Jean Louis <bugs@gnu.support> writes:

> * Tim Cross <theophil...@gmail.com> [2020-11-11 01:30]:
>>
>> Jean Louis <bugs@gnu.support> writes:
>>
>> > * Maxim Nikulin <maniku...@gmail.com> [2020-11-10 19:31]:
>> >> 2020-11-10 Greg Minshall wrote:
>> >> >
>> >> > i would guess
>> >> > using 'cat -v' to read e-mail is 100% safe. even throwing in
>> >> > uudecode(1), or whatever is needed to decode base64, (and then piping
>> >> > through 'cat -v', of course ), it's probably still safe.
>> >>
>> >> Please, check that you have at least updated tmux before applying such
>> >> "safe" handler: https://www.openwall.com/lists/oss-security/2020/11/05/3
>> >> The news are too recent to not mention the link in such context.
>> >>
>> >> The sour story is that it is unsafe to feed non-trusted files directly to
>> >> terminal. A filter against control sequences is required.
>> >
>> > Is there any way to disable control sequences? Then cat can be aliased.
>>
>>
>> It should be noted that this vulnerability is a buffer overflow exploit
>> which ASLR effectively mitigates. This doesn't mean that it isn't a
>> serious bug in tmux, but it does mean that unless you have disabled
>> ASLR, there is no known exploit (i.e. it is only theoretical). Given the
>> popularity of tmux, I suspect it will be patched and a new version
>
> Do you know how to disable control sequences?

No, I doubt you can as they are fairly fundamental to tmux operation.

--
Tim Cross
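
The filter against control sequences that the quoted discussion calls for, sketched as an added example (not code from anyone in this thread). The names `neutralize`, `visible` and `SAMPLE` are made up here, the sample bytes are constructed, and the output notation is similar to `cat -v` but not identical to it.

```python
import sys
import unicodedata

KEEP = {"\n", "\t"}  # layout characters passed through unchanged


def visible(ch: str) -> str:
    """Return a printable stand-in for one control character."""
    cp = ord(ch)
    if cp < 0x20:
        return "^" + chr(cp + 0x40)  # ESC (0x1b) becomes ^[
    if cp == 0x7F:
        return "^?"
    return f"<U+{cp:04X}>"  # C1 controls, e.g. CSI U+009B


def neutralize(data: bytes) -> str:
    """Decode untrusted bytes so that no control character survives.

    Invalid UTF-8 (including raw 0x80-0x9f bytes) is shown as \\xNN
    rather than passed to the terminal as-is.
    """
    text = data.decode("utf-8", errors="backslashreplace")
    return "".join(
        ch if ch in KEEP or unicodedata.category(ch) != "Cc" else visible(ch)
        for ch in text
    )


# Constructed sample: CR, an OSC title sequence, a CSI clear-screen,
# a UTF-8 encoded C1 CSI (U+009B) and one invalid byte.
SAMPLE = (
    b"Subject: hi\r\n"
    b"\x1b]0;spoofed title\x07"
    b"\x1b[2Jbody \xc2\x9b31mred\xff\n"
)

if __name__ == "__main__":
    # Filter the file named on the command line, or the sample if none.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    sys.stdout.write(neutralize(data))
```

Decoding first matters: U+009B arrives as the two bytes `c2 9b`, so a byte-level filter that only looks for `0x1b` would let it through to a terminal that honours C1 controls.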