[HN Gopher] iTerm2 Critical Security Release
___________________________________________________________________
iTerm2 Critical Security Release
Author : tjwds
Score : 116 points
Date : 2025-01-02 22:08 UTC (51 minutes ago)
(HTM) web link (iterm2.com)
(TXT) w3m dump (iterm2.com)
| wk_end wrote:
| > A bug in the SSH integration feature caused input and output to
| be logged to a file on the remote host. This file,
| /tmp/framer.txt, may be readable by other users on the remote
| host.
|
| Curious about how this happens. What does "framer" mean, here?
| formerly_proven wrote:
| Sounds like something dropped in the code for debugging
| purposes and accidentally released.
| CameronBanga wrote:
| Here's the commit where it was reversed, if you want to take a
| look and dive in. Looks like unfortunately a logging feature
| that he has was set to 1 instead of 0 and wasn't reset before
| compiling.
|
| https://gitlab.com/gnachman/iterm2/-/commit/014ba7ec40fc790f...
| jey wrote:
| iTerm2 increasingly seems too complex and bloated to me, with too
| many security issues. I haven't shopped for a new terminal
| emulator on macOS in a long time, but perhaps it's now time.
|
| I should also get around to switching to tmux, now that GNU
| Screen seems to be stagnant...
| slavomirvojacek wrote:
| I switched to Warp, much snappier, some AI features, overall
| very good experience. Also Ghostty is apparently good.
| baq wrote:
| I've been using tmux for over a decade because screen was a bit
| on the legacy side back then
| retrofuturism wrote:
| I recently gave Ghostty a chance and have since switched over
| from iTerm2 completely. It's very familiar and polished.
| hmeh wrote:
| Same. So far so good.
| akerl_ wrote:
| Probably worth noting that Ghostty was very recently
| vulnerable to an old/familiar class of terminal vuln that bit
| a bunch of older terminal applications a while back:
| https://dgl.cx/2024/12/ghostty-terminal-title
|
| So moving to a newer / less "bloated" terminal may also just
| wind the clock back and cause you to encounter a similar
| sequence of vulns again, like some kind of unfortunate real-
| world "New Game Plus".
| woadwarrior01 wrote:
| I did the same. Although, Ghostty doesn't seem to have
| support for Find (⌘-F), yet. Also, had some minor hiccups
| with it and tmux on remote hosts.
| dave4420 wrote:
| I tried Ghostty earlier in the week, but couldn't get it set
| up to look the same as iterm2 (the colours are off and text
| looks different somehow with the same typeface at the same
| size). Which is just cosmetic but makes it feel wrong
| viscerally.
|
| I'll give it another go at the weekend.
| crabique wrote:
| Somehow this is the first time I see anyone else bring this
| up, but the fonts are absolutely displayed with wrong
| kerning on my mac, for my font (at 12pt) I was able to make
| it look the same as iTerm2 with adjust-cell-{width,height}
| both set to -5%.
| crabique wrote:
| Unfortunately, it's nowhere near close feature-wise just yet:
| proper quake mode, search, prompt navigation, line
| timestamps, tab output indicators, forced keyboard locales,
| customizable toolbar with user-defined variables/indicators,
| are all too useful to give up iTerm2 for anything.
| 2OEH8eoCRo0 wrote:
| I don't use Mac but what's wrong with the default?
|
| > GNU Screen seems to be stagnant
|
| Is it stagnant or mostly complete?
| betaby wrote:
| Complete I would say. However Mac uses GNU software from
| around 2006, since around that time a lot of GNU software
| switched from GPLv2 to GPLv3. That means Mac ships GNU screen
| version 4 from 2006, while latest version is 5.
| Klonoar wrote:
| "Too complex" and "bloated" are catch-all that you should
| consider expanding further on.
|
| I don't personally find iTerm2 to be either of those.
| zenapollo wrote:
| Would xpipe be a candidate? It's also quite feature packed, but
| I was pleasantly surprised how nicely it got out of my way
| paulddraper wrote:
| > now that GNU Screen seems to be stagnant...
|
| That's not a new thing...
| mattpavelle wrote:
| > A bug in the SSH integration feature caused input and output to
| be logged to a file on the remote host. This file,
| /tmp/framer.txt, may be readable by other users on the remote
| host.
|
| Oof. This is nasty. Some folks may not have access to some
| machines that they've SSH'd into anymore where files like this
| may or may not exist.
| rad_gruchalski wrote:
| This seems relevant:
|
| When does this occur?
| ---------------------
|
| The issue occurs if both of the following conditions are true:
|
| 1. Either: a) You used the it2ssh command, or b) In Settings >
| Profiles > General, the Command popup menu was set to "SSH"
| (not "Login Shell", "Command", or "Custom Command") AND "SSH
| Integration" was checked in the SSH configuration dialog. That
| dialog is shown when you click the Configure button next to the
| ssh arguments field in Settings.
|
| 2. The remote host has Python 3.7 or later installed in its
| default search path.
| mattpavelle wrote:
| Yeah #1 reduces the surface area for sure, #2 maybe not so
| much :)
| fn-mote wrote:
| 1B looks like a common situation
| Kwpolska wrote:
| Looks like a case of print() debugging making it into production:
|
| https://github.com/gnachman/iTerm2/commit/63ec2bb0b95078a97a...
| https://github.com/gnachman/iTerm2/blame/5db0f74bf647f6d53ea...
| mulhoon wrote:
| It's been around for 3 years?
| CameronBanga wrote:
| About six months. File was originally authored a few years
| back, but looks like this slipped in here:
| https://gitlab.com/gnachman/iterm2/-/commit/5db0f74bf647f6d5...
| Kwpolska wrote:
| Disabled by default until 7 months ago.
| urronglol wrote:
| And when was the xz exploit around...
| mtmail wrote:
| 9 months ago. I don't see a connection.
| MiscIdeaMaker99 wrote:
| I would love to know more about how this got discovered and
| figured out. I can imagine some sysadmin pull their hair out,
| thinking they've got some infected system, but then find out it
| was some bug with their terminal emulator.
| jcalx wrote:
| I know it's largely personal preference but are there any
| strongly compelling reasons to use iTerm2 over stock Terminal on
| macOS in 2025? Despite recommendations, I've been wary of
| security and privacy issues much like this SSH bug.
| billowycoat wrote:
| There are reasons. Whether they are compelling or not, largely
| depends on what software you want to run.
|
| https://textual.textualize.io/FAQ/#why-doesnt-textual-look-g...
| BoingBoomTschak wrote:
| Two main reasons I switched is that iTerm can actually display
| bitmap fonts without mangling them (Terminal has anti-aliasing
| always on) and that it handles the difference between left and
| right Alt (needed because AZERTY layout + emacs).
| biwills wrote:
| Kitty (https://sw.kovidgoyal.net/kitty) has been my go to for
| many years and with tmux it's fantastic.
|
| I have heard a lot of great things about https://ghostty.org/
| but haven't had a chance to check it out
|
| edit: oops, I misread your question as "what alternatives are
| there"
| ilrwbwrkhv wrote:
| Kitty is really the only superior editor beyond ghostty
| terminal iterm wezterm alacritty foot and others and the only
| one worth recommending.
| lr1970 wrote:
| Instead, I would recommend Ghostty [1] terminal recently
| released v1.0 by one and only Mitchell Hashimoto of Hashicorp
| fame. It is OSS native cross-platform application (not an
| Electron one). I have been using it for the last year (private
| beta) on Mac and Linux and it rocks.
|
| [1] https://github.com/ghostty-org/ghostty
| screcth wrote:
| It implements tmux control mode. It's very useful when working
| with a remote server.
|
| No other terminal implements it AFAIK.
| paulddraper wrote:
| Tmux
| dgacmu wrote:
| I use the graphics support for making quick & dirty scripts for
| managing images (mostly for checking labeling and things like
| that where I don't want to bother creating a full web UI).
|
| I tried Ghostty for this but couldn't get the images to display
| as quickly or in full resolution, but it's very possible I was
| holding it wrong. I'd love to switch, honestly.
|
| I also use multi-pane mirroring for managing some machines at
| home that I haven't bothered making more automated.
| urronglol wrote:
| Not suspicious at all
| st3fan wrote:
| I'm done with iTerm2.
|
| This was a great terminal when it was basically Terminal.app +
| missing features but over the past years it has grown into the
| proverbial "Kitchen Sink" and now does SO MANY things that I just
| don't care about.
|
| iTerm2 has become a huge app with many many knobs and levers and
| all kinds of functionality and integrations. I am not surprised
| at all that (security) bugs are found. More code, features,
| integrations means more potential for security issues.
|
| I switched to Ghostty, which, yes, had a security issue last week,
| but at least it is a pretty minimal app with so far no intent to
| meet iTerm2 in terms of functionality.
| paxys wrote:
| That sound you hear is IT admins worldwide scrambling to delete
| /tmp/framer.txt from all their servers.
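The release-note conditions quoted earlier in the thread (it2ssh, or an SSH profile with SSH Integration enabled, plus Python 3.7+ on the remote) tell you which hosts could have received the file; the cleanup paxys jokes about is the remote-side half. Below is an added example, not code from iTerm2 or from anyone in this thread: a POSIX sh snippet that checks whether /tmp/framer.txt exists on the host it runs on, reports whether the permission bits let other users read it, and removes it. The function names, the FRAMER_LOG variable, the --check/--clean flags and the fallback from GNU shred to rm are all this example's own choices, not anything from the advisory.

```shell
#!/bin/sh
# Added example, not code from iTerm2 or from anyone in this thread.
# Inspects /tmp/framer.txt (the path named in the release note) on the host
# where it runs, reports whether other users can read it, and removes it.
# Assumed names: FRAMER_LOG, file_mode, world_readable, check_framer_log,
# remove_framer_log. Works with GNU or BSD stat; POSIX sh otherwise.

FRAMER_LOG="${FRAMER_LOG:-/tmp/framer.txt}"

# Print the octal permission bits of a file (e.g. 644). GNU stat first,
# then the BSD/macOS form.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed if the "other" class has the read bit (4) set in the mode.
# This is a permission-bit check; it cannot tell you who already read the file.
world_readable() {
  mode=$(file_mode "$1") || return 1
  other=$(printf '%s' "$mode" | tail -c 1)
  case "$other" in
    4|5|6|7) return 0 ;;
    *) return 1 ;;
  esac
}

# Report on the file. Exit status: 0 absent, 1 present but private,
# 2 present and readable by other users.
check_framer_log() {
  f="${1:-$FRAMER_LOG}"
  if [ ! -e "$f" ]; then
    echo "absent: $f"
    return 0
  fi
  mode=$(file_mode "$f")
  size=$(wc -c < "$f" | tr -d ' ')
  if world_readable "$f"; then
    echo "EXPOSED: $f mode=$mode bytes=$size (readable by other users)"
    return 2
  fi
  echo "present: $f mode=$mode bytes=$size (not readable by others)"
  return 1
}

# Remove the file, overwriting first where GNU shred exists. Succeeds only
# if the path no longer exists afterwards.
remove_framer_log() {
  f="${1:-$FRAMER_LOG}"
  [ -e "$f" ] || return 0
  if command -v shred >/dev/null 2>&1; then
    shred -u "$f"
  else
    rm -f "$f"
  fi
  [ ! -e "$f" ]
}

# Script entry point (hypothetical flags): --check only reports,
# --clean reports and then removes. With no flag, the functions are
# defined and nothing runs, so the file can also be sourced.
case "${1:-}" in
  --check) check_framer_log ;;
  --clean) check_framer_log; remove_framer_log ;;
esac
```

Run it over a host list without copying anything to disk there, e.g. `ssh host 'sh -s -- --check' < framer_check.sh`, and switch to `--clean` once you are satisfied with the report. Note that the check is mode-based: a 0644 file in /tmp was readable by every local account for as long as it existed, and deleting it now does not undo that, so treat anything typed into those sessions (passwords, tokens, pasted keys) as exposed on multi-user hosts.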
___________________________________________________________________
(page generated 2025-01-02 23:00 UTC)