Date:   Fri, 20 Jan 2017 14:16:11 +0100
From:   Adam Borowski <kilobyte@...band.pl>
To:     Greg KH <gregkh@...uxfoundation.org>
Cc:     Manuel Schölling <manuel.schoelling@....de>,
        jslaby@...e.com, lkml14@...tdoyle.com, rdunlap@...radead.org,
        shorne@...il.com, andrey_utkin@...tmail.com,
        akpm@...ux-foundation.org, paul.burton@...tec.com,
        daniel.vetter@...ll.ch, tj@...nel.org, hdegoede@...hat.com,
        linux-kernel@...r.kernel.org, linux-fbdev@...r.kernel.org
Subject: Re: [PATCH v10 3/4] console: Add persistent scrollback buffers for
 all VGA consoles

On Fri, Jan 20, 2017 at 12:04:12AM +0100, Adam Borowski wrote:
> On Thu, Jan 19, 2017 at 05:33:14PM +0100, Greg KH wrote:
> > On Thu, Jan 19, 2017 at 05:12:15PM +0100, Manuel Schölling wrote:
> > > On Thu, 2017-01-19 at 14:23 +0100, Greg KH wrote:
> > > > On Fri, Jan 13, 2017 at 09:07:57PM +0100, Manuel Schölling wrote:
> > > > > +	  This feature might break your tool of choice to flush
> > > > > the scrollback
> > > > > +	  buffer, e.g. clear(1) will work fine but Debian's
> > > > > clear_console(1)
> > > > > +	  will be broken, which might cause security issues.
> > > > > +	  You can use the escape sequence \e[3J instead if this
> > > > > feature is
> > > > > +	  activated.
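Review bot: The help text says a broken clear_console(1) "might cause security issues" without naming the issue, in the sentence ending "will be broken, which might cause security issues." State the consequence directly, for example that with this feature active clear_console(1) no longer flushes the scrollback buffer, so earlier output stays readable on that console. It would also help to say that \e[3J is the sequence that flushes the scrollback, so the last sentence reads as the replacement for the broken tool and not as a general hint.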
> > 
> > I'd recommend that patch get to clear_console() first, having it use the
> > new escape sequence, if it isn't supported, shouldn't cause any
> > problems, right?
> 
> doko: would you consider, pretty please with a cherry on top, applying the
> patch I've sent to this bug?  The privacy/security issue is pretty minor and
> applies only to a tiny fraction of users, but I understand why Greg is
> reluctant.

# Subject: Bug#845177 closed by Matthias Klose <doko@...ian.org>
#
# This is an automatic notification regarding your Bug report
# which was filed against the bash package:
#
# #845177: clear_console: assumes VT switch clears scrollback
#
# It has been closed by Matthias Klose <doko@...ian.org>.
[...]
# Changes:
#    * clear_console: Securely erase the current console. Closes: #845177.

-- 
Autotools hint: to do a zx-spectrum build on a pdp11 host, type:
  ./configure --host=zx-spectrum --build=pdp11
