Bug#1110769: xterm: segfault in ScrnWriteText on 3-byte binary data
Package: xterm
Version: 398-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
I've just noticed that it is very easy to make xterm crash with
some binary data:
/usr/bin/xterm -e 'printf "\x9a\x85\x08"; sleep 2'
The backtrace:
$ gdb /usr/bin/xterm core.2173502
[...]
Core was generated by `/usr/bin/xterm -e printf\ \"\\x9a\\x85\\x08\"\;\ sleep\ 2'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 ScrnWriteText (xw=xw@entry=0x7f64cb324010, offset=offset@entry=0,
length=length@entry=36, flags=flags@entry=393216, cur_fg_bg=...)
at ../screen.c:925
warning: 925 ../screen.c: No such file or directory
(gdb) bt
#0 ScrnWriteText (xw=xw@entry=0x7f64cb324010, offset=offset@entry=0,
length=length@entry=36, flags=flags@entry=393216, cur_fg_bg=...)
at ../screen.c:925
#1 0x000055a713b46734 in WriteText (xw=xw@entry=0x7f64cb324010, offset=0,
length=length@entry=36) at ../util.c:1201
#2 0x000055a713aeb157 in dotext (xw=xw@entry=0x7f64cb324010,
charset=<optimized out>, buf=0x55a714df7d40, len=36) at ../charproc.c:7128
#3 0x000055a713af30af in doparsing (xw=xw@entry=0x7f64cb324010, c=99,
sp=<optimized out>) at ../charproc.c:3376
#4 0x000055a713afbe54 in VTparse (xw=xw@entry=0x7f64cb324010)
at ../charproc.c:6471
#5 0x000055a713afc0a9 in VTRun (xw=0x7f64cb324010) at ../charproc.c:9593
#6 0x000055a713adbb0a in main (argc=<optimized out>, argv=<optimized out>)
at ../main.c:3113
An attacker could make an xterm crash by providing such a sequence
in a text file. It is generally a bad idea to cat untrusted and
unfiltered data to a terminal, but here, the sequence is so simple
that it could pass through. Or it could be a mistake, as I've just
done (I forgot to remove "-o -" from arguments); this was on several
hundred KB of binary data, and I could reduce the testcase to
just 3 bytes.
-- System Information:
Debian Release: 13.0
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'testing-security'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.7.12-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages xterm depends on:
ii libc6 2.41-12
ii libfontconfig1 2.15.0-2.3
ii libfreetype6 2.13.3+dfsg-1
ii libice6 2:1.1.1-1
ii libtinfo6 6.5+20250216-2
ii libutempter0 1.2.1-4
ii libx11-6 2:1.8.12-1
ii libxaw7 2:1.0.16-1
ii libxext6 2:1.3.4-1+b3
ii libxft2 2.3.6-1+b4
ii libxinerama1 2:1.1.4-3+b4
ii libxmu6 2:1.1.3-3+b4
ii libxpm4 1:3.5.17-1+b3
ii libxt6t64 1:1.2.1-1.2+b2
ii xbitmaps 1.1.1-2.2
Versions of packages xterm recommends:
ii luit [luit] 2.0.20240910-1
ii x11-utils 7.7+7
Versions of packages xterm suggests:
pn xfonts-cyrillic <none>
-- no debconf information
--
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
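The report's mitigation advice is not to cat untrusted, unfiltered data to a terminal. Below is an added example (not part of the bug report or of xterm) of the kind of filter a tool can apply before writing bytes of unknown origin to a terminal: it renders every C0/C1 control character, format character and invalid UTF-8 byte as a visible escape, in the spirit of `cat -v`, so that raw control bytes such as the three in this report never reach the terminal emulator. The function name and the constructed sample inputs are assumptions of the example.

```python
import unicodedata

# Controls that are safe to pass through because they only move the cursor
# in a well-defined way; everything else in C0/C1 gets escaped.
SAFE_CONTROLS = {"\n", "\t"}

# Unicode general categories that should never be written raw to a terminal:
# Cc = control, Cf = format (e.g. bidi overrides), Cs = surrogate,
# Co = private use, Cn = unassigned.
UNSAFE_CATEGORIES = {"Cc", "Cf", "Cs", "Co", "Cn"}


def sanitize_for_terminal(data: bytes) -> str:
    """Return a printable representation of arbitrary bytes.

    The bytes are decoded as UTF-8 with 'surrogateescape', which maps every
    byte that is not valid UTF-8 to a lone surrogate U+DC80..U+DCFF.  Those,
    as well as control and format characters, are rewritten as \\xNN or
    \\uNNNN so the result contains only printable text plus newline and tab.
    """
    text = data.decode("utf-8", errors="surrogateescape")
    out = []
    for ch in text:
        cp = ord(ch)
        if 0xDC80 <= cp <= 0xDCFF:
            # A raw byte that was not part of a valid UTF-8 sequence
            # (e.g. a stray 0x9a or 0x85 continuation byte).
            out.append("\\x%02x" % (cp - 0xDC00))
        elif ch in SAFE_CONTROLS:
            out.append(ch)
        elif unicodedata.category(ch) in UNSAFE_CATEGORIES:
            # C0 (0x00-0x1f), DEL, C1 (0x80-0x9f) and format characters.
            out.append("\\u%04x" % cp if cp > 0xFF else "\\x%02x" % cp)
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs: the three bytes from the report, an ANSI
    # colour sequence, a valid UTF-8 accented letter, and a NEL (U+0085,
    # a C1 control encoded as valid UTF-8).
    for sample in (b"\x9a\x85\x08", b"ok\x1b[31mred\x1b[0m", b"caf\xc3\xa9", b"a\xc2\x85b"):
        print(repr(sample), "->", sanitize_for_terminal(sample))
```

Note that a C1 control is caught both as a raw byte (invalid UTF-8, first branch) and when it arrives as a valid two-byte UTF-8 encoding (category Cc, third branch); filtering only one of the two forms would leave a path for the other. The output is suitable for `print()` to a terminal because every remaining character is printable, a newline, or a tab.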