Re: xterm terminal crash due to malicious character sequences in file name

[Thomas Dickey <dickey () his com>]

On Wed, Aug 13, 2025 at 07:00:58PM +0200, Vincent Lefevre wrote:
> The following makes the xterm terminal crash
>
>   touch "$(printf "file\e[H\e[c\n\b")"
>   gunzip file*
>
> due to malicious character sequences in the file name and a bug in
> xterm. Same issue with bunzip2 instead of gunzip.
>
> Note that in practice, such a file name is not necessarily created by
> the end user who runs gunzip. It may come from a downloaded archive
> or from another user on a shared machine.
>
> Is this regarded as a vulnerability, in particular due to the loss of
> the shell session and associated data (which cannot be recovered)?

Vincent omitted his custom configuration (reverseWrap), which affects the
number of users affected.
 
> Which is or are the culprit(s)?
>   * xterm itself (note that it is also possible to make some recent
>     xterm versions crash without these usual escape sequences);
>   * gzip and bzip2, which should sanitize the output to the terminal
>     (like many other utilities already do nowadays);
>   * the file system, which should not allow the creation of such
>     file names (I don't know what POSIX says exactly)?
>
> FYI, I've just reported bugs:
>
>   https://debbugs.gnu.org/cgi/bugreport.cgi?bug=79231 for gzip
>   https://sourceware.org/bugzilla/show_bug.cgi?id=33276 for bzip2
>
> (I had also reported 2 bugs against xterm related to its crash
> in the Debian BTS.)

Dereferencing a null pointer:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110769

(no buffer overflows, etc).

-- 
Thomas E. Dickey <dickey () invisible-island net>
https://invisible-island.net

Attachment: signature.asc
Description: