[akerl_]

Probably worth noting that Ghostty was very recently vulnerable to an old/familiar class of terminal vuln that bit a bunch of older terminal applications a while back: https://dgl.cx/2024/12/ghostty-terminal-title

So moving to a newer / less "bloated" terminal may also just wind the clock back and cause you to encounter a similar sequence of vulns again, like some kind of unfortunate real-world "New Game Plus".

[jolux]

Having a vuln that many other terminal emulators have had is pretty different from the string of unique and extremely bad vulns that iTerm has had over the years. It’s possible that we’ll see similar from Ghostty, but it’s a much newer and I believe smaller codebase, so I’m willing to give it a second chance.

[akerl_]

I've been using iTerm daily for something like a decade at this point and I'm struggling to think of any examples of this string of extremely bad vulns. There's this one, which is specific to SSH integration. There was CVE-2024-38396, which is the window title escape sequences I was talking about above.

What others am I missing?

[jolux]

How about making DNS requests for everything you hover over to determine if it’s a URL? https://www.bleepingcomputer.com/news/security/iterm2-leaks-...

[draven]

A vuln every 7-8 years is "a string of unique and extremely bad vulns"?

I use iTerm2, mostly because that's what I'm used to: I installed it on my first Mac years ago when Terminal.app was really bad. I'm willing to switch to another terminal, but I don't see yet how iTerm2 is so much worse than the competition security-wise.

(I also don't understand the general animosity towards an opensource project with one developer doing all the work for 15 years.)

[jolux]

> A vuln every 7-8 years is "a string of unique and extremely bad vulns"?

Here’s another: https://www.bleepingcomputer.com/news/security/iterm2-patche...

And another: https://www.cvedetails.com/cve/CVE-2019-19022/

Point being: it’s not hard to see what I’m talking about if you look up previous vulnerabilities in iTerm2, particularly around its sophisticated integration features. (I suppose I talk about this enough that it might be worth compiling all the history I’m aware of somewhere, I don’t want to sound like I’m just making this up)

It’s also notable that iTerm was found vulnerable to the same bug discovered recently in Ghostty: https://threatintelligencelab.com/blog/cve-2024-38396-a-crit...

> I also don't understand the general animosity towards an opensource project with one developer doing all the work for 15 years

I have nothing against George Nachman and iTerm2 is certainly an achievement, one that I probably couldn’t replicate myself. Nonetheless I feel the need to hold my terminal emulator to higher standards because it processes sensitive data and untrusted input with (inherently) poor isolation between the two. Until Ghostty I used Terminal.app for many years, having previously switched away from iTerm2 after the vulnerability discovered in 2017. That’s still what I recommend to people because it has a much smaller feature set and thus attack surface compared to iTerm.

[draven]

I hope I didn´t sound like I did not believe you, I honestly had no idea. I don´t get an update for iTerm2 every week so I figured it was mostly stable / had no sec issue.

Following this discussion I decided to give Ghostty and kitty a try. I kept Ghostty, mainly because the shortcuts I use the most in iTerm2 are there and I like the default theme (yes, I'm a simple person.) It has less features / integrations I don´t use anyway so I guess the attack surface is smaller.

[boomlinde]

I can only find three CVEs prior to this. It's only one of those that I would qualify as "extremely bad" (the DNS query leak you mention below). The others are the window title bug GP mentions and the undocumented maintenance of a plain text search history file.

[samatman]

Ghostty has also been out for what, a week? So this is the open season / shakedown, when security researchers get to try out all the old favorites and see what got missed.

I don't think there are larger lessons to draw from that occurrence. A reputation for security has to be earned, and Ghostty hasn't been around long enough for that. From my vantage point it's on track, but only time will tell.

[akerl_]

I'm not trying to knock either Ghostty in particular or new software in general. But the kind of "open season" phase you're referring to is basically the same point I'm making: new software still has to go through the phase where they work through their security model, have it probed by researchers, and earn their reputation.