> Well if this allows arbitrary data to be fed into the file and later
> be displayed by who or last then that data could be made to contain
> escape sequences, and either hide other lines that would normally be
> displayed (so you don't know someone has logged into the machine), or
> output other malicious escape sequences (key rebindings, whatever).
I think such things are considered terminal emulator bugs these days.
(Which makes sense given that we can't fix head/tail/cat/...)
Message-ID: <email address hidden>
Date: Sun, 30 Oct 2005 21:55:23 +0100
From: Florian Weimer <email address hidden>
To: Joey Hess <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#329156: exploit via escape sequences?
* Joey Hess:
> Well if this allows arbitrary data to be fed into the file and later
> be displayed by who or last then that data could be made to contain
> escape sequences, and either hide other lines that would normally be
> displayed (so you don't know someone has logged into the machine), or
> output other malicious escape sequences (key rebindings, whatever).
I think such things are considered terminal emulator bugs these days.
(Which makes sense given that we can't fix head/tail/cat/...)