libvte9: malicious escape sequence causes gnome-terminal to crash (memory consumption DoS)

Debian Bug report logs - #629688
libvte9: malicious escape sequence causes gnome-terminal to crash (memory consumption DoS)

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: vladz <vladz@devzero.fr>

To: submit@bugs.debian.org

Subject: libvte9: malicious escape sequence causes gnome-terminal to crash (memory consumption DoS)

Date: Wed, 8 Jun 2011 16:50:24 +0200

Package: libvte9
Version: 1:0.24.3-2
Severity: important

When passing a huge value to the "insert-blank-characters" capability
(defined in caps.c), gnome-terminal crashes (and maybe other terminals
that depend on libvte9). 

  $ cat -n vte-0.24.3/src/caps.c:
  [...]
  418          {CSI "%d@", "insert-blank-characters", 0},

To reproduce the crash:

  $ printf "\033[100000000000000000@" > /tmp/x
  $ cat /tmp/x

A sub-function calls the "brk()" syscall until process memory is
entirely consumed:

  $ strace -e brk -f gnome-terminal --disable-factory -x cat /tmp/x

Maybe this parameter value should be checked?

I wrote a small patch that checks this value inside the
vte_sequence_handler_multiple() function in the vte-0.24.3/src/vteseq.c
file.  Let me know if you're interested.

Tested on Debian Release 6.0.1, kernel 2.6.32-5-amd64, gnome-terminal
2.30.2-1.

Message #10 received at 629688@bugs.debian.org (full text, mbox, reply):

From: Josselin Mouette <joss@debian.org>

To: vladz <vladz@devzero.fr>, 629688@bugs.debian.org

Cc: team@security.debian.org

Subject: Re: Bug#629688: libvte9: malicious escape sequence causes gnome-terminal to crash (memory consumption DoS)

Date: Wed, 08 Jun 2011 18:14:06 +0200

forwarded 629688 https://bugzilla.gnome.org/show_bug.cgi?id=652124
severity 629688 grave
tag 629688 + security
thanks

Le mercredi 08 juin 2011 à 16:50 +0200, vladz a écrit : 
> To reproduce the crash:
> 
>   $ printf "\033[100000000000000000@" > /tmp/x
>   $ cat /tmp/x

Thanks for the report. I think this has security implications, since
this is a potential remote DoS.

> I wrote a small patch that checks this value inside the
> vte_sequence_handler_multiple() function in the vte-0.24.3/src/vteseq.c
> file.  Let me know if you're interested.

Please send any patches to the upstream bug I opened.

Thanks,
-- 
 .''`.      Josselin Mouette
: :' :
`. `'
  `-

Message #23 received at 629688@bugs.debian.org (full text, mbox, reply):

From: Josselin Mouette <joss@debian.org>

To: 629688@bugs.debian.org

Cc: team@security.debian.org

Subject: Re: Bug#629688: libvte9: malicious escape sequence causes gnome-terminal to crash (memory consumption DoS)

Date: Tue, 14 Jun 2011 09:17:25 +0200

This is CVE-2011-2198.

-- 
 .''`.      Josselin Mouette
: :' :
`. `'
  `-

Message #28 received at 629688@bugs.debian.org (full text, mbox, reply):

From: Josselin Mouette <joss@debian.org>

To: 629688@bugs.debian.org

Cc: team@security.debian.org

Subject: Re: Bug#629688: libvte9: malicious escape sequence causes gnome-terminal to crash (memory consumption DoS)

Date: Wed, 15 Jun 2011 00:20:32 +0200

[Message part 1 (text/plain, inline)]

Le mardi 14 juin 2011 à 09:17 +0200, Josselin Mouette a écrit : 
> This is CVE-2011-2198.

A fix has been released:
http://git.gnome.org/browse/vte/commit/?h=vte-0-28&id=ac71d26f067be3a21bff315c3cabf24c94360dd6

Do you think this is worth a DSA?

