[Bug 1890286] Re: ansi escape sequence injection in add-apt-repository

Launchpad Bug Tracker 1890286 at bugs.launchpad.net
Wed Aug 12 13:46:27 UTC 2020 

This bug was fixed in the package software-properties - 0.96.24.32.14

---------------
software-properties (0.96.24.32.14) bionic-security; urgency=medium

  * SECURITY UPDATE: malicious repo could send ANSI sequences to terminal
    (LP: #1890286)
    - add-apt-repository: strip ANSI sequences from the description.
    - CVE-2020-15709

 -- Marc Deslauriers <marc.deslauriers at ubuntu.com>  Fri, 07 Aug 2020
10:07:43 -0400

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to software-properties in Ubuntu.
https://bugs.launchpad.net/bugs/1890286

Title:
  ansi escape sequence injection in add-apt-repository

Status in software-properties package in Ubuntu:
  Fix Released

Bug description:
  This was reported to oss-security and to security at ubuntu.com, but I
  figure I should make a real bug report, as otherwise it'll probably be
  missed. Original post from https://www.openwall.com/lists/oss-
  security/2020/08/03/1 follows below.

  --

  Hi,

  I've found a rather low grade concern: I'm able to inject ANSI escape
  sequences into PPA descriptions on Launchpad, and then have them
  rendered by add-apt-repository *before* the user consents to actually
  adding that repository. There might be some sort of trust barrier
  issue with that. This could be used to clear the screen and imitate a
  fresh bash prompt, upload files, dump the current screen to a file, or
  other classic shenanigans, well chronicled in the archives of oss-sec.

  PoC time -- I'm using this "feature" for good at the moment to
  announce the deprecation in bold text of a PPA that I maintain:
  https://data.zx2c4.com/add-apt-repository-ansi-injection.png

  The proper fix to this is likely to do sanitization on the
  add-apt-repository side.

  Regards,
  Jason

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/1890286/+subscriptions

More information about the foundations-bugs mailing list