
oss-sec mailing list archives
Re: xterm terminal crash due to malicious character sequences in file name
From: Thomas Dickey <dickey () his com>
Date: Wed, 13 Aug 2025 15:09:46 -0400
On Wed, Aug 13, 2025 at 07:00:58PM +0200, Vincent Lefevre wrote:
> The following makes the xterm terminal crash
>
>   touch "$(printf "file\e[H\e[c\n\b")"
>   gunzip file*
>
> due to malicious character sequences in the file name and a bug
> in xterm. Same issue with bunzip2 instead of gunzip.
>
> Note that in practice, such a file name is not necessarily created
> by the end user who runs gunzip. It may come from a downloaded
> archive or from another user on a shared machine.
>
> Is this regarded as a vulnerability, in particular due to the loss
> of the shell session and associated data (which cannot be recovered)?

Vincent omitted his custom configuration (reverseWrap), which affects the number of users affected.

> Which is or are the culprit(s)?
>
>   * xterm itself (note that it is also possible to make some recent
>     xterm versions crash without these usual escape sequences);
>
>   * gzip and bzip2, which should sanitize the output to the terminal
>     (like many other utilities already do nowadays);
>
>   * the file system, which should not allow the creation of such
>     file names (I don't know what POSIX says exactly)?
>
> FYI, I've just reported bugs:
>
>   https://debbugs.gnu.org/cgi/bugreport.cgi?bug=79231 for gzip
>   https://sourceware.org/bugzilla/show_bug.cgi?id=33276 for bzip2
>
> (I had also reported 2 bugs against xterm related to its crash
> in the Debian BTS.)

Dereferencing a null pointer:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110769
(no buffer overflows, etc).

-- 
Thomas E. Dickey <dickey () invisible-island net>
https://invisible-island.net
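
One way a utility such as gzip or bzip2 could sanitize a file name before writing it to the terminal, as an added example that is not part of the original message and is not code from gzip, bzip2 or xterm. The function name `sanitize_for_tty`, the `\xHH` escape format and the status message are assumptions; escaping every byte outside printable ASCII is a deliberately conservative choice that also escapes non-ASCII names.

```c
#include <stdio.h>
#include <string.h>

/* Copy `name` into `out`, replacing every byte outside printable ASCII
 * (0x20..0x7e), and the backslash itself, with a \xHH escape so the
 * result can be written to a terminal without being interpreted as a
 * control sequence. Returns the length written (excluding the NUL),
 * or -1 if `out` is too small; `out` is then set to an empty string. */
int sanitize_for_tty(const char *name, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (outsz == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        int safe = (*p >= 0x20 && *p <= 0x7e && *p != '\\');
        size_t need = safe ? 1 : 4;
        if (o + need >= outsz) {      /* keep room for the trailing NUL */
            out[0] = '\0';
            return -1;
        }
        if (safe) {
            out[o++] = (char)*p;
        } else {
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[*p >> 4];
            out[o++] = hex[*p & 0x0f];
        }
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample: the file name from the report quoted above. */
    const char *name = "file\x1b[H\x1b[c\n\b";
    char buf[256];

    if (sanitize_for_tty(name, buf, sizeof buf) < 0)
        return 1;
    printf("%s: decompressed\n", buf);   /* hypothetical status message */
    return 0;
}
```

Escaping the backslash as well keeps the output unambiguous: a name that literally contains the characters `\x1b` cannot be confused with an escaped ESC byte.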