Package: rxvt-unicode
Version: 9.21-1
Severity: important
Tags: security upstream patch
This is not really news as this is an age-old attack with low impact:
rxvt-unicode does not filter end sequences when using bracketed paste mode. You
can try this by following this web page:
https://thejh.net/misc/website-terminal-copy-paste
and using the oh-my-zsh "safe-paste" plugin. Pasted data can escape the
bracketed mode, which might result in unsafe input.
This is confirmed by fetching the urxvt source and seeing the definition of
rxvt_term::tt_paste in screen.C.
Patch attached.
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (900, 'unstable'), (800, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages rxvt-unicode-256color depends on:
ii base-passwd 3.5.37
ii libc6 2.19-18
ii libfontconfig1 2.11.0-6.3
ii libfreetype6 2.5.2-4
ii libgcc1 1:5.1.1-8
ii libgdk-pixbuf2.0-0 2.31.4-2
ii libglib2.0-0 2.44.1-1
ii libperl5.20 5.20.2-6
ii libstartup-notification0 0.12-4
ii libx11-6 2:1.6.3-1
ii libxft2 2.3.2-1
ii libxrender1 1:0.9.8-1+b1
ii ncurses-term 5.9+20150516-2
Versions of packages rxvt-unicode-256color recommends:
ii fonts-vlgothic [fonts-japanese-gothic] 20141206-1
pn ttf-dejavu <none>
rxvt-unicode-256color suggests no packages.
--- src/screen.C.Orig 2015-06-03 14:56:51.698258870 +0200
+++ src/screen.C 2015-06-03 15:51:27.213488209 +0200
@@ -2706,8 +2706,17 @@
data[i] = C0_CR;
if (priv_modes & PrivMode_BracketPaste)
+ {
tt_printf ("\x1b[200~");
+ /* filter end sequence from the input data */
+ while (char* p = (char*)memmem (data, len, "\x1b[201~", 6))
+ {
+ len -= 6;
+ memmove (p, (p + 6), len - (p - data));
+ }
+ }
+
tt_write (data, len);
if (priv_modes & PrivMode_BracketPaste)
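Review bot: memmem() is a GNU extension, so the new search in this hunk builds on glibc only because g++ predefines _GNU_SOURCE; on a non-GNU libc screen.C will fail to compile or link unless a fallback (a short memcmp loop, or a HAVE_MEMMEM guard) is provided. The loop logic itself holds up: the search restarts from `data` after every deletion, so a terminator re-formed by a removal ("\x1b[20" followed by "\x1b[201~" followed by "1~") is stripped as well, and `len - (p - data)` is computed after `len -= 6;`, which is exactly the number of bytes following the removed sequence, so the memmove length is right. Worth extending the comment to say that only the end-of-paste terminator is removed and that other control sequences in the clipboard still reach the pty, so readers do not mistake this for a general escape-sequence filter.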
_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
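The escape the report describes, simulated end to end as an added example in C. This is not urxvt code and not part of the report: it models the terminal side the way tt_paste does (NL to CR, then the begin sequence, the data, the end sequence), strips the end sequence in place with the same loop shape as the attached patch but using a portable search loop instead of memmem(), and models a bracketed-paste-aware application as a simplified parser that sorts pty bytes into "pasted" and "typed". The function names (filter_paste_end, terminal_paste, app_split, demo_typed_bytes), the application parser and the clipboard sample are all constructed for this example; it also goes beyond the report by checking the case where deleting one terminator re-forms another.

```c
/* Added example (not urxvt code): simulate the bracketed-paste escape the
 * report describes, then apply a filter equivalent to the attached patch.
 * Function names, the application-side parser and the sample clipboard
 * content are constructed for this example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PASTE_BEGIN "\x1b[200~"   /* terminal emits this before pasted data */
#define PASTE_END   "\x1b[201~"   /* ... and this after it */
#define SEQ_LEN     6

/* Portable stand-in for memmem(), which is a GNU extension. */
static char *find_seq(char *buf, size_t len, const char *seq, size_t seqlen)
{
    for (size_t i = 0; i + seqlen <= len; i++)
        if (memcmp(buf + i, seq, seqlen) == 0)
            return buf + i;
    return NULL;
}

/* Strip every PASTE_END from data in place; returns the new length.
 * The search restarts at data after each removal, so a terminator that is
 * re-formed by a deletion ("\x1b[20" "\x1b[201~" "1~") is removed as well. */
size_t filter_paste_end(char *data, size_t len)
{
    char *p;
    while ((p = find_seq(data, len, PASTE_END, SEQ_LEN)) != NULL) {
        len -= SEQ_LEN;                                    /* bytes left after removal */
        memmove(p, p + SEQ_LEN, len - (size_t)(p - data)); /* bytes that follow p */
    }
    return len;
}

/* Terminal side: the bytes a bracketed-paste terminal writes to the pty for a
 * clipboard buffer, mirroring tt_paste: NL -> CR, then BEGIN, data, END.
 * With filter != 0 the end sequence is stripped from the data first (the fix).
 * Returns the stream length, or 0 if a buffer is too small. */
size_t terminal_paste(const char *clip, size_t cliplen, int filter,
                      char *out, size_t outcap)
{
    char buf[256];
    if (cliplen > sizeof buf || outcap < cliplen + 2 * SEQ_LEN)
        return 0;
    memcpy(buf, clip, cliplen);
    for (size_t i = 0; i < cliplen; i++)
        if (buf[i] == '\n')
            buf[i] = '\r';
    if (filter)
        cliplen = filter_paste_end(buf, cliplen);
    memcpy(out, PASTE_BEGIN, SEQ_LEN);
    memcpy(out + SEQ_LEN, buf, cliplen);
    memcpy(out + SEQ_LEN + cliplen, PASTE_END, SEQ_LEN);
    return cliplen + 2 * SEQ_LEN;
}

/* Application side (a shell with bracketed paste on, simplified): bytes between
 * BEGIN and END are "pasted", everything else is treated as typed keystrokes.
 * Returns the number of typed bytes; *npasted receives the pasted count. */
size_t app_split(const char *stream, size_t len,
                 char *typed, size_t typedcap,
                 char *pasted, size_t pastedcap, size_t *npasted)
{
    size_t nt = 0, np = 0, i = 0;
    int in_paste = 0;
    while (i < len) {
        if (len - i >= SEQ_LEN && memcmp(stream + i, PASTE_BEGIN, SEQ_LEN) == 0) {
            in_paste = 1; i += SEQ_LEN; continue;
        }
        if (len - i >= SEQ_LEN && memcmp(stream + i, PASTE_END, SEQ_LEN) == 0) {
            in_paste = 0; i += SEQ_LEN; continue;
        }
        if (in_paste) { if (np < pastedcap) pasted[np] = stream[i]; np++; }
        else          { if (nt < typedcap) typed[nt] = stream[i]; nt++; }
        i++;
    }
    *npasted = np;
    return nt;
}

/* Constructed clipboard content: "ls", a hidden end-of-paste sequence, then a
 * second line the shell would run as if it had been typed. */
static const char sample_clip[] = "ls\x1b[201~\necho injected\n";

/* Run the sample through the terminal (filtered or not) and the application;
 * returns the number of bytes the application treats as typed. */
size_t demo_typed_bytes(int filter, char *typed, size_t cap)
{
    char stream[128], pasted[128];
    size_t np;
    size_t n = terminal_paste(sample_clip, sizeof sample_clip - 1, filter,
                              stream, sizeof stream);
    return app_split(stream, n, typed, cap, pasted, sizeof pasted, &np);
}

int main(void)
{
    char typed[64];
    size_t nt = demo_typed_bytes(0, typed, sizeof typed);
    printf("unfiltered: %zu bytes reach the shell as keystrokes: ", nt);
    for (size_t i = 0; i < nt; i++) {
        if (typed[i] == '\r') fputs("\\r", stdout); else putchar(typed[i]);
    }
    printf("\nfiltered:   %zu bytes reach the shell as keystrokes\n",
           demo_typed_bytes(1, typed, sizeof typed));
    return 0;
}
```

Unfiltered, the application sees the CR and the second line outside the paste bracket, which is the "unsafe input" the report refers to; with the filter applied the whole clipboard stays inside one bracket and the shell receives nothing it treats as typed.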