ansi escape sequence injection in add-apt-repository
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
software-properties (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
This was reported to oss-security and to <email address hidden>, but I figure I should make a real bug report, as otherwise it'll probably be missed. Original post from https:/
--
Hi,
I've found a rather low grade concern: I'm able to inject ANSI escape
sequences into PPA descriptions on Launchpad, and then have them
rendered by add-apt-repository *before* the user consents to actually
adding that repository. There might be some sort of trust barrier
issue with that. This could be used to clear the screen and imitate a
fresh bash prompt, upload files, dump the current screen to a file, or
other classic shenanigans, well chronicled in the archives of oss-sec.
PoC time -- I'm using this "feature" for good at the moment to
announce the deprecation in bold text of a PPA that I maintain:
https:/
The proper fix to this is likely to do sanitization on the
add-apt-repository side.
Regards,
Jason
Looks like this has come up before in other utilities and was fixed, such as https:/ /bugs.launchpad .net/ubuntu/ +source/ base-files/ +bug/1649352 .