oss-sec mailing list archives
Re: s/party/hack like it's 1999
From: David Holland <dholland-oss-security () netbsd org>
Date: Mon, 21 Sep 2015 16:43:46 +0000
On Sun, Sep 20, 2015 at 06:26:31AM +0300, Solar Designer wrote:
> Note that all that was needed for this to happen was for a stray C2 byte from one writer to get injected just before the character-final 9B byte of a multibyte character from another writer. I specifically chose my example so that both writers output data which is well-formed and printable UTF-8, but that was not necessary. Since I see no reasonable application-side mitigation for this, I

Yeah.

> A user's mitigation may be to avoid running multiple programs at a time on a UTF-8 terminal. E.g. running "ps &" appears unsafe (although is indeed unlikely to actually be used in a successful attack), even if "ps" replaces control characters with question marks.

I have been arguing for years (but without success) that vt bomb injection needs to be blocked in the tty driver. This problem (corruption of concurrent UTF-8 streams) needs to be too, as a matter of correctness and not even security. You can stty +tostop, but that won't really help very much.

Sigh.

--
David A. Holland
dholland () netbsd org
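The byte interleaving described in the quoted text, followed by a merge that keeps each writer's characters whole, as an added example that is not part of the original message or of any tty driver. The sample characters, the `CharBoundaryMux` class and the assumption that the terminal decodes invalid bytes as U+FFFD are all constructed for illustration.

```python
import codecs

# Constructed sample: two writers, each emitting well-formed printable UTF-8.
WRITER_A = "ś".encode("utf-8")   # C5 9B: character-final byte is 9B
WRITER_B = "©".encode("utf-8")   # C2 A9: lead byte is C2

def c1_controls(data):
    """Decode the way a lenient terminal might (bad bytes become U+FFFD,
    an assumption) and list any C1 control characters that result."""
    text = data.decode("utf-8", errors="replace")
    return [f"U+{ord(ch):04X}" for ch in text if 0x80 <= ord(ch) <= 0x9F]

def naive_merge(events):
    """Byte-granular merge: bytes reach the terminal in arrival order."""
    return b"".join(chunk for _writer, chunk in events)

class CharBoundaryMux:
    """Hypothetical multiplexer: holds back each writer's incomplete
    character and forwards only whole characters."""
    def __init__(self):
        self._decoders = {}

    def write(self, writer, chunk):
        dec = self._decoders.setdefault(
            writer, codecs.getincrementaldecoder("utf-8")(errors="replace"))
        # The incremental decoder buffers a partial sequence until it completes.
        return dec.decode(chunk).encode("utf-8")

def safe_merge(events):
    mux = CharBoundaryMux()
    return b"".join(mux.write(w, c) for w, c in events)

# Arrival order: A's lead byte, B's lead byte, A's final 9B, B's final A9.
EVENTS = [("A", WRITER_A[:1]), ("B", WRITER_B[:1]),
          ("A", WRITER_A[1:]), ("B", WRITER_B[1:])]

if __name__ == "__main__":
    for merge in (naive_merge, safe_merge):
        out = merge(EVENTS)
        print(merge.__name__, out.hex(), c1_controls(out))
```

Neither writer's output contains a control character on its own; only the byte-granular merge produces C2 9B, which decodes to U+009B.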