-- 
 .''`.      Josselin Mouette
: :' :
`. `'
  `-

[signature.asc (application/pgp-signature, inline)]

Message #33 received at 629688-close@bugs.debian.org (full text, mbox, reply):

From: Josselin Mouette <joss@debian.org>

To: 629688-close@bugs.debian.org

Subject: Bug#629688: fixed in vte 1:0.28.1-1

Date: Wed, 15 Jun 2011 21:18:27 +0000

Source: vte
Source-Version: 1:0.28.1-1

We believe that the bug you reported is fixed in the latest version of
vte, which is due to be installed in the Debian FTP archive:

gir1.2-vte-2.90_0.28.1-1_amd64.deb
  to main/v/vte/gir1.2-vte-2.90_0.28.1-1_amd64.deb
libvte-2.90-9_0.28.1-1_amd64.deb
  to main/v/vte/libvte-2.90-9_0.28.1-1_amd64.deb
libvte-2.90-dev_0.28.1-1_amd64.deb
  to main/v/vte/libvte-2.90-dev_0.28.1-1_amd64.deb
libvte-common_0.28.1-1_all.deb
  to main/v/vte/libvte-common_0.28.1-1_all.deb
libvte-dev_0.28.1-1_amd64.deb
  to main/v/vte/libvte-dev_0.28.1-1_amd64.deb
libvte-doc_0.28.1-1_all.deb
  to main/v/vte/libvte-doc_0.28.1-1_all.deb
libvte9-udeb_0.28.1-1_amd64.udeb
  to main/v/vte/libvte9-udeb_0.28.1-1_amd64.udeb
libvte9_0.28.1-1_amd64.deb
  to main/v/vte/libvte9_0.28.1-1_amd64.deb
python-vte_0.28.1-1_amd64.deb
  to main/v/vte/python-vte_0.28.1-1_amd64.deb
vte_0.28.1-1.debian.tar.gz
  to main/v/vte/vte_0.28.1-1.debian.tar.gz
vte_0.28.1-1.dsc
  to main/v/vte/vte_0.28.1-1.dsc
vte_0.28.1.orig.tar.bz2
  to main/v/vte/vte_0.28.1.orig.tar.bz2



