Re: Thoughts on the standardization of Org

[Tim Cross]

Jean Louis <bugs@gnu.support> writes:

> * Maxim Nikulin <manikulin@gmail.com> [2020-11-10 19:31]:
>> 2020-11-10 Greg Minshall wrote:
>> >
>> > i would guess
>> > using 'cat -v' to read e-mail is 100% safe.  even throwing in
>> > uudecode(1), or whatever is needed to decode base64, (and then piping
>> > through 'cat -v', of course ), it's probably still safe.
>>
>> Please, check that you have at least updated tmux before applying such
>> "safe" handler: https://www.openwall.com/lists/oss-security/2020/11/05/3 The
>> news are too recent to not mention the link in such context.
>>
>> The sour story is that it is unsafe to feed non-trusted files directly to
>> terminal. A filter against control sequences is required.
>
> Is there anyway to disable control sequences? Than cat can be aliased.


It should be noted that this vulnerability is a buffer overflow exploit
which ASLR effectively mitigates. This doesn't mean that it isn't a
serious bug in tmux, but it does mean that unless you have disabled
ASLR, there is no known exploit (i.e. it is only theoretical). Given the
popularity of tmux, I suspect it will be patched and a new version
released fairly quickly.

I guess this does highlight the point that *any* data from an external
source can potentially be a threat. You cannot eliminate the risks, only
manage them down to an acceptable level. What is acceptable will vary
for each user.

--
Tim Cross