by Wicher 969 days ago
Right on. I reported a bug to GNU Tar which allows you to display pictures on someone's terminal if they list (or extract) the archive contents.

Demo: https://media.ccc.de/v/all-systems-go-2023-225-making-a-magi...

Background and utility to put such messages in tar archives: https://curiosities.nontrivialpursuit.org/tarvertise-put-a-m...

You can see for yourself whether you have the fix:

Fast featureful terminals (for instance, Kitty):

  curl -s https://obfusc.gavagai.nl/roll.tar.xz | unxz | tar tf -

Less featureful terminals:

  curl -s https://obfusc.gavagai.nl/compatroll.tar.xz | unxz | tar tf -

Slow and featureless terminals:

  curl -s https://obfusc.gavagai.nl/compatroll-lowfps.tar.xz | unxz | tar tf -
1 comments

Cute. I found a similar issue in OpenBSD's tar, as mentioned. I didn't share the exploit before, but basically a long filename does it.

Something like: https://gist.github.com/dgl/355840320535bf8ef8b70f2e0722bf65

(I reported this one to OpenBSD but they didn't fix it. Much like Busybox, which has been known for years.)

Interesting that they didn't fix it.

I emailed the Tar maintainers privately because I thought they might consider it a security vulnerability, however mild. They fixed it promptly but didn't want to make a CVE fuss out of it.

Actually, I got it wrong, too many vulnerabilities in flight. They did fix it: https://github.com/openbsd/src/commit/375ccafb2eb77de6cf240e...
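
A defensive check for the kind of issue discussed in this thread, added here as an example and not code from any commenter or from tar itself: it assumes the terminal output is driven by control characters in member names or link targets, and reports those entries escaped instead of printing them raw. The function names and the sample archive are constructed for illustration.

```python
import io
import sys
import tarfile
import unicodedata


def has_control(value):
    # Category "Cc" covers C0 controls (ESC, BEL, CR, ...), DEL and C1 controls.
    return any(unicodedata.category(ch) == "Cc" for ch in value)


def audit_tar(fileobj):
    """Return [(field, escaped_value)] for names/link targets with control chars.

    Reads the archive as a stream, so it works on a pipe, and never writes
    the raw name to the terminal: values are returned in escaped form.
    """
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r|*") as tf:
        for member in tf:
            for field, value in (("name", member.name),
                                 ("linkname", member.linkname)):
                if has_control(value):
                    escaped = value.encode("unicode_escape").decode("ascii")
                    findings.append((field, escaped))
    return findings


def make_sample():
    # Constructed sample: one harmless name, one name carrying an ESC sequence.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("notes.txt", "pic\x1b[31m.txt"):
            tf.addfile(tarfile.TarInfo(name))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # With piped input, audit stdin; otherwise audit the constructed sample.
    source = make_sample() if sys.stdin.isatty() else sys.stdin.buffer
    results = audit_tar(source)
    for field, escaped in results:
        print(f"control characters in {field}: {escaped}")
    sys.exit(1 if results else 0)
```

Piping an archive into the script instead of into `tar tf -` lists only the suspicious entries, in escaped form, and exits non-zero when any are found.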