Package: htop
Version: 0.7-1
Severity: grave
Tags: security
Justification: user security hole

htop does not filter non-printable characters in process names.

Test case:

echo -e '#!/bin/sh\nwhile :;do :;done' > $(echo -ne '\e[2J\e[H')
chmod a+x $(echo -ne '\e[2J\e[H')
./$(echo -ne '\e[2J\e[H')

top changes the non-printable characters to question marks. htop prints
them unchanged, and thus corrupts its own display. More subtle escape
sequences could hide a process entirely, or do more malicious things
depending on the capabilities of the terminal displaying htop.

- Josh Triplett
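
Added example, not part of the original report and not htop's code or its eventual fix: one way a process viewer can filter names before drawing them, writing '?' for rejected bytes as the report says top does. The names sanitize_name and safe_len are hypothetical; treating names as UTF-8 and also rejecting C1 control code points goes beyond the C0 case shown in the report and is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Bytes in the well-formed UTF-8 sequence at s that encodes a displayable
 * code point, or 0 if the byte at s must not reach the terminal. */
static size_t safe_len(const unsigned char *s, size_t n) {
    static const unsigned long min_cp[] = { 0, 0, 0x80, 0x800, 0x10000 };
    unsigned long cp;
    size_t len, i;
    if (s[0] < 0x80) return (s[0] >= 0x20 && s[0] != 0x7f); /* no C0, no DEL */
    if ((s[0] & 0xe0) == 0xc0)      { len = 2; cp = s[0] & 0x1f; }
    else if ((s[0] & 0xf0) == 0xe0) { len = 3; cp = s[0] & 0x0f; }
    else if ((s[0] & 0xf8) == 0xf0) { len = 4; cp = s[0] & 0x07; }
    else return 0;                         /* stray continuation or bad lead */
    if (len > n) return 0;                 /* sequence cut short */
    for (i = 1; i < len; i++) {
        if ((s[i] & 0xc0) != 0x80) return 0;
        cp = (cp << 6) | (s[i] & 0x3f);
    }
    if (cp < min_cp[len] || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff))
        return 0;                          /* overlong, out of range, surrogate */
    if (cp <= 0x9f) return 0;              /* C1 controls; U+009B acts as CSI */
    return len;
}

/* Copy name into out, writing '?' for every rejected byte (what the report
 * says top does). Returns the number of bytes replaced. */
size_t sanitize_name(const char *name, char *out, size_t outsz) {
    const unsigned char *s = (const unsigned char *)name;
    size_t n = strlen(name), i = 0, o = 0, replaced = 0;
    if (outsz == 0) return 0;
    while (i < n) {
        size_t len = safe_len(s + i, n - i);
        size_t step = len ? len : 1;
        if (o + step >= outsz) break;      /* truncate on a character boundary */
        if (len) memcpy(out + o, s + i, len);
        else { out[o] = '?'; replaced++; }
        o += step; i += step;
    }
    out[o] = '\0';
    return replaced;
}

int main(void) {
    char buf[64]; /* sample below is constructed: the test case's file name */
    size_t r = sanitize_name("\x1b[2J\x1b[H", buf, sizeof buf);
    printf("%s (%zu bytes replaced)\n", buf, r);
    return 0;
}
```

A nonzero return value is also a cheap signal worth surfacing, since ordinary process names rarely contain control bytes.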