oss-sec mailing list archives

Re: xterm terminal crash due to malicious character sequences in file name


From: Thomas Dickey <dickey () his com>
Date: Wed, 13 Aug 2025 15:09:46 -0400

On Wed, Aug 13, 2025 at 07:00:58PM +0200, Vincent Lefevre wrote:
> The following makes the xterm terminal crash
>
>   touch "$(printf "file\e[H\e[c\n\b")"
>   gunzip file*
>
> due to malicious character sequences in the file name and a bug in
> xterm. Same issue with bunzip2 instead of gunzip.
>
> Note that in practice, such a file name is not necessarily created by
> the end user who runs gunzip. It may come from a downloaded archive
> or from another user on a shared machine.
>
> Is this regarded as a vulnerability, in particular due to the loss of
> the shell session and associated data (which cannot be recovered)?

Vincent omitted his custom configuration (reverseWrap), which affects the
number of users affected.
 
> Which is or are the culprit(s)?
>   * xterm itself (note that it is also possible to make some recent
>     xterm versions crash without these usual escape sequences);
>   * gzip and bzip2, which should sanitize the output to the terminal
>     (like many other utilities already do nowadays);
>   * the file system, which should not allow the creation of such
>     file names (I don't know what POSIX says exactly)?
>
> FYI, I've just reported bugs:
>
>   https://debbugs.gnu.org/cgi/bugreport.cgi?bug=79231 for gzip
>   https://sourceware.org/bugzilla/show_bug.cgi?id=33276 for bzip2
>
> (I had also reported 2 bugs against xterm related to its crash
> in the Debian BTS.)

Dereferencing a null pointer:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110769

(no buffer overflows, etc).

-- 
Thomas E. Dickey <dickey () invisible-island net>
https://invisible-island.net
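
Added example, not part of the thread and not code from gzip, bzip2 or xterm: one way a utility can make a file name safe before writing it to a terminal, as the quoted message suggests gzip and bzip2 should. The function name escape_for_terminal and the diagnostic text are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from gzip, bzip2 or xterm): copy `name` into `out`
 * with every byte a terminal might interpret made visible. C0 controls, DEL
 * and all bytes >= 0x80 (which covers 8-bit C1 controls such as CSI, 0x9b)
 * become \ooo octal escapes; a backslash is doubled so the output stays
 * unambiguous. Escaping all high bytes also escapes UTF-8 text, a deliberate
 * simplification. Returns the length written, or (size_t)-1 if `out` is too
 * small (its contents are then unspecified). */
size_t escape_for_terminal(const char *name, char *out, size_t outsz)
{
    size_t o = 0;

    if (outsz == 0)
        return (size_t)-1;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (*p == '\\') {
            if (outsz - o < 3)
                return (size_t)-1;
            out[o++] = '\\';
            out[o++] = '\\';
        } else if (*p < 0x20 || *p >= 0x7f) {
            if (outsz - o < 5)
                return (size_t)-1;
            o += (size_t)snprintf(out + o, outsz - o, "\\%03o", (unsigned)*p);
        } else {
            if (outsz - o < 2)
                return (size_t)-1;
            out[o++] = (char)*p;
        }
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* The file name from the report above: ESC [ H, ESC [ c, newline, backspace. */
    const char *name = "file\033[H\033[c\n\b";
    char safe[128];

    if (escape_for_terminal(name, safe, sizeof safe) == (size_t)-1)
        return 1;
    /* A diagnostic built this way reaches the terminal as printable text only. */
    printf("example: %s: unexpected input\n", safe);
    return 0;
}
```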
