Package: procps
Version: 3.3.17-5

Prior to version 4.0.0, procps did not escape process names it wrote to
standard output.  This affects both top and pgrep.

Needless to say, this is dangerous.  Under Linux, the process name is
an arbitrary sequence of non-zero bytes, which can include control
characters.  By setting a malicious name, any user can mess with another
user's terminal as soon as the latter attempts to inspect running processes.
Even though the name is truncated, there is still enough room to cause trouble.

To illustrate a few possibilities of abuse:

$ # Hide a misbehaving process from view.
$ printf '\033[A' >/proc/$$/comm
$ # Spoof the PID displayed by pgrep -l.  This can be used to trick a user
$ # into killing the wrong process.
$ printf '\r123 sh' >/proc/$$/comm
$ # Same for top.
$ printf '\0337\033[5G123\0338sh' >/proc/$$/comm
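
The following audit script is an added example for this report; it is not procps code and not the upstream fix.  It assumes only the Linux convention that /proc/<pid>/comm holds the raw process name (up to 15 bytes plus a trailing newline).  It renders every byte outside printable ASCII as \xNN, so a name containing ESC or CR is visible instead of being interpreted by the terminal, and it lists the processes whose names would have been dangerous to print unescaped.  The three sample names are the ones from this report, constructed inline so the script runs without touching /proc.

```python
import os

# Bytes that can be written to a terminal verbatim: printable ASCII minus
# backslash, which is reserved as the escape introducer.
_SAFE = set(range(0x20, 0x7F)) - {0x5C}


def escape_comm(raw: bytes) -> str:
    """Render a raw /proc/<pid>/comm value so that every byte is visible.

    Printable ASCII passes through, backslash is doubled, and everything
    else (control characters, DEL, non-ASCII) is shown as \\xNN.
    """
    out = []
    for b in raw:
        if b in _SAFE:
            out.append(chr(b))
        elif b == 0x5C:
            out.append("\\\\")
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


def is_suspicious(raw: bytes) -> bool:
    """True if the name contains a byte a terminal would interpret rather than print."""
    return any(b not in _SAFE and b != 0x5C for b in raw)


def audit(entries):
    """entries: iterable of (pid, raw_comm).

    Returns [(pid, escaped_name)] for every name that is not plain printable ASCII.
    """
    return [(pid, escape_comm(raw)) for pid, raw in entries if is_suspicious(raw)]


def read_proc_comms(proc="/proc"):
    """Read every /proc/<pid>/comm on a live Linux system as raw bytes."""
    entries = []
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc, name, "comm"), "rb") as fh:
                entries.append((int(name), fh.read().rstrip(b"\n")))
        except OSError:
            continue  # process exited or comm not readable; skip it
    return entries


# Constructed sample: the three names from the report plus two benign ones.
SAMPLE = [
    (1, b"init"),
    (4242, b"\x1b[A"),                    # cursor up: hides the line above
    (4243, b"\r123 sh"),                  # CR: overwrites the PID column
    (4244, b"\x1b7\x1b[5G123\x1b8sh"),    # save cursor, move, restore
    (4245, b"bash"),
]

if __name__ == "__main__":
    for pid, shown in audit(SAMPLE):
        print(f"sample pid {pid}: {shown}")
    if os.path.isdir("/proc"):
        for pid, shown in audit(read_proc_comms()):
            print(f"live pid {pid}: {shown}")
```

Run it on a live system and any process whose name would corrupt a listing is printed with its bytes spelled out; the same escaping applied before output is the general shape of the mitigation a process-listing tool needs.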

This was fixed upstream in commit 91897e7d2c161e8819d1dd27b1c50c1fb93a4708.

Note that I am running a non-Debian kernel.
