NetBSD Problem Report #60154
From www@netbsd.org Tue Mar 31 23:03:33 2026
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits)
client-signature RSA-PSS (2048 bits))
(Client CN "mail.netbsd.org", Issuer "R12" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 36F121A9239
for <gnats-bugs@gnats.NetBSD.org>; Tue, 31 Mar 2026 23:03:33 +0000 (UTC)
Message-Id: <20260331230331.E46971A923F@mollari.NetBSD.org>
Date: Tue, 31 Mar 2026 23:03:31 +0000 (UTC)
From: arraybolt3@riseup.net
Reply-To: arraybolt3@riseup.net
To: gnats-bugs@NetBSD.org
Subject: sha256 and related checksum utilities fail to escape filenames printed to a terminal
X-Send-Pr-Version: www-1.0
X-From4GNATS: "arraybolt3@riseup.net via gnats" <gnats-admin@NetBSD.org>
>Number: 60154
>Category: bin
>Synopsis: sha256 and related checksum utilities fail to escape filenames printed to a terminal
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Mar 31 23:05:00 +0000 2026
>Last-Modified: Mon May 04 14:10:01 +0000 2026
>Originator: Aaron Rainbolt
>Release: 10.1
>Organization:
ENCRYPTED SUPPORT LLC (Whonix)
>Environment:
NetBSD netbsd-test 10.1 NetBSD 10.1 (GENERIC) #0: Mon Dec 16 13:00:11 UTC 2024 mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
When using 'sha256 -c hashes-file', filenames present in 'hashes-file' will be printed verbatim to the terminal without escaping. This allows an attacker who can trick a user into downloading a hashes file and using 'sha256 -c' on it without checking its contents to manipulate the user's terminal, or to attempt to exploit terminal emulator vulnerabilities.
I recently reported a very similar issue to the GNU Coreutils maintainers, who blocked the hole by escaping the output of sha256sum when running in "--check" mode more defensively. See https://github.com/coreutils/coreutils/commit/b3fe24213ee350835097cefa8d0154f78ffd9d67. Something similar may be usable here. If programmatic output parsing is a concern, perhaps this can only be done when stdout/stderr is connected to a (pseudo)terminal.
>How-To-Repeat:
In a terminal, run:
printf 'SHA256 (\033[1;1H\033[0J\033[30m) = 0000000000000000000000000000000000000000000000000000000000000000' > mal
sha256 -c mal
Upon running 'sha256 -c mal', the entire screen is cleared and the prompt becomes invisible, requiring one to blindly run 'reset' to recover it.
>Fix:
>Audit-Trail:
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/60154: sha256 and related checksum utilities fail to escape filenames printed to a terminal
Date: Wed, 1 Apr 2026 12:41:09 +0200
Here is a suggested patch that seems to fix it for me.
Output from the "mal" file in this PR looks now like this:
(SHA256) \^[\[1\;1H\^[\[0J\^[\[30m: FAILED
Martin
Index: cksum.c
===================================================================
RCS file: /cvsroot/src/usr.bin/cksum/cksum.c,v
retrieving revision 1.52
diff -u -p -r1.52 cksum.c
--- cksum.c 25 Jun 2022 02:22:42 -0000 1.52
+++ cksum.c 1 Apr 2026 10:38:14 -0000
@@ -101,6 +101,7 @@ __RCSID("$NetBSD: cksum.c,v 1.52 2022/06
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#include <vis.h>
#include "extern.h"
@@ -289,6 +290,7 @@ main(int argc, char **argv)
char *s, *p_filename, *p_cksum;
int l_filename, l_cksum;
char filename[BUFSIZ];
+ char safe_filename[BUFSIZ*4+1];
char cksum[BUFSIZ];
int ok,cnt,badcnt;
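Review bot: the BUFSIZ*4+1 sizing of safe_filename is the correct worst case for strnvis(3), which can emit up to four output bytes per input byte plus the terminating NUL, but nothing at the declaration says so; a one-line comment ("4 bytes per input char + NUL, see vis(3)") would spare the next reader the lookup and stop someone "fixing" it to BUFSIZ later.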
@@ -420,6 +422,15 @@ main(int argc, char **argv)
strlcpy(filename, p_filename, l_filename+1);
strlcpy(cksum, p_cksum, l_cksum+1);
+ if (strnvis(safe_filename, sizeof(safe_filename),
+ filename, VIS_META|VIS_CSTYLE) == -1) {
+ if (check_warn)
+ warnx("strnvis failed, can not print "
+ "filename");
+ rval = 1;
+ continue;
+ }
+
if (hash) {
char *h;
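Review bot: when strnvis() fails, the `continue` skips the `cnt++` and `badcnt++` bookkeeping further down, so an entry whose name cannot be printed is neither counted nor reported as failed in the summary even though rval is set to 1; consider incrementing cnt and badcnt before the `continue` so the totals stay honest. Two smaller points: VIS_META includes VIS_WHITE, so with VIS_CSTYLE a harmless name such as "my file" is now printed as "my\sfile" (the "\[" and "\;" in the sample output come from VIS_GLOB and VIS_SHELL likewise), which is worth a mention in the man page since scripts that parse -c output will see different text; and the submitter's suggestion of only escaping when stdout is a terminal is not taken here, which is a defensible choice (consistent output) but should be stated deliberately. Nit: "can not print" reads better as "cannot print".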
@@ -432,7 +443,7 @@ main(int argc, char **argv)
} else {
if ((fd = open(filename, O_RDONLY, 0)) < 0) {
if (check_warn)
- warn("%s", filename);
+ warn("%s", safe_filename);
rval = 1;
ok = 0;
} else {
@@ -455,7 +466,7 @@ main(int argc, char **argv)
if (! ok) {
if (hash)
printf("(%s) ", hash->hashname);
- printf("%s: FAILED\n", filename);
+ printf("%s: FAILED\n", safe_filename);
badcnt++;
}
cnt++;
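To make the defensive idea behind the patch concrete outside of NetBSD, here is an added example that is not code from this PR or from NetBSD's cksum.c. It is a small, self-contained C escaper that renders control bytes visibly before a filename from an untrusted checksum file is written to a terminal, in the spirit of vis(3) with VIS_CSTYLE but without depending on <vis.h>, which many platforms lack. The function names (escape_for_terminal, escaped, report_failed) and the 1024-byte name limit are assumptions of this example; the sample input is the filename from the PR's reproducer, constructed inline.

```c
/* Added example: escape control bytes in an untrusted filename before it
 * reaches the terminal. Not NetBSD code; a simplified stand-in for vis(3). */
#include <stdio.h>
#include <string.h>

/* Escape one byte into out[] (capacity cap). Returns bytes written, or -1
 * if they did not fit. ESC (0x1b) becomes "\^[", as vis(3) prints it. */
static int escape_byte(unsigned char c, char *out, size_t cap)
{
    int n;
    if (c == '\\')
        n = snprintf(out, cap, "\\\\");            /* keep output unambiguous */
    else if (c == '\n')
        n = snprintf(out, cap, "\\n");
    else if (c == '\t')
        n = snprintf(out, cap, "\\t");
    else if (c == '\r')
        n = snprintf(out, cap, "\\r");
    else if (c < 0x20)
        n = snprintf(out, cap, "\\^%c", c + 0x40); /* other C0 controls */
    else if (c == 0x7f)
        n = snprintf(out, cap, "\\^?");            /* DEL */
    else if (c >= 0x80)
        n = snprintf(out, cap, "\\%03o", c);       /* C1 controls and raw UTF-8 */
    else
        n = snprintf(out, cap, "%c", c);           /* printable ASCII as-is */
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Escape src into dst (size dstsz). Returns the escaped length, or -1 if
 * dst is too small. dst is always NUL-terminated when dstsz > 0. */
int escape_for_terminal(const char *src, char *dst, size_t dstsz)
{
    size_t used = 0;

    if (dstsz == 0)
        return -1;
    for (; *src != '\0'; src++) {
        int n = escape_byte((unsigned char)*src, dst + used, dstsz - used);
        if (n < 0) {
            dst[used] = '\0';   /* used < dstsz holds here */
            return -1;
        }
        used += (size_t)n;
    }
    dst[used] = '\0';
    return (int)used;
}

/* Convenience wrapper for demonstrations: escape into a static buffer,
 * returning NULL when the name does not fit. */
const char *escaped(const char *src)
{
    static char buf[256];
    return escape_for_terminal(src, buf, sizeof(buf)) < 0 ? NULL : buf;
}

/* Report a failed check the way a -c mode would, never printing the raw
 * name. The buffer allows 4 output bytes per input byte plus the NUL,
 * the same worst case vis(3) documents (1024 is this example's limit). */
void report_failed(const char *hashname, const char *filename)
{
    char safe[1024 * 4 + 1];

    if (escape_for_terminal(filename, safe, sizeof(safe)) < 0) {
        printf("(%s) <name too long to print safely>: FAILED\n", hashname);
        return;
    }
    printf("(%s) %s: FAILED\n", hashname, safe);
}

int main(void)
{
    /* Constructed sample: the filename from this PR's reproducer. */
    const char *mal = "\033[1;1H\033[0J\033[30m";

    report_failed("SHA256", mal);   /* prints (SHA256) \^[[1;1H\^[[0J\^[[30m: FAILED */
    return 0;
}
```

The escaper deliberately does not touch '[' or ';' (unlike VIS_GLOB/VIS_SHELL in the patch), since those are harmless to a terminal; what matters for this bug is that no byte below 0x20, DEL, or a C1 control byte reaches the emulator unescaped. Bytes at or above 0x80 are octal-escaped, which also mangles legitimate UTF-8 names; a locale-aware variant could pass through valid multibyte sequences instead. Gating the escaping on isatty(3), as the submitter suggests, is the other option; it keeps script-parsed output byte-exact at the cost of two output formats.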
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/60154 CVS commit: src/usr.bin/cksum
Date: Sat, 4 Apr 2026 14:19:48 +0000
Module Name: src
Committed By: martin
Date: Sat Apr 4 14:19:48 UTC 2026
Modified Files:
src/usr.bin/cksum: cksum.c
Log Message:
PR 60154: do not print arbitrary control characters when printing
file names while checking hashes with the -c option.
To generate a diff of this commit:
cvs rdiff -u -r1.52 -r1.53 src/usr.bin/cksum/cksum.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/60154 CVS commit: [netbsd-11] src/usr.bin/cksum
Date: Mon, 4 May 2026 14:06:10 +0000
Module Name: src
Committed By: snj
Date: Mon May 4 14:06:10 UTC 2026
Modified Files:
src/usr.bin/cksum [netbsd-11]: cksum.c
Log Message:
Pull up following revision(s) (requested by martin in ticket #274):
usr.bin/cksum/cksum.c: 1.53
PR 60154: do not print arbitrary control characters when printing
file names while checking hashes with the -c option.
To generate a diff of this commit:
cvs rdiff -u -r1.52 -r1.52.6.1 src/usr.bin/cksum/cksum.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.