[Bug 1649352] Re: http direct to terminals?

Dustin Kirkland  dustin.kirkland at gmail.com
Fri Dec 16 16:35:47 UTC 2016 

** Changed in: base-files (Ubuntu)
     Assignee: (unassigned) => Dustin Kirkland  (kirkland)

** Changed in: base-files (Ubuntu)
       Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to base-files in Ubuntu.
https://bugs.launchpad.net/bugs/1649352

Title:
  http direct to terminals?

Status in base-files package in Ubuntu:
  In Progress

Bug description:
  Hi Dustin,

  Some recent changes introduced what looks to be a serious problem:

  http://launchpadlibrarian.net/296647523/base-
  files_9.6ubuntu7_9.6ubuntu8.diff.gz

  -SERVER="https://motd.ubuntu.com"
  +# White space separated list of 0 to many news services
  +SERVER="http://motd.ubuntu.com"
  [...]
  +	if curl --connect-timeout "$WAIT" --max-time "$WAIT" -A "$USER_AGENT" -o- "$s" >"$NEWS" 2>"$ERR"; then
  +		echo
  +		# At most, 2 lines of at most 80 characters
  +		cat "$NEWS" | tail -n 2 | cut -c -80

  This allows any network man-in-the-middle attacker, DNS response
  forger, or BGP forger, to write 160 raw bytes directly to terminals.

  The previous version wasn't good (open for abuse by anyone who could
  trick one of the myriad x.509 Certificate Authorities to mis-issue a
  certificate) but this version is open for abuse by significantly more
  attackers.

  While most terminals are reasonably safe against outright
  maliciousness this has been a recurring exploitation theme for twenty
  years, and even what is "safe" for them to display could be wildly
  confusing to users unfamiliar with maliciously controlled terminals.
  (And users have wide tastes in terminals, some are fairly brittle.)

  cat(1) does not do any filtering for 'safe' display of arbitrary
  inputs. less(1) does, assuming -r is not in LESS environment variable
  or the less(1) command line. If you wish to keep the pipeline, perhaps
  tr(1)'s -d flag could be useful.

  On a related note, is there a reason why the motd.ubuntu.com server
  can't do HTTPS?

  Thanks

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1649352/+subscriptions

More information about the foundations-bugs mailing list