On Wed, Mar 27, 2024 at 10:22 PM Andy Smith wrote:
>
> Hello,
>
> On Thu, Mar 28, 2024 at 07:37:13AM +0800, jeremy ardley wrote:
> > Some distros, like Debian, do not seem to have a command like
> > command-not-found by default.
>
> […]
>
> > Which implies that Debian is secure by default against this particular
> > exploit
>
> I suspect if OP is worried about users potentially falling for a
> fake sudo password prompt then OP is probably not happy about all
> the other possibilities around putting arbitrary text on a user's
> terminal.

Yes, that. I'm not thrilled with the idea of anybody putting arbitrary text on someone else's terminal; what really concerns me is the ability to send control codes. Wasn't there some exploit that involved injecting text and a control code that acted like a carriage return?

Lee
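Added example, not part of the original message: a Python sketch of why a carriage return in untrusted text matters and how a program that relays such text to a terminal can neutralise control codes by printing them in caret notation. The function names and the sample string are constructed for illustration.

```python
import re

# C0 controls except tab and newline, DEL, and the C1 range (includes CSI, U+009B).
_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]")


def _visible(ch):
    """Return a printable stand-in for one control character (cat -v style)."""
    code = ord(ch)
    if code < 0x20:
        return "^" + chr(code + 0x40)   # \r -> ^M, ESC -> ^[
    if code == 0x7F:
        return "^?"
    return "\\x%02x" % code             # C1 controls


def sanitize_for_terminal(text):
    """Make control codes visible instead of letting the terminal act on them."""
    return _CONTROL.sub(lambda m: _visible(m.group()), text)


def control_report(text):
    """List (offset, caret form) for each control code, e.g. for logging."""
    return [(m.start(), _visible(m.group())) for m in _CONTROL.finditer(text)]


def render_line(line):
    """Simplified model of a terminal row: CR moves the cursor to column 0,
    so later characters overwrite what was already displayed."""
    cells, col = [], 0
    for ch in line:
        if ch == "\r":
            col = 0
            continue
        if col < len(cells):
            cells[col] = ch
        else:
            cells.append(ch)
        col += 1
    return "".join(cells)


# Constructed sample: the text before the CR is never seen by the reader.
SAMPLE = "note from user-a\rnote from user-b"

if __name__ == "__main__":
    print("terminal shows :", render_line(SAMPLE))
    print("sanitised text :", sanitize_for_terminal(SAMPLE))
    print("controls found :", control_report(SAMPLE))
```
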