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 629688@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Josselin Mouette <joss@debian.org> (supplier of updated vte package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 15 Jun 2011 21:47:56 +0200
Source: vte
Binary: libvte9 libvte9-udeb libvte-dev libvte-2.90-9 gir1.2-vte-2.90 libvte-2.90-dev libvte-common python-vte libvte-doc
Architecture: source all amd64
Version: 1:0.28.1-1
Distribution: unstable
Urgency: low
Maintainer: Guilherme de S. Pastore <gpastore@debian.org>
Changed-By: Josselin Mouette <joss@debian.org>
Description: 
 gir1.2-vte-2.90 - GObject introspection data for the VTE library
 libvte-2.90-9 - Terminal emulator widget for GTK+ 3.0 - runtime files
 libvte-2.90-dev - Terminal emulator widget for GTK+ 3.0 - development files
 libvte-common - Terminal emulator widget for GTK+ - common files
 libvte-dev - Terminal emulator widget for GTK+ 2.0 - development files
 libvte-doc - Terminal emulator widget for GTK+ - documentation
 libvte9    - Terminal emulator widget for GTK+ 2.0 - runtime files
 libvte9-udeb - Terminal emulator widget for GTK+ 2.0 - minimal runtime (udeb)
 python-vte - Python bindings for the VTE widget set
Closes: 629688
Changes: 
 vte (1:0.28.1-1) unstable; urgency=low
 .
   * Tighten dependencies on libvte-common.
   * New upstream release.
     + CVE-2011-2198: fix memory exhaustion by using special character
       sequences. Closes: #629688.
   * Drop check-dist include.
Checksums-Sha1: 
 d0f43b8e709e48cafea398d797a102aa2fbf661b 1866 vte_0.28.1-1.dsc
 9867f84c6be65ff485d8a1a3c41a359709b6f84c 1341147 vte_0.28.1.orig.tar.bz2
 c1dd529d3b5acfc59e3609c73019ed0625824f5c 18646 vte_0.28.1-1.debian.tar.gz
 0282adf7a8e5cc53f7da813f6a7bf15921ef9fbb 443384 libvte-common_0.28.1-1_all.deb
 17cc1d5913cbad8f2f99d66b6da605ea5a5a180c 518296 libvte-doc_0.28.1-1_all.deb
 41c8335e5c2b87c74513ac46e5d3b7bb1c8d1d65 724234 libvte9_0.28.1-1_amd64.deb
 00e4c951c830c58176e19c0f4cf9dddf1b99a91a 329524 libvte9-udeb_0.28.1-1_amd64.udeb
 2d67e291301353d1dbd05bc5001c8dd1f175c290 758838 libvte-dev_0.28.1-1_amd64.deb
 838a73b4291485502837ad5bf350dca43c6a0834 725936 libvte-2.90-9_0.28.1-1_amd64.deb
 c1891aad4d437a31d1b7e5a8ca28fbe04c4fb6ca 380074 gir1.2-vte-2.90_0.28.1-1_amd64.deb
 90d3dbf6fe3117adbde12ab1ac5055d65c3f0ea3 773872 libvte-2.90-dev_0.28.1-1_amd64.deb
 c598562bc8913a4352046fa622026d430f4dbb5b 412084 python-vte_0.28.1-1_amd64.deb
Checksums-Sha256: 
 b2febd9b4f502833bc0a1f95a199c05cd106eb7c0e96a3afec20d54b84d6d0da 1866 vte_0.28.1-1.dsc
 0fa6e4872b38fca07d62f5b7d141312a195ba5399a87211b651e721086d8a63a 1341147 vte_0.28.1.orig.tar.bz2
 9c4e2d77bb12c8d237eb6f87b60b275ffb386a81ad05886c11371b11da97b9a0 18646 vte_0.28.1-1.debian.tar.gz
 4a8145e948818157d3324f3a5c0638aa8737a936781f607f74b38fda82bbe0ce 443384 libvte-common_0.28.1-1_all.deb
 ee8e6ea32fd2dbfacb277b6ac01aa96c1371ee9d6c6ba1a985455f526a342465 518296 libvte-doc_0.28.1-1_all.deb
 5102bd9116e2b31be67187b82cd6a26269cace155dbe635515e7f5a61b391292 724234 libvte9_0.28.1-1_amd64.deb
 f0fa5d324a9b46df8c748803cc81e1a2720d911365f74358055ed6b393e3809a 329524 libvte9-udeb_0.28.1-1_amd64.udeb
 8f381e2d93a69a878af884a233114788d754d9e1777ac065532366a9d335b3de 758838 libvte-dev_0.28.1-1_amd64.deb
 ee9bdad756d6c55d6d74b2f9550f4ee037f9753c4a7d1f9c5d94837ddd391baa 725936 libvte-2.90-9_0.28.1-1_amd64.deb
 d3f13d23876af7ec957b7b84b9173bff09adeba2494784044cc9a5844ff8786e 380074 gir1.2-vte-2.90_0.28.1-1_amd64.deb
 60bc977257fb655f05b21d2f00b7240241287502b5f468507b105a1f912972b8 773872 libvte-2.90-dev_0.28.1-1_amd64.deb
 1686ba3fc510c47e7613a05e482597160855a4a28df16de3319575e3ca57f77c 412084 python-vte_0.28.1-1_amd64.deb
Files: 
 0f40f12f92be37330bafb0f79b27a8f2 1866 libs optional vte_0.28.1-1.dsc
 771ff368d4e5ac8e91be4f525b676292 1341147 libs optional vte_0.28.1.orig.tar.bz2
 27978b5da4fdec3f1d43c3ca01bfcd31 18646 libs optional vte_0.28.1-1.debian.tar.gz
 83dcd854d112245907a5e67e16d254cb 443384 libs optional libvte-common_0.28.1-1_all.deb
 822d2c50c609541666d46747a84286e6 518296 doc optional libvte-doc_0.28.1-1_all.deb
 380ab68453a3f53846ab45bd80935d3a 724234 libs optional libvte9_0.28.1-1_amd64.deb
 f5c4b4b3b6ece315ce134177244ed6bc 329524 debian-installer extra libvte9-udeb_0.28.1-1_amd64.udeb
 10016f36e96eae997bf30f9a377686cc 758838 libdevel optional libvte-dev_0.28.1-1_amd64.deb
 65c8ef176c858467af1efc5021c738f2 725936 libs optional libvte-2.90-9_0.28.1-1_amd64.deb
 652e88b138beb116a95e58767f953639 380074 libs optional gir1.2-vte-2.90_0.28.1-1_amd64.deb
 a9072d7ed3e0ecb492ef460424b5f360 773872 libdevel optional libvte-2.90-dev_0.28.1-1_amd64.deb
 c76e4c6ba501be52415d018e34aa2b0b 412084 python optional python-vte_0.28.1-1_amd64.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFN+R2UrSla4ddfhTMRAtrPAKCjL0Zja5ShiiZtVs1Cr98fwnHgPACgoWUY
NuXIZg5s4ktYAbqtpMdFx9k=
=EiFh
-----END PGP SIGNATURE-----

Message #38 received at 629688@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>

To: 629688@bugs.debian.org, joss@debian.org

Subject: Re: Bug#629688: libvte9: malicious escape sequence causes gnome-terminal to crash (memory consumption DoS)

Date: Sat, 6 Aug 2011 21:37:42 +0100

[Message part 1 (text/plain, inline)]

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

lenny (5.0.9)
squeeze (6.0.3)

Please prepare a minimal-changes upload targetting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help or lack time. Please keep me in CC at all times so I can
track the progress of this request.

For details of this process and the rationale, please see the original
announcement [1] and my blog post [2].

0: debian-release@lists.debian.org
1: <201101232332.11736.thijs@debian.org>
2: http://deb.li/prsc

Thanks,

with his security hat on:
-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

[signature.asc (application/pgp-signature, inline)]

Message #43 received at 629688-close@bugs.debian.org (full text, mbox, reply):

From: Josselin Mouette <joss@debian.org>

To: 629688-close@bugs.debian.org

Subject: Bug#629688: fixed in vte 1:0.24.3-3

Date: Tue, 30 Aug 2011 01:55:17 +0000

Source: vte
Source-Version: 1:0.24.3-3

We believe that the bug you reported is fixed in the latest version of
vte, which is due to be installed in the Debian FTP archive:

