[Bug 1890286] Re: ansi escape sequence injection in add-apt-repository

Jason A. Donenfeld 1890286 at bugs.launchpad.net
Wed Aug 12 15:01:39 UTC 2020 

I'm not convinced that really cuts it. Namely, from the diff:

-        print(" %s" % (info["description"] or ""))
+        # strip ANSI escape sequences
+        description = re.sub(r"(\x9B|\x1B\[)[0-?]*[ -/]*[@-~]",
+                             "", info["description"] or "")
+
+        print(" %s" % description)

There are sequences that don't get filtered by that. Aside from the
usual things like \r or \b, it looks like https://man7.org/linux/man-
pages/man4/console_codes.4.html lists a few codes that defy it too.
While that diff above might be the "stackoverflow answer", it doesn't
seem complete.

Instead, why not just adopt a whitelist policy? Only allow visible and
space characters, or something like that.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to software-properties in Ubuntu.
https://bugs.launchpad.net/bugs/1890286

Title:
  ansi escape sequence injection in add-apt-repository

Status in software-properties package in Ubuntu:
  Fix Released

Bug description:
  This was reported to oss-security and to security at ubuntu.com, but I
  figure I should make a real bug report, as otherwise it'll probably be
  missed. Original post from https://www.openwall.com/lists/oss-
  security/2020/08/03/1 follows below.

  --

  Hi,

  I've found a rather low grade concern: I'm able to inject ANSI escape
  sequences into PPA descriptions on Launchpad, and then have them
  rendered by add-apt-repository *before* the user consents to actually
  adding that repository. There might be some sort of trust barrier
  issue with that. This could be used to clear the screen and imitate a
  fresh bash prompt, upload files, dump the current screen to a file, or
  other classic shenanigans, well chronicled in the archives of oss-sec.

  PoC time -- I'm using this "feature" for good at the moment to
  announce the deprecation in bold text of a PPA that I maintain:
  https://data.zx2c4.com/add-apt-repository-ansi-injection.png

  The proper fix to this is likely to do sanitization on the
  add-apt-repository side.

  Regards,
  Jason

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/1890286/+subscriptions

More information about the foundations-bugs mailing list