One might assume terminal emulators such as konsole or xterm are simple programs not to be exploited, but well, let’s rethink.
Showing output from untrusted remote sources (sdwdate time provider server replies; replies by Tor) might exploit bugs in terminal-emulators such as konsole, right?
For example, open xterm, then
cat /dev/random
let it run for a while and then abort using the usual ctrl + c. Then press enter. You’ll see that it shows some weird characters followed by command not found. How come the output of a running program in terminal can influence what is written in the following command prompt?
They say it has clipboard handling so I assume yes.
Since this is x-based like xterm they don’t support multiple tabs without using tmux/GNU screen. Tmux support is not available and its in the cards to code an alternative.
As a whole I don’t think that using konsole is doom and gloom (because of st’s major limitations). Most of the escaping vulns have been ironed out in the 2000s and many competent people seem to be fuzzing terminal emulators quite regularly. Most of these experts are concerned with busybox vulnerabilties because its relatively immature comapred to alternatives and embedded hardware being everywhere.
This is similar to the situation with using bash vs something else. On one hand you will end up with a smaller codebase but on the other you might miss out on security expert’s mindshare and attention which is focused on the most widely used solutions. Using the less popular soltuion would end up being security thru obscurity.