libvte-common_0.24.3-3_all.deb
  to main/v/vte/libvte-common_0.24.3-3_all.deb
libvte-dev_0.24.3-3_amd64.deb
  to main/v/vte/libvte-dev_0.24.3-3_amd64.deb
libvte-doc_0.24.3-3_all.deb
  to main/v/vte/libvte-doc_0.24.3-3_all.deb
libvte9-udeb_0.24.3-3_amd64.udeb
  to main/v/vte/libvte9-udeb_0.24.3-3_amd64.udeb
libvte9_0.24.3-3_amd64.deb
  to main/v/vte/libvte9_0.24.3-3_amd64.deb
python-vte_0.24.3-3_amd64.deb
  to main/v/vte/python-vte_0.24.3-3_amd64.deb
vte_0.24.3-3.debian.tar.gz
  to main/v/vte/vte_0.24.3-3.debian.tar.gz
vte_0.24.3-3.dsc
  to main/v/vte/vte_0.24.3-3.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 629688@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Josselin Mouette <joss@debian.org> (supplier of updated vte package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 18 Aug 2011 16:17:27 +0200
Source: vte
Binary: libvte9 libvte9-udeb libvte-dev libvte-common python-vte libvte-doc
Architecture: source all amd64
Version: 1:0.24.3-3
Distribution: stable
Urgency: low
Maintainer: Guilherme de S. Pastore <gpastore@debian.org>
Changed-By: Josselin Mouette <joss@debian.org>
Description: 
 libvte-common - Terminal emulator widget for GTK+ 2.0 - common files
 libvte-dev - Terminal emulator widget for GTK+ 2.0 - development files
 libvte-doc - Terminal emulator widget for GTK+ 2.0 - documentation
 libvte9    - Terminal emulator widget for GTK+ 2.0 - runtime files
 libvte9-udeb - Terminal emulator widget for GTK+ 2.0 - minimal runtime (udeb)
 python-vte - Python bindings for the VTE widget set
Closes: 629688
Changes: 
 vte (1:0.24.3-3) stable; urgency=low
 .
   * 01_CVE-2011-2198.patch: taken from upstream git. Fixes memory
     exhaustion vulnerability. Closes: #629688, CVE-2011-2198.
Checksums-Sha1: 
 ce89cf2e576d0cf2b0afe2d48e4ef484755306e0 1652 vte_0.24.3-3.dsc
 fc461d7304425d04a5bc93d8efed8adb8919b539 86057 vte_0.24.3-3.debian.tar.gz
 ebaec8479fa2daf3897fdb8d91d84889f3c7a431 415980 libvte-common_0.24.3-3_all.deb
 ab57d773b60937cf931e04a37139cca7dbe8d531 395314 libvte-doc_0.24.3-3_all.deb
 10c6a58039cec11c23422fa505a16708fdeb6df8 914900 libvte9_0.24.3-3_amd64.deb
 06eb4e542e0d3c557d7025fb77793649110dfbac 323472 libvte9-udeb_0.24.3-3_amd64.udeb
 2735567f6e91cdf33f9ee95d6eba28a570cb6de9 721902 libvte-dev_0.24.3-3_amd64.deb
 6b6c09a00a8b8866ae75e181ce08d4985173f952 387044 python-vte_0.24.3-3_amd64.deb
Checksums-Sha256: 
 7e0ce00ce7e5f0add472bd90a5d950343897e091b6ddc768cef29c7bdb079c35 1652 vte_0.24.3-3.dsc
 12767331670add4b46de6e359be2f61ae6e21ca3632aedf2b429a34f4cd5e9c0 86057 vte_0.24.3-3.debian.tar.gz
 7774545e43b498c105d7b2a32226f4fa4096b36101ddf8815b6d0d6f39ffe308 415980 libvte-common_0.24.3-3_all.deb
 43f6a108f083cf51353fcd782974716ad8ae0f60c8b78e6b8f1bd8decd38ff98 395314 libvte-doc_0.24.3-3_all.deb
 7ed9820e2e1f54d5a74a7bc0076101f016b605aa0a94e8ac5318b03c0d728961 914900 libvte9_0.24.3-3_amd64.deb
 3571abf64d148e387fbe22c006d91323b13ed244e0aefd03e3af0414f8c8c3f5 323472 libvte9-udeb_0.24.3-3_amd64.udeb
 bdb691f23c4e4912a8a445773ffab13ed22858f98b9323731cf27d05cb7ece1c 721902 libvte-dev_0.24.3-3_amd64.deb
 6b7575970c6b2aae96bdb620b1991b0e39a29e2b5e62576e35433443ebc42aed 387044 python-vte_0.24.3-3_amd64.deb
Files: 
 2377808c000f634e72bfd92e180135db 1652 libs optional vte_0.24.3-3.dsc
 0c9af366d1e3f54c20682719029712d9 86057 libs optional vte_0.24.3-3.debian.tar.gz
 2edd9b6ef701d6b1341b03e2247d8cef 415980 libs optional libvte-common_0.24.3-3_all.deb
 c08d452850c9733662ed1bbc0cbc65c4 395314 doc optional libvte-doc_0.24.3-3_all.deb
 b78ed14ea8e1569651b869661a01c519 914900 libs optional libvte9_0.24.3-3_amd64.deb
 00ea104ba17708304f920a4e5ed6fcc3 323472 debian-installer extra libvte9-udeb_0.24.3-3_amd64.udeb
 13bdf1883b5ce4e765f2c45842e25c9b 721902 libdevel optional libvte-dev_0.24.3-3_amd64.deb
 76db9529d000eaa4173356526ba43630 387044 python optional python-vte_0.24.3-3_amd64.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFOW/1drSla4ddfhTMRAhBAAKDd//wrm5qRDh4AvO/Eu7SSrKz4jgCghu+V
lnOGo+i8szwNtL+SUlEMhow=
=iLFH
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.