Hi, Could you elaborate which codes in that manpage you feel are dangerous and are actually implemented by the common terminals? The old screendump and window title codes were disabled long ago, I'm not sure any of the others are anything other than a nuisance.
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to software-properties in Ubuntu. https://bugs.launchpad.net/bugs/1890286 Title: ansi escape sequence injection in add-apt-repository Status in software-properties package in Ubuntu: Fix Released Bug description: This was reported to oss-security and to secur...@ubuntu.com, but I figure I should make a real bug report, as otherwise it'll probably be missed. Original post from https://www.openwall.com/lists/oss- security/2020/08/03/1 follows below. -- Hi, I've found a rather low grade concern: I'm able to inject ANSI escape sequences into PPA descriptions on Launchpad, and then have them rendered by add-apt-repository *before* the user consents to actually adding that repository. There might be some sort of trust barrier issue with that. This could be used to clear the screen and imitate a fresh bash prompt, upload files, dump the current screen to a file, or other classic shenanigans, well chronicled in the archives of oss-sec. PoC time -- I'm using this "feature" for good at the moment to announce the deprecation in bold text of a PPA that I maintain: https://data.zx2c4.com/add-apt-repository-ansi-injection.png The proper fix to this is likely to do sanitization on the add-apt-repository side. Regards, Jason To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/1890286/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp