Bug#1038390: bookworm-pu: package vte2.91/0.70.6-1~deb12u1

Simon McVittie smcv at debian.org
Sat Jun 17 15:22:21 BST 2023


Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: vte2.91 at packages.debian.org, debian-boot at lists.debian.org, team at security.debian.org
Control: affects -1 + src:vte2.91

[ Reason ]
Fix an infinite-loop bug processing a particular control sequence.
(#1037919, LP: #2022019)

[ Impact ]
If unfixed, the infinite loop could be triggered by a malicious program
accessed via ssh, telnet or similar protocols and used as a denial of
service. I asked the security team whether they wanted to do a DSA for
this and haven't heard back, so I'm assuming the answer is no.

I would like to take the opportunity to integrate the rest of the upstream
bug-fix releases 0.70.4 and 0.70.5, which fix a few other bugs:

- an invalid memory access which can cause a terminal freeze
  or crash, for example when pasting emojis (vte#2606, vte#2620 upstream)
- seconds vs milliseconds confusion that meant the cursor didn't stop
  blinking as intended when a focused window becomes idle
  (vte#2622 upstream)
- correct coordinates when mouse wheel scrolling on the left edge of a
  terminal (vte#2621 upstream)

[ Tests ]
I reproduced #1037919 in bookworm's gnome-terminal and confirmed that
the proposed version fixes it. I haven't attempted to reproduce the other
fixed bugs.

The proposed version is functionally equivalent to the version in
unstable, which hasn't had any regression reports and should migrate
to testing soon. I'm using that version for day-to-day development, via
gnome-console.

A release candidate of the bookworm package is available from:

    deb [trusted=yes] https://people.debian.org/~smcv/12.1 bookworm-proposed main

This is intentionally versioned slightly lower, but the changelog/version
number is the only difference.

[ Risks ]
It's a key package, but the changes are all straightforward, targeted
backports from newer upstream branches. 0.70.x is an upstream stable branch
as part of GNOME 43.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
src/fonts-pangocairo.cc: vte#2606, vte#2620
src/vte.cc (last hunk): vte#2621
src/vteseq.cc: #1037919
The rest: vte#2622

[ Other info ]
Technically it has a udeb, so technically it needs a d-i ack; but it
isn't actually used in d-i, so that should just be a formality.
src:vte2.91 is for GTK 3 and 4, but the graphical installer is still
on GTK 2 and therefore uses the old src:vte instead.

Thanks,
    smcv
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vte2.91_0.70.6-1~deb12u1.diff
Type: text/x-diff
Size: 22125 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20230617/81952440/attachment-0001.diff>
