Bug#249325: Title change escape sequence can crash gnome-terminal
Enrico Zini
Enrico Zini <enrico@debian.org>, 249325@bugs.debian.org
Sun, 16 May 2004 15:42:42 -0300
Package: gnome-terminal
Version: 2.4.2-7
Severity: critical
Hello,
there's a bug in gnome-terminal, probably a missing boundary check on the
parameter of the window title change escape sequence, which can cause it to
crash (and possibly worse).
Here's a script I wrote to try to reproduce the bug, originally observed
because of a possible bug in 'mc' which sometimes changes the window title to
garbage and crashes the terminal:

    #!/usr/bin/perl -w
    srand $ARGV[0];
    print "\033]0;";
    for (my $i = 0; $i < 40000; $i++)
    {
        my $c = rand(200) + 55;
        print chr($c) if ($c != 007);
    }
    print "\007";

You call it with a number which seeds the RND (to make the script predictable).
The bug is not deterministically reproducible: same script, same argument,
sometimes it crashes the terminal and sometimes not. It crashes it more often
if I run something terminal intensive on another tab of the same terminal, like
a 'while true; do find /; done'.
Besides being potentially dangerous (if well investigated and reproduced, I can
imagine this could be the road to some arbitrary code execution), the bug is
also extremely annoying as it crashes all open terminals with everything that
is inside.
Bye,
Enrico
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.5-1-686
Locale: LANG=it_IT@euro, LC_CTYPE=it_IT@euro
Versions of packages gnome-terminal depends on:
ii gnome-control-center 1:2.4.0-9 The GNOME Control Center for GNOME
ii libart-2.0-2 2.3.16-5 Library of functions for 2D graphi
ii libatk1.0-0 1.4.1-1 The ATK accessibility toolkit
ii libaudiofile0 0.2.6-3 Open-source version of SGI's audio
ii libbonobo2-0 2.4.3-1 Bonobo CORBA interfaces library
ii libbonoboui2-0 2.4.3-2 The Bonobo UI library
ii libc6 2.3.2.ds1-12 GNU C Library: Shared libraries an
ii libesd0 0.2.29-1 Enlightened Sound Daemon - Shared
ii libfontconfig1 2.2.2-2 generic font configuration library
ii libfreetype6 2.1.7-2 FreeType 2 font engine, shared lib
ii libgconf2-4 2.4.0.1-4 GNOME configuration database syste
ii libgcrypt1 1.1.12-4 LGPL Crypto library - runtime libr
ii libglade2-0 1:2.0.1-13 Library to load .glade files at ru
ii libglib2.0-0 2.2.3-1 The GLib library of C routines
ii libgnome2-0 2.4.0-11 The GNOME 2 library - runtime file
ii libgnomecanvas2-0 2.4.0-3 A powerful object-oriented display
ii libgnomeui-0 2.4.0.1-12 The GNOME 2 libraries (User Interf
ii libgnomevfs2-0 2.4.1-5 The GNOME virtual file-system libr
ii libgnomevfs2-common 2.4.1-5 The GNOME virtual file-system libr
ii libgnutls7 0.8.12-5 GNU TLS library - runtime library
ii libgtk2.0-0 2.2.4-6 The GTK+ graphical user interface
ii libice6 4.3.0.dfsg.1-1 Inter-Client Exchange library
ii libjpeg62 6b-9 The Independent JPEG Group's JPEG
ii libncurses5 5.4-3 Shared libraries for terminal hand
ii liborbit2 1:2.8.3-2 libraries for ORBit2 - a CORBA ORB
ii libpango1.0-0 1.2.5-4 Layout and rendering of internatio
ii libpopt0 1.7-4 lib for parsing cmdline parameters
ii libsm6 4.3.0.dfsg.1-1 X Window System Session Management
ii libstartup-notification0 0.6-2 library for program launch feedbac
ii libtasn1-0 0.1.2-1 Manage ASN.1 structures (runtime)
ii libvte4 1:0.11.10-8 Terminal emulator widget for GTK+
ii libx11-6 4.3.0.dfsg.1-1 X Window System protocol client li
ii libxft2 2.1.2-6 FreeType-based font drawing librar
ii libxml2 2.6.9-2 GNOME XML library
ii libxrender1 0.8.3-7 X Rendering Extension client libra
ii scrollkeeper 0.3.14-8 A free electronic cataloging syste
ii xlibs 4.3.0.dfsg.1-1 X Window System client libraries m
ii zlib1g 1:1.2.1-5 compression library - runtime
-- no debconf information
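
Added example, not part of the original report and not gnome-terminal or libvte code: a filter that can sit in front of a terminal and clamp the payload of every title-change (OSC) sequence in untrusted output to a fixed length, so an oversized title like the one the script above emits never reaches the emulator. The names osc_clamp and osc_demo and the 256-byte TITLE_MAX are assumptions made for this illustration; the input built in osc_demo is constructed.

```c
#include <stddef.h>
#include <string.h>
#define ESC 0x1b
#define BEL 0x07
#define TITLE_MAX 256 /* assumed cap; the report names no limit */

/* Copy in[0..n) to out, keeping at most TITLE_MAX payload bytes of each OSC
 * sequence (ESC ] ... BEL or ESC ] ... ESC \). Excess payload is dropped, the
 * terminator is kept, and an OSC still open at end of input is closed with
 * BEL. Returns bytes written, or (size_t)-1 if out is too small. */
size_t osc_clamp(const unsigned char *in, size_t n,
                 unsigned char *out, size_t cap, size_t *dropped)
{
    size_t o = 0, len = 0;
    int in_osc = 0;
    *dropped = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        int two = 0;                       /* 1 when c starts a 2-byte token */
        if (!in_osc && c == ESC && i + 1 < n && in[i + 1] == ']') {
            in_osc = 1; len = 0; two = 1;  /* OSC introducer */
        } else if (in_osc && c == BEL) {
            in_osc = 0;                    /* BEL terminator */
        } else if (in_osc && c == ESC && i + 1 < n && in[i + 1] == '\\') {
            in_osc = 0; two = 1;           /* ST terminator */
        } else if (in_osc && len++ >= TITLE_MAX) {
            (*dropped)++;                  /* payload beyond the cap */
            continue;
        }
        if (o + 1 + two > cap) return (size_t)-1;
        out[o++] = c;
        if (two) out[o++] = in[++i];
    }
    if (in_osc && o >= cap) return (size_t)-1;
    if (in_osc) out[o++] = BEL;            /* close a dangling sequence */
    return o;
}

/* Constructed input: "A", one title OSC with `payload` filler bytes, "B". */
size_t osc_demo(size_t payload, size_t *dropped)
{
    static unsigned char in[40016], out[40016];
    size_t n = 5;
    if (payload > 40000) payload = 40000;
    memcpy(in, "A\033]0;", 5);
    memset(in + n, 'x', payload); n += payload;
    in[n++] = BEL; in[n++] = 'B';
    return osc_clamp(in, n, out, sizeof out, dropped);
}
```

The filter works on one complete buffer; an introducer split across two reads would need the state carried between calls.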