Bug#1037919: vte2.91: infinite loop parsing control sequence '\e]104; x\a'

Simon McVittie smcv at debian.org
Wed Jun 14 11:38:20 BST 2023


Source: vte2.91
Version: 0.70.5-1
Severity: important
Tags: security patch fixed-upstream
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
Forwarded: https://gitlab.gnome.org/GNOME/vte/-/issues/2631
Control: fixed -1 0.70.5-2

To reproduce (make sure you are not running anything important in a vte
terminal first!):

$ printf '\e]104;x\a'

Expected result: some sort of error processing (in my case the terminal
blinks, by default it would probably beep).

Actual result: the terminal freezes until it is killed.

A logic error in vte's OSC parser results in an infinite loop. An
untrusted system accessed via ssh, telnet or similar could use this
as a denial of service. This is fixed upstream in 0.70.6, and a fixed
version 0.70.5-2 is on its way into unstable. Originally reported at
<https://bugs.launchpad.net/ubuntu/+source/vte2.91/+bug/2022019>.

Does the security team want to do a DSA for this? The patch is upstream
commit
https://gitlab.gnome.org/GNOME/vte/-/commit/dce7b5f044b0f9e184f186315c846489a20edf0d
or one of its many cherry-picks to older branches.

I believe 0.62.x in bullseye and 0.54.x in buster also have this bug
(the corresponding upstream branches have a cherry-pick of the fix)
but I have not independently verified this.

Regardless of whether the security team want to do a DSA, I'm hoping to
include a backport of 0.70.5-2 (or 0.70.6-1) in Debian 12.1, for some
lower-severity bug fixes. If the security team would be OK with including
those changes in a stable security update, that would minimize the number
of independent versions floating around.

Thanks,
    smcv
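
Added example, not part of the original message and not vte or Debian code: a Python filter for untrusted output (for instance a saved session log) that lists OSC sequences, flags OSC 104 with a non-numeric parameter like the reproducer above, and rewrites OSC control bytes as visible text before display. The function names, the sample bytes and the non-numeric heuristic are assumptions made for this illustration.

```python
import re

# OSC = ESC ] payload, terminated by BEL (0x07) or ST (ESC \). The payload
# excludes ESC and BEL so an unterminated OSC cannot swallow later text.
# Only the 7-bit "ESC ]" introducer is handled here (assumption).
OSC_RE = re.compile(rb"\x1b\]([^\x07\x1b]*)(\x07|\x1b\\)?")

# Constructed sample: remote output with the report's reproducer sitting
# between a title-setting OSC 0 and a well-formed OSC 104 ended by ST.
SAMPLE = b"ok\x1b]0;title\x07 mid \x1b]104;x\x07 end \x1b]104;3\x1b\\\n"


def find_osc(data: bytes):
    """Return (offset, command, params, terminated) for each OSC in data."""
    found = []
    for m in OSC_RE.finditer(data):
        command, _, rest = m.group(1).partition(b";")
        params = rest.split(b";") if rest else []
        found.append((m.start(), command, params, m.group(2) is not None))
    return found


def malformed_osc104(data: bytes):
    """Offsets of OSC 104 sequences with a non-decimal colour index.

    Assumption: this heuristic generalises from the single reproducer in
    the report; it does not claim to match the exact upstream trigger.
    """
    return [off for off, cmd, params, _ in find_osc(data)
            if cmd == b"104" and any(not p.strip().isdigit() for p in params)]


def neutralize(data: bytes) -> bytes:
    """Render the ESC and BEL bytes of every OSC as visible text."""
    def visible(m):
        return m.group(0).replace(b"\x1b", b"\\e").replace(b"\x07", b"\\a")
    return OSC_RE.sub(visible, data)


if __name__ == "__main__":
    print("malformed OSC 104 at offsets:", malformed_osc104(SAMPLE))
    print(neutralize(SAMPLE).decode(), end="")
```

Other escape sequences (CSI and so on) pass through neutralize() unchanged; it only rewrites OSC.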


