Comment 42 for bug 22052

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sun, 30 Oct 2005 15:28:59 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: exploit via escape sequences?

Well, if this allows arbitrary data to be fed into the file and later
be displayed by who or last, then that data could be made to contain
escape sequences, and either hide other lines that would normally be
displayed (so you don't know someone has logged into the machine), or
output other malicious escape sequences (key rebindings, whatever).

Haven't tried it but it's a thought.

--
see shy jo

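A display-side mitigation for the concern raised in this message, as an added example that is not part of the original message or of the who/last source: escape every byte a terminal could interpret before a login-record field is printed. The function name `sanitize_field`, the 32-byte field width and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy a fixed-width login-record field (which may lack a terminating NUL)
 * into out, rendering every byte a terminal could act on (C0 controls
 * including ESC, DEL, and all 8-bit bytes including C1 controls) as \xNN.
 * Backslash is escaped too, so the output is unambiguous.
 * Returns the number of bytes that were escaped. */
size_t sanitize_field(const char *field, size_t field_len,
                      char *out, size_t out_len)
{
    size_t o = 0, escaped = 0;
    if (out_len == 0)
        return 0;
    for (size_t i = 0; i < field_len && field[i] != '\0'; i++) {
        unsigned char c = (unsigned char)field[i];
        int printable = (c >= 0x20 && c < 0x7f && c != '\\');
        size_t need = printable ? 1 : 4;
        if (o + need >= out_len)        /* always keep room for the NUL */
            break;
        if (printable) {
            out[o++] = (char)c;
        } else {
            snprintf(out + o, out_len - o, "\\x%02x", c);
            o += 4;
            escaped++;
        }
    }
    out[o] = '\0';
    return escaped;
}

int main(void)
{
    /* Constructed sample: a user field filled to its full assumed width
     * (so no terminating NUL) that carries an embedded ESC sequence. */
    char field[32];
    char shown[4 * sizeof field + 1];   /* worst case: every byte escaped */
    memset(field, 'a', sizeof field);
    memcpy(field, "joe\x1b[31m", 8);
    size_t n = sanitize_field(field, sizeof field, shown, sizeof shown);
    printf("%s (%zu byte(s) escaped)\n", shown, n);
    return 0;
}
```

Sizing the output buffer at four times the field width plus one guarantees that no record is truncated, so an escaped entry can never push a later part of the same line out of view.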