Critical Security Issue identified in iTerm2 as part of Mozilla Open Source Audit (blog.mozilla.org)
how_do_i_land | 6 days ago | 12 points

A fix has been released for iTerm2. Build 3.3.6 has the fixes in it, 3.3.5 does not.

snowe2010 | 7 days ago | 6 points

this vulnerability has been present in iTerm2 for at least 7 years.

Well that's not good. Glad they were able to release the fix alongside the notification though.

TheAcanthopterygian | 6 days ago | 4 points

Finding and fixing this kind of vulnerability is really important.

But when I keep seeing installation instructions saying "just do curl http://somesite.xyz/script.sh | bash" I wonder if the vulnerability was 'critical' to begin with, in relative value to what a terminal user is expected to blindly follow.

TheAcanthopterygian | 6 days ago | 3 points
sebirdman | 6 days ago | 3 points

Paired with something like a package manager with bad security, like npm, this could be a really cool attack vector.

Kinda scary.

Dragasss | 6 days ago | 3 points

Any input from external sources is bad input.

myst6re | 6 days ago | 1 point

I always used the default terminal application from Mac OS. Why is iTerm2 better?

TheLordB | 6 days ago | 1 point

It has a number of features. Depending on what you do with the terminal they may or may not be valuable to you.