Feb 06 2018, "Randall S. Becker" <rsbecker@nexbridge.com> wrote:
> What I don't know - and it's not explicitly in the CVE - is just how many
> other terminal types with similar vulnerabilities are out there, but I'm
> suspecting it's larger than one would guess - mostly, it seems like this
> particular sequence is intended to be used for writing status line output
> (line 25?) instead of sticking it in a prompt. This can be used prettifies a
> lengthy bash prompt to display the current branch and repository at the
> bottom of the screen instead of in the inline prompt, but that's the user's
> choice and not something git has to deal with. There were some green-screen
> terminals with other weird ESC sequences back in the day that could really
> get into trouble with this, including loading/executing programs in terminal
> memory via output - really. I'm sure it seemed like a good idea at the time,
> but I can see how it could have been used for evil.
Do you also want to block "+++AT"? :-)
Andreas.
--
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756 01D3 44D5 214B 8276 4ED5
"And now for something completely different."
next prev parent reply other threads:[~2018-02-07 16:52 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <151785928011.30076.5964248840190566119.reportbug@eldamar.local>
2018-02-05 20:43 ` git: CVE-2018-1000021: client prints server sent ANSI escape codes to the terminal, allowing for unverified messages to potentially execute arbitrary commands Jonathan Nieder
2018-02-06 22:54 ` Randall S. Becker
2018-02-07 16:52 ` Andreas Schwab [this message]
2018-02-07 17:15 ` Randall S. Becker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871shwpwrm.fsf@linux-m68k.org \
--to=schwab@linux-m68k.org \
--cc=889680@bugs.debian.org \
--cc=carnil@debian.org \
--cc=git@vger.kernel.org \
--cc=jrnieder@gmail.com \
--cc=rsbecker@nexbridge.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.