CVE-2009-4488

NameCVE-2009-4488
DescriptionVarnish 2.0.6 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator. NOTE: the vendor disputes the significance of this report, stating that "This is not a security problem in Varnish or any other piece of software which writes a logfile. The real problem is the mistaken belief that you can cat(1) a random logfile to your terminal safely.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
varnish (PTS)jessie, jessie (lts)4.0.2-1+deb8u1vulnerable
stretch (security), stretch (lts), stretch5.0.0-7+deb9u3vulnerable
buster (security), buster, buster (lts)6.1.1-1+deb10u4vulnerable
bullseye (security), bullseye6.5.1-1+deb11u3vulnerable
bookworm7.1.1-1.1vulnerable
sid, trixie7.6.0-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
varnishsource(unstable)(unfixed)unimportant

Notes

The actual issue is within the broken terminal emulators and needs to be fixed there, see CVE-2009-4487
Search for package or bug name: Reporting problems