Bug#629688: libvte9: malicious escape sequence causes gnome-terminal to crash (memory consumption DoS)

2011-08-06 Thread Jonathan Wiltshire
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

lenny (5.0.9)
squeeze (6.0.3)

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help or lack time. Please keep me in CC at all times so I can
track the progress of this request.

For details of this process and the rationale, please see the original
announcement [1] and my blog post [2].

0: debian-rele...@lists.debian.org
1: <201101232332.11736.th...@debian.org>
2: http://deb.li/prsc

Thanks,

with his security hat on:
-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



2011-06-08 Thread vladz
Package: libvte9
Version: 1:0.24.3-2
Severity: important

When passing a huge value to the "insert-blank-characters" capability
(defined in caps.c), gnome-terminal crashes (and maybe other terminals
that depend on libvte9). 

  $ cat -n vte-0.24.3/src/caps.c
  [...]
  418  {CSI "%d@", "insert-blank-characters", 0},

To reproduce the crash:

  $ printf "\033[10@" > /tmp/x
  $ cat /tmp/x

A sub-function calls the "brk()" syscall until process memory is
entirely consumed:

  $ strace -e brk -f gnome-terminal --disable-factory -x cat /tmp/x

Maybe this parameter value should be checked?

I wrote a small patch that checks this value inside the
vte_sequence_handler_multiple() function in the vte-0.24.3/src/vteseq.c
file.  Let me know if you're interested.

Tested on Debian Release 6.0.1, kernel 2.6.32-5-amd64, gnome-terminal
2.30.2-1.





2011-06-08 Thread Josselin Mouette
forwarded 629688 https://bugzilla.gnome.org/show_bug.cgi?id=652124
severity 629688 grave
tag 629688 + security
thanks

On Wednesday 08 June 2011 at 16:50 +0200, vladz wrote:
> To reproduce the crash:
> 
>   $ printf "\033[10@" > /tmp/x
>   $ cat /tmp/x

Thanks for the report. I think this has security implications, since
this is a potential remote DoS.

> I wrote a small patch that checks this value inside the
> vte_sequence_handler_multiple() function in the vte-0.24.3/src/vteseq.c
> file.  Let me know if you're interested.

Please send any patches to the upstream bug I opened.

Thanks,
-- 
 .''`.  Josselin Mouette
: :' :
`. `'
  `-





2011-06-14 Thread Josselin Mouette
This is CVE-2011-2198.

-- 
 .''`.  Josselin Mouette
: :' :
`. `'
  `-





2011-06-14 Thread Josselin Mouette
On Tuesday 14 June 2011 at 09:17 +0200, Josselin Mouette wrote:
> This is CVE-2011-2198.

A fix has been released:
http://git.gnome.org/browse/vte/commit/?h=vte-0-28&id=ac71d26f067be3a21bff315c3cabf24c94360dd6

Do you think this is worth a DSA?

-- 
 .''`.  Josselin Mouette
: :' :
`. `'
  `-

