Debian Bug report logs - #504144
htop: Does not filter non-printable characters in process names


Package: htop; Maintainer for htop is Eugene V. Lyubimkin <jackyf@debian.org>; Source for htop is src:htop.

Reported by: Josh Triplett <josh@joshtriplett.org>

Date: Sat, 1 Nov 2008 01:27:01 UTC

Severity: normal

Tags: patch, security

Found in version htop/0.7-1

Fixed in version htop/0.8.1-2

Done: jackyf.devel@gmail.com (Eugene V. Lyubimkin)

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, josh@freedesktop.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Bartosz Fenski <fenio@debian.org>:
Bug#504144; Package htop. (Sat, 01 Nov 2008 01:27:03 GMT) Full text and rfc822 format available.

Message #3 received at submit@bugs.debian.org (full text, mbox):

From: Josh Triplett <josh@freedesktop.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: htop: Does not filter non-printable characters in process names
Date: Fri, 31 Oct 2008 18:23:31 -0700
Package: htop
Version: 0.7-1
Severity: grave
Tags: security
Justification: user security hole

htop does not filter non-printable characters in process names.  Test
case:

echo -e '#!/bin/sh\nwhile :;do :;done' > $(echo -ne '\e[2J\e[H')
chmod a+x $(echo -ne '\e[2J\e[H')
./$(echo -ne '\e[2J\e[H')

top changes the non-printable characters to question marks.  htop
prints them unchanged, and thus corrupts its own display.  More subtle
escape sequences could hide a process entirely, or do more malicious
things depending on the capabilities of the terminal displaying htop.

- Josh Triplett




Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#504144; Package htop. (Sat, 01 Nov 2008 13:48:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Sat, 01 Nov 2008 13:48:02 GMT) Full text and rfc822 format available.

Message #8 received at 504144@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Josh Triplett <josh@freedesktop.org>, 504144@bugs.debian.org
Subject: Re: Bug#504144: htop: Does not filter non-printable characters in process names
Date: Sat, 1 Nov 2008 14:44:45 +0100
[Message part 1 (text/plain, inline)]
Hi Josh,
* Josh Triplett <josh@freedesktop.org> [2008-11-01 04:16]:
> Package: htop
> Version: 0.7-1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> htop does not filter non-printable characters in process names.  Test
> case:
> 
> echo -e '#!/bin/sh\nwhile :;do :;done' > $(echo -ne '\e[2J\e[H')
> chmod a+x $(echo -ne '\e[2J\e[H')
> ./$(echo -ne '\e[2J\e[H')
> 
> top changes the non-printable characters to question marks.  htop
> prints them unchanged, and thus corrupts its own display.  More subtle
> escape sequences could hide a process entirely, or do more malicious
> things depending on the capabilities of the terminal displaying htop.

I'm not sure if that is really a security problem or more a 
regular bug as processes can hide their names already pretty 
good by manipulating argv[0].

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, josh@freedesktop.org, Bartosz Fenski <fenio@debian.org>:
Bug#504144; Package htop. (Sun, 02 Nov 2008 04:09:06 GMT) Full text and rfc822 format available.

Message #11 received at 504144@bugs.debian.org (full text, mbox):

From: Josh Triplett <josh@freedesktop.org>
To: Debian Bug Tracking System <504144@bugs.debian.org>
Subject: Re: Bug#504144: htop: Does not filter non-printable characters in process names
Date: Sat, 01 Nov 2008 21:06:20 -0700
Package: htop
Version: 0.7-1
Followup-For: Bug #504144

Nico Golde wrote:
>* Josh Triplett <josh@freedesktop.org> [2008-11-01 04:16]:
>> Package: htop
>> Version: 0.7-1
>> Severity: grave
>> Tags: security
>> Justification: user security hole
>> 
>> htop does not filter non-printable characters in process names.  Test
>> case:
>> 
>> echo -e '#!/bin/sh\nwhile :;do :;done' > $(echo -ne '\e[2J\e[H')
>> chmod a+x $(echo -ne '\e[2J\e[H')
>> ./$(echo -ne '\e[2J\e[H')
>> 
>> top changes the non-printable characters to question marks.  htop
>> prints them unchanged, and thus corrupts its own display.  More subtle
>> escape sequences could hide a process entirely, or do more malicious
>> things depending on the capabilities of the terminal displaying htop.
>  
> I'm not sure if that is really a security problem or more a 
> regular bug as processes can hide their names already pretty 
> good by manipulating argv[0].

Processes can hide their names, yes, but a line in htop with no
process name looks suspicious.  However, a carefully written process
name could hide the entire line, not just the process name.

Furthermore, consider some of the crazy control strings which some
terminals have offered in the past.  On such a terminal, a malicious
process name could set keyboard shortcuts, print to a printer,
manipulate the terminal window, set and then paste the clipboard
contents, write files, or other crazy things.

- Josh Triplett

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.27-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages htop depends on:
ii  libc6                     2.7-15         GNU C Library: Shared libraries
ii  libncurses5               5.6+20081025-1 shared libraries for terminal hand

htop recommends no packages.

htop suggests no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#504144; Package htop. (Sun, 02 Nov 2008 12:09:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Sun, 02 Nov 2008 12:09:07 GMT) Full text and rfc822 format available.

Message #16 received at 504144@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Josh Triplett <josh@freedesktop.org>, 504144@bugs.debian.org
Subject: Re: Bug#504144: htop: Does not filter non-printable characters in process names
Date: Sun, 2 Nov 2008 13:05:34 +0100
[Message part 1 (text/plain, inline)]
Hi Josh,
* Josh Triplett <josh@freedesktop.org> [2008-11-02 12:12]:
> Nico Golde wrote:
> >* Josh Triplett <josh@freedesktop.org> [2008-11-01 04:16]:
[...] 
> >> top changes the non-printable characters to question marks.  htop
> >> prints them unchanged, and thus corrupts its own display.  More subtle
> >> escape sequences could hide a process entirely, or do more malicious
> >> things depending on the capabilities of the terminal displaying htop.
> >  
> > I'm not sure if that is really a security problem or more a 
> > regular bug as processes can hide their names already pretty 
> > good by manipulating argv[0].
> 
> Processes can hide their names, yes, but a line in htop with no
> process name looks suspicious.  However, a carefully written process
> name could hide the entire line, not just the process name.
> 
> Furthermore, consider some of the crazy control strings which some
> terminals have offered in the past.  On such a terminal, a malicious
> process name could set keyboard shortcuts, print to a printer,
> manipulate the terminal window, set and then paste the clipboard
> contents, write files, or other crazy things.

Ok got your point, I agree with you. I'm going to request a 
CVE id for this.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#504144; Package htop. (Tue, 11 Nov 2008 23:33:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Tue, 11 Nov 2008 23:33:03 GMT) Full text and rfc822 format available.

Message #21 received at 504144@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Nico Golde <nion@debian.org>
Cc: Josh Triplett <josh@freedesktop.org>, 504144@bugs.debian.org
Subject: Re: Bug#504144: htop: Does not filter non-printable characters in process names
Date: Wed, 12 Nov 2008 00:31:27 +0100
Nico Golde wrote:
> > Processes can hide their names, yes, but a line in htop with no
> > process name looks suspicious.  However, a carefully written process
> > name could hide the entire line, not just the process name.
> > 
> > Furthermore, consider some of the crazy control strings which some
> > terminals have offered in the past.  On such a terminal, a malicious
> > process name could set keyboard shortcuts, print to a printer,
> > manipulate the terminal window, set and then paste the clipboard
> > contents, write files, or other crazy things.
> 
> Ok got your point, I agree with you. I'm going to request a 
> CVE id for this.

This is hardly an RC security issue.

Cheers,
        Moritz




Severity set to `normal' from `grave' Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Fri, 14 Nov 2008 23:48:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#504144; Package htop. (Sat, 15 Nov 2008 03:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Andrew O. Shadoura" <bugzilla@tut.by>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Sat, 15 Nov 2008 03:18:03 GMT) Full text and rfc822 format available.

Message #28 received at 504144@bugs.debian.org (full text, mbox):

From: "Andrew O. Shadoura" <bugzilla@tut.by>
To: 504144@bugs.debian.org
Subject: htop: Does not filter non-printable characters in process names
Date: Sat, 15 Nov 2008 05:12:17 +0200
[Message part 1 (text/plain, inline)]
Tags: patch

Hello.

Here's the patch that fixes this behaviour.

-- 
WBR, Andrew
[htop.patch (text/x-diff, inline)]
diff -r d816b3b76b28 RichString.c
--- a/RichString.c	Sat Nov 15 04:42:09 2008 +0200
+++ b/RichString.c	Sat Nov 15 05:09:32 2008 +0200
@@ -29,7 +29,7 @@
 inline void RichString_appendn(RichString* this, int attrs, char* data, int len) {
    int last = MIN(RICHSTRING_MAXLEN - 1, len + this->len);
    for (int i = this->len, j = 0; i < last; i++, j++)
-      this->chstr[i] = data[j] | attrs;
+      this->chstr[i] = ((data[j] > 31) ? data[j] : '?' ) | attrs;
    this->chstr[last] = 0;
    this->len = last;
 }
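Review bot: The `data[j] > 31` test on the added line is not a complete printable check. `data` is a plain `char*`, so DEL (127) always passes; where `char` is unsigned the bytes 128 to 159 pass too, and where `char` is signed every byte at or above 128 is replaced by '?', so the result differs between platforms. Consider `isprint((unsigned char)data[j]) ? data[j] : '?'` and add a comment saying what is intended for non-ASCII bytes.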
[signature.asc (application/pgp-signature, inline)]

Tags added: patch Request was from "Andrew O. Shadoura" <bugzilla@tut.by> to control@bugs.debian.org. (Sat, 15 Nov 2008 03:33:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, josh@freedesktop.org, Bartosz Fenski <fenio@debian.org>:
Bug#504144; Package htop. (Tue, 02 Dec 2008 20:24:06 GMT) Full text and rfc822 format available.

Message #33 received at 504144@bugs.debian.org (full text, mbox):

From: Josh Triplett <josh@freedesktop.org>
To: Debian Bug Tracking System <504144@bugs.debian.org>
Subject: htop: Does not filter non-printable characters in process names
Date: Tue, 02 Dec 2008 12:18:27 -0800
Package: htop
Followup-For: Bug #504144

isprint seems preferable to a comparison against 31.

- Josh Triplett

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.27-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages htop depends on:
ii  libc6                     2.7-16         GNU C Library: Shared libraries
ii  libncurses5               5.7+20081129-1 shared libraries for terminal hand

htop recommends no packages.

htop suggests no packages.

-- no debconf information
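
The two filters discussed in this thread, compared side by side as an added example (not part of any message in this bug log and not htop's code). All function names and the sample name are constructed for illustration; the sample extends the test-case sequence with DEL and the 8-bit CSI byte.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample name: ESC[2J ESC[H (as in the test case), then DEL (0x7f),
 * then the 8-bit CSI byte 0x9b, then "sh". */
static const char SAMPLE[] = "\x1b[2J\x1b[H\x7f\x9b" "sh";
#define SAMPLE_LEN (sizeof SAMPLE - 1)

/* The comparison used in the posted patch. */
static char keep_gt31(char c) { return (c > 31) ? c : '?'; }

/* The isprint() alternative; the cast avoids undefined behaviour for
 * negative char values. In the default "C" locale only 0x20..0x7e pass. */
static char keep_isprint(char c) { return isprint((unsigned char)c) ? c : '?'; }

/* Apply a per-byte filter; out must hold len + 1 bytes. */
static void filter(const char *in, size_t len, char *out, char (*keep)(char)) {
    for (size_t i = 0; i < len; i++)
        out[i] = keep(in[i]);
    out[len] = '\0';
}

/* Count bytes a terminal may still treat as control codes: C0, DEL, C1. */
static int control_bytes(const char *s, size_t len) {
    int n = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c < 0x20 || c == 0x7f || (c >= 0x80 && c <= 0x9f))
            n++;
    }
    return n;
}

/* Control bytes left in the sample after each filter. */
static int survivors_gt31(void) {
    char out[SAMPLE_LEN + 1];
    filter(SAMPLE, SAMPLE_LEN, out, keep_gt31);
    return control_bytes(out, SAMPLE_LEN);
}

static int survivors_isprint(void) {
    char out[SAMPLE_LEN + 1];
    filter(SAMPLE, SAMPLE_LEN, out, keep_isprint);
    return control_bytes(out, SAMPLE_LEN);
}

int main(void) {
    printf("raw:     %d control bytes\n", control_bytes(SAMPLE, SAMPLE_LEN));
    printf("> 31:    %d left (DEL always; 0x9b too where char is unsigned)\n",
           survivors_gt31());
    printf("isprint: %d left\n", survivors_isprint());
    return 0;
}
```

A byte-wise isprint() filter in the "C" locale also replaces every byte of a multibyte UTF-8 name with '?'.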




Reply sent to jackyf.devel@gmail.com (Eugene V. Lyubimkin):
You have taken responsibility. (Mon, 08 Dec 2008 17:45:15 GMT) Full text and rfc822 format available.

Notification sent to Josh Triplett <josh@freedesktop.org>:
Bug acknowledged by developer. (Mon, 08 Dec 2008 17:45:15 GMT) Full text and rfc822 format available.

Message #38 received at 504144-close@bugs.debian.org (full text, mbox):

From: jackyf.devel@gmail.com (Eugene V. Lyubimkin)
To: 504144-close@bugs.debian.org
Subject: Bug#504144: fixed in htop 0.8.1-2
Date: Mon, 08 Dec 2008 17:32:03 +0000
Source: htop
Source-Version: 0.8.1-2

We believe that the bug you reported is fixed in the latest version of
htop, which is due to be installed in the Debian FTP archive:

htop_0.8.1-2.diff.gz
  to pool/main/h/htop/htop_0.8.1-2.diff.gz
htop_0.8.1-2.dsc
  to pool/main/h/htop/htop_0.8.1-2.dsc
htop_0.8.1-2_i386.deb
  to pool/main/h/htop/htop_0.8.1-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 504144@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eugene V. Lyubimkin <jackyf.devel@gmail.com> (supplier of updated htop package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 06 Dec 2008 11:03:18 +0200
Source: htop
Binary: htop
Architecture: source i386
Version: 0.8.1-2
Distribution: experimental
Urgency: low
Maintainer: Eugene V. Lyubimkin <jackyf.devel@gmail.com>
Changed-By: Eugene V. Lyubimkin <jackyf.devel@gmail.com>
Description: 
 htop       - interactive processes viewer
Closes: 470280 480541 484771 486213 488912 494646 499928 504144 507423
Changes: 
 htop (0.8.1-2) experimental; urgency=low
 .
   * Disabled unicode support, it has both build and work problems yet.
     (Closes: #507423)
   * debian/patches:
     - New patch 200-filter-non-printable-characters.patch to filter
       non-printable characters in process names. Thanks to Josh Triplett
       and Andrew O. Shadoura. (Closes: #504144)
     - 010-make-desktop-file-valid.patch: comment added.
   * debian/control:
     - Added '${misc:Depends}' to 'Depends', fixes lintian warning.
     - Added 'python-minimal' to 'Build-Depends' for MakeHeader.py.
 .
 htop (0.8.1-1) experimental; urgency=low
 .
   * New maintainer. Thanks for work, Bartosz Fenski!
   * New upstream release:
     - Changes in 0.8.1 (Closes: #499928):
       - Linux-VServer support.
       - Battery meter (Closes: #484771).
       - Fixed collection of IO stats in multithreaded processes.
       - Removed assertion that fails on hardened kernels.
     - Changes in 0.8.0 (Closes: #494646, #486213):
       - Ability to change sort column with the mouse by
         clicking column titles.
       - Added support for Linux per-process IO statistics.
       - Added Unicode support.
       - Fixed display of CPU count for threaded processes.
       - Avoid crashing when using many meters.
     - Other fixes:
       - Significantly increased line length limit (to 65535).
         (Closes: #470280)
   * debian/control:
     - Bumped 'Standards-Version' to 3.8.0, no changes needed.
     - Changed Build-Depends on debhelper to (>= 7) and 'libncurses5-dev' ->
       'libncursesw5-dev'. Added dependency on quilt (>= 0.40).
   * debian/rules:
     - Some cleanup, used debhelper v7 commands.
     - Pass '--enable-taskstats' and '--enable-unicode' options to configure.
     - Pass '--enable-openvz' to configure. (Closes: #480541)
   * debian/patches:
     - New 010-make-desktop-file-valid.patch: makes desktop file valid.
       Thanks to Nathan Handler <nathan.handler@gmail.com> (Closes: #488912)
   * debian/copyright:
     - Fixed path for GPLv2 license.
   * debian/menu:
     - Set proper section, removed hint (now useless).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkk9WIgACgkQhQui3hP+/EBRjwCgm43O25NjOWcSWD8gxJ8g1xkP
5a8AoLBRETj7URghfToV6M5f9vap37Vo
=/MlL
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 02 Jul 2009 07:40:33 GMT) Full text and rfc822 format available.

Bug unarchived. Request was from Josh Triplett <josh@joshtriplett.org> to control@bugs.debian.org. (Sat, 04 Jul 2009 09:09:13 GMT) Full text and rfc822 format available.

Changed Bug submitter from Josh Triplett <josh@freedesktop.org> to Josh Triplett <josh@joshtriplett.org>. Request was from Josh Triplett <josh@joshtriplett.org> to control@bugs.debian.org. (Sat, 04 Jul 2009 09:09:14 GMT) Full text and rfc822 format available.

Bug archived. Request was from Josh Triplett <josh@joshtriplett.org> to control@bugs.debian.org. (Sat, 04 Jul 2009 09:09:14 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 17:45:00 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.