oss-sec mailing list archives
xterm terminal crash due to malicious character sequences in file name
From: Vincent Lefevre <vincent () vinc17 net>
Date: Wed, 13 Aug 2025 19:00:58 +0200
The following makes the xterm terminal crash
touch "$(printf "file\e[H\e[c\n\b")"
gunzip file*
due to malicious character sequences in the file name and a bug in
xterm. Same issue with bunzip2 instead of gunzip.
Note that in practice, such a file name is not necessarily created by
the end user who runs gunzip. It may come from a downloaded archive
or from another user on a shared machine.
Is this regarded as a vulnerability, in particular due to the loss of
the shell session and associated data (which cannot be recovered)?
Which is or are the culprit(s)?
* xterm itself (note that it is also possible to make some recent
xterm versions crash without these usual escape sequences);
* gzip and bzip2, which should sanitize the output to the terminal
(like many other utilities already do nowadays);
* the file system, which should not allow the creation of such
file names (I don't know what POSIX says exactly)?
FYI, I've just reported bugs:
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=79231 for gzip
https://sourceware.org/bugzilla/show_bug.cgi?id=33276 for bzip2
(I had also reported 2 bugs against xterm related to its crash
in the Debian BTS.)
--
Vincent Lefèvre <vincent () vinc17 net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
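An added example, not code from the post above nor from gzip, bzip2 or xterm: a POSIX sh sketch of the output sanitisation the post asks the archivers for, done the way GNU ls does it for terminals (its -q / hide-control-chars behaviour replaces each control byte with '?'). The file name is constructed inline from the sequence in the post (ESC [ H is cursor home, ESC [ c is a device-attributes request the terminal answers on stdin, then a newline and a backspace); the names MALICIOUS_NAME, has_control_bytes, sanitize_for_terminal, list_dir_safely and demo are this example's own.

```shell
#!/bin/sh
# Added example (not from the post, gzip, bzip2 or xterm): detect and
# neutralise control bytes in an untrusted file name before it is written
# to a terminal. All names below are this example's own.

# The file name from the post, constructed inline: ESC [ H (cursor home),
# ESC [ c (request device attributes, which the terminal answers on stdin),
# a newline and a backspace. 12 bytes, 4 of them control bytes.
MALICIOUS_NAME=$(printf 'file\033[H\033[c\n\b')

# True (exit 0) when NAME contains any byte in [:cntrl:] (0x00-0x1f, 0x7f),
# which covers ESC, CR, LF, BS and DEL. The byte counts go through $(( ))
# so that the leading blanks some wc implementations print do no harm.
has_control_bytes() {
    raw=$(( $(printf '%s' "$1" | wc -c) ))
    kept=$(( $(printf '%s' "$1" | tr -d '[:cntrl:]' | wc -c) ))
    [ "$raw" -ne "$kept" ]
}

# Print NAME with every control byte replaced by '?', as GNU ls -q does
# for names written to a terminal. '[?*]' is the POSIX tr spelling of
# "repeat ? as often as string1 needs".
sanitize_for_terminal() {
    printf '%s' "$1" | tr '[:cntrl:]' '[?*]'
}

# List a directory the way a careful utility should report names in its
# diagnostics: raw names never reach the terminal, and names that needed
# sanitising are flagged so the reader knows something was hidden.
list_dir_safely() {
    for entry in "$1"/*; do
        [ -e "$entry" ] || continue          # no match: the glob is left as-is
        base=${entry##*/}
        if has_control_bytes "$base"; then
            printf '%s  (control bytes replaced)\n' "$(sanitize_for_terminal "$base")"
        else
            printf '%s\n' "$base"
        fi
    done
}

# Demo: create the post's file in a scratch directory and list it safely.
# A plain `ls` without -q/-b, or an archiver echoing the name in an error
# message, would instead send the raw ESC sequences to the terminal.
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/$MALICIOUS_NAME"
    : > "$dir/plain-file.gz"
    list_dir_safely "$dir"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh safe-names.sh --demo` (file name assumed). The same check can be made with existing tools when auditing an unpacked archive: `ls -q` or `ls -b` shows the names with control bytes replaced or C-escaped, and `printf '%s' "$name" | cat -v` makes the ESC bytes visible as `^[` instead of letting the terminal interpret them. Note that the wrapper only protects output it writes itself; the fix the post asks for has to happen inside gzip and bzip2, where the unsanitised name is printed today.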
Current thread:
- xterm terminal crash due to malicious character sequences in file name Vincent Lefevre (Aug 13)
- Re: xterm terminal crash due to malicious character sequences in file name Thomas Dickey (Aug 13)
- Re: xterm terminal crash due to malicious character sequences in file name Erik Auerswald (Aug 13)
- Re: xterm terminal crash due to malicious character sequences in file name Collin Funk (Aug 16)
- Re: xterm terminal crash due to malicious character sequences in file name Vincent Lefevre (Aug 16)
- Re: xterm terminal crash due to malicious character sequences in file name Solar Designer (Aug 16)
- Re: xterm terminal crash due to malicious character sequences in file name Erik Auerswald (Aug 17)
- Re: xterm terminal crash due to malicious character sequences in file name Vincent Lefevre (Aug 17)
- Re: xterm terminal crash due to malicious character sequences in file name David A. Wheeler (Aug 17)
- Re: blocking weird file names (was: xterm terminal crash due to malicious character sequences in file name) Jacob Bachmeyer (Aug 18)
- Re: blocking weird file names (was: xterm terminal crash due to malicious character sequences in file name) Simon McVittie (Aug 19)
- Re: xterm terminal crash due to malicious character sequences in file name Collin Funk (Aug 16)
