If a terminal escape sequence is longer than 4096 characters
a stack overflow occurs in escaped_command.
It is unlikely that this happens and I cannot consider this a
security issue. First of all, if an attacker can send terminal
escape sequences, it would be probably easier to send input to
a running terminal. Or open files with hexedit for manipulation
anyway.
Also the attacker is limited to digits in their ASCII form
and an arbitrary byte followed by a \0. It's easy to crash the
program, but very hard to inject a useful ROP sequence.
It should still be fixed though, because hexedit allows the
execution of child processes (due to man support) and it's a
theoretical stability issue.
How to repeat: Enter ^[ (ctrl + [), [, and then > 4096 digits.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
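
An added example, not hexedit's code and not part of this commit: one way to collect an escape sequence (ASCII digits plus one final byte, then a \0) so that input longer than the 4096-byte buffer is rejected instead of written past the end of a stack buffer. The names collect_escape and demo and the sample input are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ESC_BUF_SIZE 4096  /* buffer size named in the commit message */

/*
 * Hypothetical helper (not hexedit's code): copy the body of an escape
 * sequence, i.e. a run of ASCII digits plus one final byte, into buf and
 * NUL-terminate it. `in` holds the bytes that follow "ESC [".
 * Returns the number of bytes stored (excluding the NUL), or -1 if the
 * sequence does not fit or the input ends before a final byte arrives.
 */
static int collect_escape(const unsigned char *in, size_t in_len,
                          char *buf, size_t buf_size)
{
    size_t n = 0;
    if (buf_size < 2)
        return -1;                  /* need room for one byte plus NUL */
    for (size_t i = 0; i < in_len; i++) {
        if (n + 1 >= buf_size) {    /* always keep one slot for the NUL */
            buf[0] = '\0';          /* discard the oversized sequence */
            return -1;
        }
        buf[n++] = (char)in[i];
        if (in[i] < '0' || in[i] > '9') {   /* final byte ends it */
            buf[n] = '\0';
            return (int)n;
        }
    }
    buf[0] = '\0';
    return -1;                      /* ran out of input mid-sequence */
}

/* Constructed input: `digits` ASCII digits followed by the final byte '~'. */
static int demo(size_t digits)
{
    static unsigned char in[8192];
    char buf[ESC_BUF_SIZE];
    if (digits + 1 > sizeof(in))
        return -2;
    memset(in, '7', digits);
    in[digits] = '~';
    return collect_escape(in, digits + 1, buf, sizeof(buf));
}

int main(void)
{
    printf("short: %d, oversized: %d\n", demo(3), demo(5000));
    return 0;
}
```

The bound is checked before every store, so the largest accepted sequence is 4094 digits plus the final byte, leaving the last slot for the terminator.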