| Summary: | vte new security issue CVE-2024-37535 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, sysadmin-bugs, tarazed25 |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | vte-0.72.1-1.mga9.src.rpm | CVE: | CVE-2024-37535 |
| Status comment: | |||
Description

Nicolas Salguero 2024-06-10 10:02:09 CEST

Nicolas Salguero 2024-06-10 10:03:04 CEST

Source RPM: (none) => vte-0.76.2-1.mga10.src.rpm

I think this is the patch: https://gitlab.gnome.org/GNOME/vte/-/commit/fd5511f24b7269195a7083f409244e9787c705dc

Our v0.76.2 in Cauldron is very recent!

Assigning globally.

Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated packages fix a security vulnerability:

GNOME VTE before 0.76.3 allows an attacker to cause a denial of service (memory consumption) via a window resize escape sequence, a related issue to CVE-2000-0476. (CVE-2024-37535)

References:
https://www.openwall.com/lists/oss-security/2024/06/09/1
https://www.openwall.com/lists/oss-security/2024/06/09/2
========================

Updated packages in core/updates_testing:
========================
lib(64)vte-devel-0.72.1-1.1.mga9
lib(64)vte-gir2.91-0.72.1-1.1.mga9
lib(64)vte-gir3.91-0.72.1-1.1.mga9
lib(64)vte-gtk4-devel-0.72.1-1.1.mga9
lib(64)vte-gtk4_2.91_0-0.72.1-1.1.mga9
lib(64)vte2.91_0-0.72.1-1.1.mga9
vte-0.72.1-1.1.mga9
vte-glade-0.72.1-1.1.mga9
vte-gtk3-0.72.1-1.1.mga9
vte-gtk4-0.72.1-1.1.mga9
vte-profile-0.72.1-1.1.mga9

from SRPM:
vte-0.72.1-1.1.mga9.src.rpm

Assignee: pkg-bugs => qa-bugs
katnatek 2024-06-13 19:51:52 CEST

Keywords: (none) => advisory

mga9, x64

Installed release version of vte (60 packages+). No man page or Read.md file. vte is a terminal emulator associated with Gtk. To launch a terminal use gtk-2.91. The -help command line option shows the possible arguments. Running emacs in a vte session to write this report.

$ vte-2.91 --allow-window-ops --background-image=/home/lcl/Pictures/TracysRock.jpg

raises a terminal with an image as background and the window may be resized to accommodate the whole picture. Note that '~' is not interpreted as $HOME. The background colour option accepts the X11 RGB colour names.

$ vte-2.91 --allow-window-ops --background-color=LemonChiffon

The terminal is happy to accept other character sets such as Cyrillic and Greek.

$ eom YauzaRiverШлюзнарекеЯузеIMG3353.jpg
$ cat greek
Α α Alpha a
Β β Beta b
....

The --transparent=0..100 option enables variable transparency.

That is as far as I have taken this. There are many other technical options. The packages updated without a problem.

There is an exploit which can be tested easily but since it usually freezes up the machine I skipped that before updating. After the update it is innocuous:

$ printf "e[4;65535;65535t"
e[4;65535;65535tlcl@yildun:~ $

vi works fine in the terminal. Tried some of the other facilities as before and everything seems to be working.

Giving this an OK.

Whiteboard: (none) => MGA9-64-OK

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0219.html

Status: ASSIGNED => RESOLVED
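The QA comment above checks the fix by sending the xterm window-resize sequence (CSI 4 ; height ; width t) to the patched terminal. For anything that relays untrusted text into a terminal (log viewers, chat bridges, CI output), a complementary mitigation is to detect and strip such window-manipulation sequences before they reach the emulator. The following is an added example written for this page, not code from vte or from the Mageia update; the sample log line is constructed.

```python
import re
from dataclasses import dataclass

# CSI ... t is the xterm "window manipulation" (XTWINOPS) family. Ps=4 resizes
# the window in pixels and Ps=8 in character cells, as CSI Ps ; height ; width t.
# This matches only the 7-bit ESC [ form of CSI.
CSI_WINOPS = re.compile(rb"\x1b\[([0-9;]*)t")
RESIZE_OPS = {4, 8}


@dataclass
class WinOp:
    offset: int            # byte offset of the sequence in the input
    raw: bytes             # the full sequence as found
    params: tuple          # numeric parameters, empty ones defaulting to 0

    @property
    def is_resize(self) -> bool:
        return bool(self.params) and self.params[0] in RESIZE_OPS


def _parse_params(text: bytes) -> tuple:
    # Terminals treat an empty parameter as 0; do the same here.
    return tuple(int(p) if p else 0 for p in text.split(b";")) if text else ()


def find_window_ops(data: bytes) -> list:
    """Return every XTWINOPS sequence found in data, in order of appearance."""
    return [WinOp(m.start(), m.group(0), _parse_params(m.group(1)))
            for m in CSI_WINOPS.finditer(data)]


def strip_window_ops(data: bytes) -> bytes:
    """Remove CSI ... t sequences so untrusted text cannot ask the terminal to
    resize or move itself. Other sequences (colours, cursor moves) pass through."""
    return CSI_WINOPS.sub(b"", data)


# Constructed sample: an attacker-controlled log line carrying the same resize
# request tested in the QA comment, surrounded by ordinary SGR colouring.
SAMPLE = b"\x1b[31mERROR\x1b[0m login failed \x1b[4;65535;65535t for user bob\n"

if __name__ == "__main__":
    for op in find_window_ops(SAMPLE):
        print(f"offset {op.offset}: params={op.params} resize={op.is_resize}")
    print(strip_window_ops(SAMPLE))
```

A production filter would also handle the 8-bit C1 CSI byte (0x9b) and sub-parameters separated by ':'; this block keeps to the 7-bit form used in the bug report.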