[PATCH] CVE-2024-58251 - ANSI terminal escape sequence potential local denial of service
Valery Ushakov
uwe at NetBSD.org
Wed Aug 27 21:55:59 UTC 2025
On Wed, Aug 27, 2025 at 21:19:33 +0200, Roberto A. Foglietta wrote:
> Swiss Gruyère cheese around the holes, more holes than cheese! LOL
Amen. :)
This really needs a consistent uniform approach, where "tainted" input
can be uniformly escaped with something like vis(3) (see also vis(1)):
https://man.netbsd.org/vis.3 and the corresponding option needs to be
the default if the output is to the terminal, but then you need to
have two options for any such utility to turn the escaping on and off.
And then there's the C1 vs UTF-8 issue, etc...
Although, then people that use less(1) in raw mode to see the fancy
colors in the output of their favorite utilities might get
"attacked", I guess :)
PS: If you think terminal commands in the output are bad, remember
that there was a whole window system that operated via escape
sequences written to stdout https://en.wikipedia.org/wiki/ManaGeR
%-)
-uwe
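A sketch of the approach the message describes, as an added example that is not part of the original post and is neither busybox nor NetBSD code: untrusted bytes are written in a vis(3)-like octal style, on by default only when the output is a terminal. It does not call vis(3) itself; `esc_mode`, `want_escape`, `utf8_len` and `term_escape` are hypothetical names, and treating both raw 8-bit C1 bytes and UTF-8 encoded U+0080..U+009F as unsafe is this example's answer to the C1 vs UTF-8 question.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum esc_mode { ESC_AUTO, ESC_ON, ESC_OFF };  /* hypothetical option values */

/* Default: escape only when fd is a terminal; the two options override that. */
int want_escape(enum esc_mode m, int fd)
{
    return m == ESC_ON || (m == ESC_AUTO && isatty(fd));
}

/* Length of the well-formed UTF-8 sequence at p (n bytes left), 0 if malformed. */
static size_t utf8_len(const unsigned char *p, size_t n)
{
    size_t len, i;
    /* Second-byte range; narrowed to reject overlongs, surrogates, > U+10FFFF. */
    unsigned char lo = p[0] == 0xE0 ? 0xA0 : p[0] == 0xF0 ? 0x90 : 0x80;
    unsigned char hi = p[0] == 0xED ? 0x9F : p[0] == 0xF4 ? 0x8F : 0xBF;
    if (p[0] >= 0xC2 && p[0] <= 0xDF) len = 2;
    else if (p[0] >= 0xE0 && p[0] <= 0xEF) len = 3;
    else if (p[0] >= 0xF0 && p[0] <= 0xF4) len = 4;
    else return 0;
    if (n < len || p[1] < lo || p[1] > hi) return 0;
    for (i = 2; i < len; i++)
        if ((p[i] & 0xC0) != 0x80) return 0;
    return len;
}

/* Copy in[0..n) to out (NUL-terminated), writing unsafe bytes as \ooo.
 * Returns the output length, or (size_t)-1 if out is too small. */
size_t term_escape(const unsigned char *in, size_t n, char *out, size_t outsz)
{
    size_t i = 0, o = 0, len;
    while (i < n) {
        unsigned char c = in[i];
        if (o + 5 > outsz) return (size_t)-1;  /* widest unit (4) + NUL */
        if ((c >= 0x20 && c < 0x7F && c != '\\') || c == '\n' || c == '\t') {
            out[o++] = (char)c; i++;
        } else if ((len = utf8_len(in + i, n - i)) && !(c == 0xC2 && in[i + 1] < 0xA0)) {
            memcpy(out + o, in + i, len); o += len; i += len;  /* printable UTF-8 */
        } else {
            o += (size_t)sprintf(out + o, "\\%03o", (unsigned)c); i++;  /* C0, DEL, C1, junk */
        }
    }
    if (o >= outsz) return (size_t)-1;
    out[o] = '\0';
    return o;
}
```

Backslash itself is written as `\134` so the escaped form stays unambiguous, and carriage return is escaped along with the other C0 controls because it can be used to overwrite earlier text on the same line.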