Package: rxvt-unicode
Version: 9.21-1
Severity: important
Tags: security upstream patch

This is not really news as this is an age-old attack with low impact: rxvt-unicode does not filter end sequences when using bracketed paste mode.

You can try this by following this web page: https://thejh.net/misc/website-terminal-copy-paste and using the oh-my-zsh "safe-paste" plugin. Pasted data can escape the bracketed mode, which might result in unsafe input.

This is confirmed by fetching urxvt source and seeing the definition of rxvt_term::tt_paste in screen.C.

Patch attached.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (900, 'unstable'), (800, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages rxvt-unicode-256color depends on:
ii  base-passwd                 3.5.37
ii  libc6                       2.19-18
ii  libfontconfig1              2.11.0-6.3
ii  libfreetype6                2.5.2-4
ii  libgcc1                     1:5.1.1-8
ii  libgdk-pixbuf2.0-0          2.31.4-2
ii  libglib2.0-0                2.44.1-1
ii  libperl5.20                 5.20.2-6
ii  libstartup-notification0    0.12-4
ii  libx11-6                    2:1.6.3-1
ii  libxft2                     2.3.2-1
ii  libxrender1                 1:0.9.8-1+b1
ii  ncurses-term                5.9+20150516-2

Versions of packages rxvt-unicode-256color recommends:
ii  fonts-vlgothic [fonts-japanese-gothic]  20141206-1
pn  ttf-dejavu                              <none>

rxvt-unicode-256color suggests no packages.

--- src/screen.C.Orig 2015-06-03 14:56:51.698258870 +0200 +++ src/screen.C 2015-06-03 15:51:27.213488209 +0200 @@ -2706,8 +2706,17 @@ data[i] = C0_CR; if (priv_modes & PrivMode_BracketPaste) + { tt_printf ("\x1b[200~"); + /* filter end sequence from the input data */ + while (char* p = (char*)memmem (data, len, "\x1b[201~", 6)) + { + len -= 6; + memmove (p, (p + 6), len - (p - data)); + } + } + tt_write (data, len); if (priv_modes & PrivMode_BracketPaste)
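
Review bot: memmem() in the added while loop is a non-standard extension (GNU in origin), so the build now depends on the platform libc providing it; a short local search with memcmp() would avoid that dependency. The literal 6 appears three times next to "\x1b[201~"; a named constant for the sequence and its length would keep them in sync. The loop restarts its search from data on every pass, which is what catches an end sequence re-formed when the bytes on either side of a removed one join up; the comment should say so, so that a later change to resume the search at p does not reopen the hole.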
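
An added example, not part of the original report or of the urxvt source: a portable single-pass C filter for the same end sequence, run on constructed input that shows why the filter must also catch a marker re-formed from the bytes around a removed one. The names strip_paste_end and contains_paste_end are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* End-of-paste marker the terminal emits after pasted data in bracketed paste mode. */
static const char PASTE_END[] = "\x1b[201~";
#define PASTE_END_LEN (sizeof PASTE_END - 1)

/*
 * Remove every occurrence of PASTE_END from data[0..len) in place and return
 * the new length. The output is built like a stack: each byte is appended,
 * and if the last six bytes now spell the marker they are popped again.
 * Popping exposes the bytes written before the marker, so a marker that only
 * forms once an inner one is removed is caught when its last byte arrives.
 */
size_t strip_paste_end (char *data, size_t len)
{
  size_t w = 0; /* write position, never ahead of the read position r */
  for (size_t r = 0; r < len; r++)
    {
      data[w++] = data[r];
      if (w >= PASTE_END_LEN
          && memcmp (data + w - PASTE_END_LEN, PASTE_END, PASTE_END_LEN) == 0)
        w -= PASTE_END_LEN;
    }
  return w;
}

/* Check used to verify the filter: 1 if the marker is present, else 0. */
int contains_paste_end (const char *data, size_t len)
{
  for (size_t i = 0; i + PASTE_END_LEN <= len; i++)
    if (memcmp (data + i, PASTE_END, PASTE_END_LEN) == 0)
      return 1;
  return 0;
}

int main (void)
{
  /* Constructed sample: a marker nested inside the pieces of another marker. */
  char nested[] = "\x1b[20" "\x1b[201~" "1~echo hi";
  size_t n = strip_paste_end (nested, sizeof nested - 1);
  printf ("%zu bytes left, marker present: %d\n",
          n, contains_paste_end (nested, n));
  return 0;
}
```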