[Bug 1890286] Re: ansi escape sequence injection in add-apt-repository

2020-08-12 Thread Jason A. Donenfeld
You might be right that the remaining ones that slip through your regex are mere "nuisance"s. But you know how those things go - one man's nuisance is another man's vuln. Some of those, anyhow, are implemented by the Linux console driver. Why not just take the tried and true "safe" route, as

[Bug 1890286] Re: ansi escape sequence injection in add-apt-repository

2020-08-12 Thread Marc Deslauriers
Hi, Could you elaborate which codes in that manpage you feel are dangerous and are actually implemented by the common terminals? The old screendump and window title codes were disabled long ago, I'm not sure any of the others are anything other than a nuisance.

[Bug 1890286] Re: ansi escape sequence injection in add-apt-repository

2020-08-12 Thread Jason A. Donenfeld
I'm not convinced that really cuts it. Namely, from the diff: -print(" %s" % (info["description"] or "")) +# strip ANSI escape sequences +description = re.sub(r"(\x9B|\x1B\[)[0-?]*[ -/]*[@-~]", + "", info["description"] or "") + +print("
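Review bot: the pattern in the added `re.sub` call only matches sequences introduced by `\x1B[` or `\x9B` (CSI), so any other escape sequence or raw control character in `info["description"]` still reaches the terminal. Consider replacing the pattern match with an allow-list that drops every non-printable character from the description before it is printed.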

[Bug 1890286] Re: ansi escape sequence injection in add-apt-repository

2020-08-12 Thread Launchpad Bug Tracker
This bug was fixed in the package software-properties - 0.96.24.32.14 --- software-properties (0.96.24.32.14) bionic-security; urgency=medium * SECURITY UPDATE: malicious repo could send ANSI sequences to terminal (LP: #1890286) - add-apt-repository: strip ANSI sequences

[Bug 1890286] Re: ansi escape sequence injection in add-apt-repository

2020-08-12 Thread Launchpad Bug Tracker
This bug was fixed in the package software-properties - 0.98.9.2 --- software-properties (0.98.9.2) focal-security; urgency=medium * SECURITY UPDATE: malicious repo could send ANSI sequences to terminal (LP: #1890286) - add-apt-repository: strip ANSI sequences from the

[Bug 1890286] Re: ansi escape sequence injection in add-apt-repository

2020-08-04 Thread Seth Arnold
Thanks Jason, please use CVE-2020-15709 for this issue. ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-15709 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1890286 Title: ansi

[Bug 1890286] Re: ansi escape sequence injection into add-apt-repository

2020-08-04 Thread Jason A. Donenfeld
Looks like this has come up before in other utilities and was fixed, such as https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1649352 . ** Summary changed: - ansi escape sequence injection into add-apt-repository + ansi escape sequence injection in add-apt-repository