Package: rxvt-unicode
Version: 9.21-1
Severity: important
Tags: security upstream patch

This is not really news as this is an age-old attack with low impact:
rxvt-unicode does not filter end sequences when using bracketed paste mode. You
can try this by following this web page:

https://thejh.net/misc/website-terminal-copy-paste

and using the oh-my-zsh "safe-paste" plugin. Pasted data can escape the
bracketed mode, which might result in unsafe input.

This is confirmed by fetching urxvt source and seeing the definition of
rxvt_term::tt_paste in screen.C.

Patch attached.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (900, 'unstable'), (800, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages rxvt-unicode-256color depends on:
ii  base-passwd               3.5.37
ii  libc6                     2.19-18
ii  libfontconfig1            2.11.0-6.3
ii  libfreetype6              2.5.2-4
ii  libgcc1                   1:5.1.1-8
ii  libgdk-pixbuf2.0-0        2.31.4-2
ii  libglib2.0-0              2.44.1-1
ii  libperl5.20               5.20.2-6
ii  libstartup-notification0  0.12-4
ii  libx11-6                  2:1.6.3-1
ii  libxft2                   2.3.2-1
ii  libxrender1               1:0.9.8-1+b1
ii  ncurses-term              5.9+20150516-2

Versions of packages rxvt-unicode-256color recommends:
ii  fonts-vlgothic [fonts-japanese-gothic]  20141206-1
pn  ttf-dejavu                              <none>

rxvt-unicode-256color suggests no packages.

--- src/screen.C.Orig	2015-06-03 14:56:51.698258870 +0200
+++ src/screen.C	2015-06-03 15:51:27.213488209 +0200
@@ -2706,8 +2706,17 @@
       data[i] = C0_CR;
 
   if (priv_modes & PrivMode_BracketPaste)
+  {
     tt_printf ("\x1b[200~");
 
+    /* filter end sequence from the input data */
+    while (char* p = (char*)memmem (data, len, "\x1b[201~", 6))
+    {
+      len -= 6;
+      memmove (p, (p + 6), len - (p - data));
+    }
+  }
+
   tt_write (data, len);
 
   if (priv_modes & PrivMode_BracketPaste)
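
Review bot: memmem, used in the added while loop, is a GNU extension rather than ISO C, so this filter needs either a configure check with a fallback search or a small local helper before it can build on every platform rxvt-unicode targets. The length arithmetic is correct: after len -= 6, the expression len - (p - data) is exactly the number of bytes that followed the match. The loop also restarts the search at data on every pass, which is what catches a terminator spliced together by a removal (for example "\x1b[20" followed by "\x1b[201~" followed by "1~"). That restart is load-bearing and should be stated in the comment so a later optimisation that resumes scanning at p does not reopen the hole. The match covers only the 7-bit "\x1b[201~" spelling, so the comment should say that as well.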
