Mailing-List: contact oss-security-help@lists.openwall.com; run by ezmlm
From: Sam James
To: Solar Designer
Cc: oss-security@lists.openwall.com
In-Reply-To: <20240403205835.GA12974@openwall.com> (Solar Designer's message of "Wed, 3 Apr 2024 22:58:35 +0200")
Organization: Gentoo
References: <20240329155126.kjjfduxw2yrlxgzm@awork3.anarazel.de> <20240331213023.GA22787@openwall.com> <20240403205835.GA12974@openwall.com>
Date: Thu, 02 May 2024 22:35:02 +0100
Message-ID: <87o79nlwxl.fsf@gentoo.org>
Subject: Re: [oss-security] escaping terminal control characters (was Re: backdoor in upstream xz/liblzma leading to ssh server compromise)

Solar Designer writes:

> On Wed, Apr 03, 2024 at 11:03:17AM +1100, Matthew Fernandez wrote:
>> On 4/1/24 08:30, Solar Designer wrote:
>> >On Sat, Mar 30, 2024 at 04:37:48PM -0000, Tavis Ormandy wrote:
>> >>It was also pointed out they submitted an odd PR to libarchive:
>> >>
>> >>https://github.com/libarchive/libarchive/pull/1609
>> >>
>> >>In summary, they replaced calls to safe_fprintf() with fprintf() --
>> >>meaning control characters are no longer filtered from errors. That
>> >>seems pretty minor, but now that we know they were in the business of
>> >>obfuscating the presence of backdoors -- seems a bit suspicious.
>> >>
>> >>Regardless, that change has now been reverted:
>> >>
>> >>https://github.com/libarchive/libarchive/pull/2101
>> >
>> >This does look minor indeed - not usable for large-scale attacks, and
>> >libarchive is quite unique in that it even bothered to filter control
>> >characters, whereas most command-line tools outputting filenames don't
>> >bother. My guess is it could have been an early experiment to see
>> >whether the project would accept PRs degrading security.
>> >
>> >That said, here's an excellent write-up by David Leadbeater on specific
>> >ways that specific terminal emulators may be usefully attacked with
>> >control sequences:
>> >
>> >https://dgl.cx/2023/09/ansi-terminal-security#vulnerabilities-using-known-replies
>>
>> Is the currently accepted wisdom that any application printing to
>> stdout/stderr should take steps to avoid control characters in the
>> output?
>
> First, let's limit this to cases where the control characters come from
> potentially untrusted input to the program. Obviously, many programs
> generate terminal escapes on their own (usually via a library), for
> their intended functionality (colorized listings, TUIs, etc.) Some
> programs pass potential control characters from their trusted input.
>
> Second, I think no, there isn't currently an established opinion on
> whether programs should perform such filtering of untrusted input.

Lasse has put up an initial implementation for xz:
https://github.com/tukaani-project/xz/pull/118. Comments are welcome.

It was a TODO from a long time ago ;)

We're not sure how much is overkill (or underkill) for this, especially
given it gets harder when Unicode is involved.

> [...]

thanks,
sam