Jean Louis <bugs@gnu.support> writes:
> * Maxim Nikulin <maniku...@gmail.com> [2020-11-10 19:31]: >> 2020-11-10 Greg Minshall wrote: >> > >> > i would guess >> > using 'cat -v' to read e-mail is 100% safe. even throwing in >> > uudecode(1), or whatever is needed to decode base64, (and then piping >> > through 'cat -v', of course ), it's probably still safe. >> >> Please, check that you have at least updated tmux before applying such >> "safe" handler: https://www.openwall.com/lists/oss-security/2020/11/05/3 The >> news are too recent to not mention the link in such context. >> >> The sour story is that it is unsafe to feed non-trusted files directly to >> terminal. A filter against control sequences is required. > > Is there anyway to disable control sequences? Than cat can be aliased. It should be noted that this vulnerability is a buffer overflow exploit which ASLR effectively mitigates. This doesn't mean that it isn't a serious bug in tmux, but it does mean that unless you have disabled ASLR, there is no known exploit (i.e. it is only theoretical). Given the popularity of tmux, I suspect it will be patched and a new version released fairly quickly. I guess this does highlight the point that *any* data from an external source can potentially be a threat. You cannot eliminate the risks, only manage them down to an acceptable level. What is acceptable will vary for each user. -- Tim Cross