[Bug 1890286] Re: ansi escape sequence injection into add-apt-repository
Jason A. Donenfeld
1890286 at bugs.launchpad.net
Tue Aug 4 13:39:38 UTC 2020
Looks like this has come up before in other utilities and was fixed,
such as https://bugs.launchpad.net/ubuntu/+source/base-
files/+bug/1649352 .
** Summary changed:
- ansi escape sequence injection into add-apt-repository
+ ansi escape sequence injection in add-apt-repository
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to software-properties in Ubuntu.
https://bugs.launchpad.net/bugs/1890286
Title:
ansi escape sequence injection in add-apt-repository
Status in software-properties package in Ubuntu:
New
Bug description:
This was reported to oss-security and to security at ubuntu.com, but I
figure I should make a real bug report, as otherwise it'll probably be
missed. Original post from https://www.openwall.com/lists/oss-
security/2020/08/03/1 follows below.
--
Hi,
I've found a rather low grade concern: I'm able to inject ANSI escape
sequences into PPA descriptions on Launchpad, and then have them
rendered by add-apt-repository *before* the user consents to actually
adding that repository. There might be some sort of trust barrier
issue with that. This could be used to clear the screen and imitate a
fresh bash prompt, upload files, dump the current screen to a file, or
other classic shenanigans, well chronicled in the archives of oss-sec.
PoC time -- I'm using this "feature" for good at the moment to
announce the deprecation in bold text of a PPA that I maintain:
https://data.zx2c4.com/add-apt-repository-ansi-injection.png
The proper fix to this is likely to do sanitization on the
add-apt-repository side.
Regards,
Jason
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/1890286/+subscriptions
More information about the foundations-bugs
mailing list