
I don't understand this one: poppler: code execution


Posted Aug 30, 2013 15:57 UTC (Fri) by raven667 (subscriber, #5198)
In reply to: I don't understand this one: poppler: code execution by debacle
Parent article: poppler: code execution

I don't think escape codes are a trick; they are the primary means to set colors, title bars, etc., and to claim VT100 or better emulation requires all sorts of features through escape codes, so that any program which can output text to a terminal can also use those features. Some features in the terminal can involve running a command. In many cases this isn't a problem, because any program you run from an interactive terminal runs with your permissions anyway, so there is no need for any special security handling. It's just in this case, where a program can output text from an untrustworthy source that will be interpreted by the terminal and that isn't sanity checked, that you can have a problem. We've had the same problem in the past with viewing logs which could contain escape codes in a terminal.
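One way to do the sanity check the comment refers to before untrusted text reaches a terminal, shown as an added example that is not part of the original comment or of poppler. The function names and the sample log lines are constructed for illustration.

```python
import re

# Characters a terminal may act on instead of displaying: C0 controls
# (tab and newline are kept), DEL, and the 8-bit C1 range.
CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")

# Sequence introducers, used only for reporting. Sanitising does not depend
# on recognising them, so an unlisted or malformed sequence is still
# neutralised character by character.
SHAPES = [
    ("OSC", re.compile(r"\x1b\]|\x9d")),     # operating system command (titles)
    ("CSI", re.compile(r"\x1b\[|\x9b")),     # control sequence (colors, cursor)
    ("ESC", re.compile(r"\x1b(?![\[\]])")),  # any other escape
]


def sanitize(text):
    """Return text with every control character shown as a visible \\xNN."""
    return CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), text)


def describe(text):
    """Name the kinds of escape sequence introduced in text, for alerting."""
    return [name for name, shape in SHAPES if shape.search(text)]


# Constructed sample lines whose quoted or trailing fields come from an
# untrusted source (a user agent, a file name, a user name).
SAMPLES = [
    'GET /index.html 200 "Mozilla/5.0"',
    'GET /a 404 "\x1b]0;constructed title\x07agent"',
    'open failed: report\x1b[2K\rall clear.pdf',
    'user=\x9b31mroot',
]

if __name__ == "__main__":
    for line in SAMPLES:
        kinds = describe(line)
        flag = ",".join(kinds) if kinds else "clean"
        # Only the sanitised form is ever written to the terminal.
        print("[%s] %s" % (flag, sanitize(line)))
```

Carriage return is neutralised along with the escape characters because it lets later text overwrite what was already shown on the line.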

