On 10/05/2012 02:39 AM, Darren Tucker wrote: > On Tue, Sep 25, 2012 at 9:12 PM, balu chandra <balu9463@xxxxxxxxx> wrote: >> I also found little information inthe changelog on why strnvis() was >> introduced in input_userauth_banner. Is it added to address any >> security vulnerability. > > I believe the intent was to prevent a malicious server from sending a > banner containing a terminal answerback command sequence. I'm not > aware of any UTF-8 aware equivalent of strnvis, though (if someone > knows of one we'll look at using it). > I've asked my colleagues for help with [1] and it comes to that the case you describe might not be an issue at all. The banner is sent after a server is authenticated to a client and a client can always suppress printing a banner using -q option if he doesn't trust it. And what would stop a malicious server from sending a terminal answerback command sequence during a session instead in preauth phase? Is there any relevant discussion related to this problem from past with more specific information? [1] https://bugzilla.mindrot.org/show_bug.cgi?id=2058 Petr
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev