Re: escaping terminal control characters (was Re: backdoor in upstream xz/liblzma leading to ssh server compromise)

[Sam James <sam () gentoo org>]

Solar Designer <solar () openwall com> writes:

> On Wed, Apr 03, 2024 at 11:03:17AM +1100, Matthew Fernandez wrote:
> > On 4/1/24 08:30, Solar Designer wrote:
> > > On Sat, Mar 30, 2024 at 04:37:48PM -0000, Tavis Ormandy wrote:
> > > > It was also pointed out they submitted an odd PR to libarchive:
> > > >
> > > > https://github.com/libarchive/libarchive/pull/1609
> > > >
> > > > In summary, they replaced calls to safe_fprintf() with fprintf() --
> > > > meaning control characters are no longer filtered from errors. That
> > > > seems pretty minor, but now that we know they were in the business of
> > > > obfuscating the presence of backdoors -- seems a bit suspicious.
> > > >
> > > > Regardless, that change has now been reverted:
> > > >
> > > > https://github.com/libarchive/libarchive/pull/2101
> > >
> > > This does look minor indeed - not usable for large-scale attacks, and
> > > libarchive is quite unique in that it even bothered to filter control
> > > characters, whereas most command-line tools outputting filenames don't
> > > bother.  My guess is it could have been an early experiment to see
> > > whether the project would accept PRs degrading security.
> > >
> > > That said, here's an excellent write-up by David Leadbeater on specific
> > > ways that specific terminal emulators may be usefully attacked with
> > > control sequences:
> > >
> > > https://dgl.cx/2023/09/ansi-terminal-security#vulnerabilities-using-known-replies
> >
> > Is the currently accepted wisdom that any application printing to 
> > stdout/stderr should take steps to avoid control characters in the 
> > output?
>
> First, let's limit this to cases where the control characters come from
> potentially untrusted input to the program.  Obviously, many programs
> generate terminal escapes on their own (usually via a library), for
> their intended functionality (colorized listings, TUIs, etc.)  Some
> programs pass potential control characters from their trusted input.
>
> Second, I think no, there isn't currently an established opinion on
> whether programs should perform such filtering of untrusted input.

Lasse has put up an initial implementation for xz:
https://github.com/tukaani-project/xz/pull/118.

Comments are welcome. It was a TODO from a long time ago ;)

We're not sure how much is overkill (or underkill) for this, especially
given it gets harder when Unicode is involved.

> [...]

thanks,
sam

Attachment: signature.asc
Description: