On 16-11-07 20:49, Simon Lees wrote:
> -------- Forwarded Message --------
> Subject: [oss-security] Re: CVE request: Escape Sequence Command
> Execution vulnerability in Terminology 0.7
> Date: Mon, 7 Nov 2016 01:25:23 -0500
> From: cve-ass...@mitre.org
> Reply-To: oss-secur...@lists.openwall.com
> To: nico...@braud-santoni.eu
> CC: cve-ass...@mitre.org, oss-secur...@lists.openwall.com,
> secur...@debian.org, r...@kallisti.us
>
> > Terminology 0.7.0 suffers from a bug similar to CVE-2003-0063, where an
> > attacker able to print character escape sequences can modify the window
> > title and then insert it back in the terminal's input buffer, resulting
> > in arbitrary terminal input, including code execution as a local user.
>
> > https://git.enlightenment.org/apps/terminology.git/commit/?id=b80bedc7c21ecffe99d8d142930db696eebdd6a5
> >> src/bin/termptyesc.c
>
> Use CVE-2015-8971.
For those who wonder, this issue has been fixed in Terminology 0.9.0 (and 0.9.1). I do hope this will speed up the process to update Terminology in Debian.

-- 
Boris Faure
Pointer Arithmetician
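The bug class MITRE describes in the quoted message (attacker-controlled escape sequences set the window title, and a second sequence makes the terminal report that title back as if the user had typed it) is the same one as CVE-2003-0063. The Python below is an added example for this thread, not Terminology's code and not part of the original messages: it flags the set-then-report pattern in untrusted text and strips escape sequences so that such text (a log file, a downloaded README, an attacker-supplied filename) can be printed without reaching the terminal's parser. It assumes the xterm-documented sequences (OSC 0/2 to set the title, CSI 21 t to report it); which of these Terminology 0.7 honoured is not stated on the page, and the sample input is constructed.

```python
import re

# Regular expressions (constructed for this example) for the sequence families
# involved in the title-readback bug class. OSC (ESC ] ... BEL or ESC \) carries
# xterm's "set icon name / window title" (Ps = 0, 1 or 2); CSI Ps t is xterm's
# window-manipulation family, where Ps = 20/21 asks the terminal to report the
# icon label / window title back on its input.
OSC_RE = re.compile(r"(?:\x1b\]|\x9d)[^\x07\x1b\x9c]*(?:\x07|\x1b\\|\x9c)")
# DCS / SOS / PM / APC strings, also terminated by ST.
STRING_RE = re.compile(r"(?:\x1b[PX^_]|[\x90\x98\x9e\x9f])[^\x1b\x9c]*(?:\x1b\\|\x9c)")
# CSI: parameter bytes 0x30-0x3F, intermediates 0x20-0x2F, final byte 0x40-0x7E.
CSI_RE = re.compile(r"(?:\x1b\[|\x9b)[0-?]*[ -/]*[@-~]")
# Remaining two-character ESC sequences and nF sequences (ESC intermediates final).
OTHER_ESC_RE = re.compile(r"\x1b[@-Z\\-_]|\x1b[ -/]+[0-~]")


def _osc_payload(seq):
    """Strip the OSC introducer and terminator, leaving 'Ps;text'."""
    body = seq[2:] if seq.startswith("\x1b]") else seq[1:]
    return body[:-2] if body.endswith("\x1b\\") else body[:-1]


def find_title_tampering(data):
    """Return (kind, offset, detail) tuples for title sets and title queries,
    in stream order. Assumes xterm semantics for OSC 0/1/2 and CSI 20/21 t."""
    findings = []
    for m in OSC_RE.finditer(data):
        ps, _, text = _osc_payload(m.group(0)).partition(";")
        if ps in ("0", "1", "2"):
            findings.append(("title-set", m.start(), text))
    for m in CSI_RE.finditer(data):
        seq = m.group(0)
        if seq.endswith("t"):
            params = seq[2:-1] if seq.startswith("\x1b[") else seq[1:-1]
            if params.split(";")[0] in ("20", "21"):
                findings.append(("title-query", m.start(), params))
    findings.sort(key=lambda f: f[1])
    return findings


def has_title_readback(data):
    """True when a title set is followed later in the stream by a title query:
    the ordering that turns attacker-chosen title text into terminal input."""
    set_seen = False
    for kind, _, _ in find_title_tampering(data):
        if kind == "title-set":
            set_seen = True
        elif set_seen:
            return True
    return False


def sanitize_for_terminal(data, keep=("\n", "\t")):
    """Remove every escape and control sequence so untrusted text can be printed.
    Whole sequences are removed first; a final pass drops any stray C0/C1 byte
    (including an ESC left over from an unterminated sequence)."""
    out = OSC_RE.sub("", data)
    out = STRING_RE.sub("", out)
    out = CSI_RE.sub("", out)
    out = OTHER_ESC_RE.sub("", out)
    return "".join(
        c for c in out
        if c in keep or not (ord(c) < 0x20 or 0x7F <= ord(c) <= 0x9F)
    )


# Constructed sample: a line of hostile file content that sets the title and
# then asks for it back (the pattern described in the CVE request).
SAMPLE = "ls -l\n\x1b]0;injected text\x07\x1b[21t\n"

if __name__ == "__main__":
    for finding in find_title_tampering(SAMPLE):
        print(finding)
    print("set-then-report pattern present:", has_title_readback(SAMPLE))
    print("sanitized:", repr(sanitize_for_terminal(SAMPLE)))
```

The detector is useful for triaging files or logs before viewing them; the sanitizer is the mitigation to apply in any tool that prints data it does not control (`cat`-like viewers, log tailers, CI output). Stripping whole sequences before the control-byte pass matters: dropping only the ESC byte would leave the sequence body as visible text, which is harmless, but the pass order also guarantees that removing one sequence can never splice a new introducer together out of the surrounding bytes.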
_______________________________________________
enlightenment-devel mailing list
enlightenment-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/enlightenment-devel