[Bug 1890286] Re: ansi escape sequence injection in add-apt-repository
Marc Deslauriers
1890286 at bugs.launchpad.net
Wed Aug 12 15:38:42 UTC 2020
Hi,
Could you elaborate which codes in that manpage you feel are dangerous
and are actually implemented by the common terminals? The old screendump
and window title codes were disabled long ago, I'm not sure any of the
others are anything other than a nuisance.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to software-properties in Ubuntu.
https://bugs.launchpad.net/bugs/1890286
Title:
ansi escape sequence injection in add-apt-repository
Status in software-properties package in Ubuntu:
Fix Released
Bug description:
This was reported to oss-security and to security at ubuntu.com, but I
figure I should make a real bug report, as otherwise it'll probably be
missed. Original post from https://www.openwall.com/lists/oss-
security/2020/08/03/1 follows below.
--
Hi,
I've found a rather low grade concern: I'm able to inject ANSI escape
sequences into PPA descriptions on Launchpad, and then have them
rendered by add-apt-repository *before* the user consents to actually
adding that repository. There might be some sort of trust barrier
issue with that. This could be used to clear the screen and imitate a
fresh bash prompt, upload files, dump the current screen to a file, or
other classic shenanigans, well chronicled in the archives of oss-sec.
PoC time -- I'm using this "feature" for good at the moment to
announce the deprecation in bold text of a PPA that I maintain:
https://data.zx2c4.com/add-apt-repository-ansi-injection.png
The proper fix to this is likely to do sanitization on the
add-apt-repository side.
Regards,
Jason
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/1890286/+subscriptions
More information about the foundations-bugs
mailing list