Bug 6161

Summary: vte3: malicious escape sequences can cause denial of service (CVE-2012-2738)
Product: Mageia Reporter: Olav Vitters <olav>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: critical    
Priority: Normal CC: davidwhodgins, fundawang, luigiwalser, olav, pmdenielou, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/504949/
See Also: https://bugzilla.gnome.org/show_bug.cgi?id=676090
Whiteboard: MGA1TOO, mga1-32-OK mga1-64-OK mga2-64-OK mga2-32-OK
Source RPM: vte3 CVE:
Status comment:

Description Olav Vitters 2012-05-29 22:54:53 CEST 
See https://bugzilla.gnome.org/show_bug.cgi?id=676090

"The commands

echo -en "\e[2147483647L"
echo -en "\e[2147483647M"
echo -en "\e[2147483647P"

all seem to cause gnome-terminal (vte) to use all available cpu time and stop
responding to the user. Even File->Close Window can not be used."

fixed in vte3 0.32.2
Olav Vitters 2012-05-29 22:55:11 CEST

Status: NEW => ASSIGNED
See Also: (none) => https://bugzilla.gnome.org/show_bug.cgi?id=676090

Comment 1 David Walser 2012-07-03 23:05:40 CEST 
Fedora has issued an advisory for this on June 16:
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083403.html

It has been assigned CVE-2012-2738.

CC: (none) => luigiwalser
Version: 2 => Cauldron
Summary: vte3: malicious escape sequences can cause denial of service => vte3: malicious escape sequences can cause denial of service (CVE-2012-2738)
Whiteboard: (none) => MGA2TOO, MGA1TOO

David Walser 2012-07-03 23:06:25 CEST

CC: (none) => fundawang

Comment 2 David Walser 2012-07-10 19:36:58 CEST 
Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated vte packages fix security vulnerability:

A denial of service flaw was found in the way VTE, a terminal emulator
widget, processed certain escape sequences with large repeat counts.
A remote attacker could provide a specially-crafted file, which once
opened in a terminal using the VTE terminal emulator could lead to
excessive CPU consumption (CVE-2012-2738).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2738
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083403.html
========================

Updated packages in core/updates_testing:
========================
vte-0.26.2-2.1.mga1
python-vte-0.26.2-2.1.mga1
libvte9-0.26.2-2.1.mga1
libvte-devel-0.26.2-2.1.mga1
vte-0.28.2-4.1.mga2
python-vte-0.28.2-4.1.mga2
libvte9-0.28.2-4.1.mga2
libvte-devel-0.28.2-4.1.mga2
libvte-gir0.0-0.28.2-4.1.mga2

from SRPMS:
vte-0.26.2-2.1.mga1.src.rpm
vte-0.28.2-4.1.mga2.src.rpm

URL: https://bugzilla.gnome.org/show_bug.cgi?id=676090 => http://lwn.net/Vulnerabilities/504949/
CC: (none) => olav
Version: Cauldron => 2
Assignee: olav => qa-bugs
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO

Comment 3 Dave Hodgins 2012-07-11 04:24:05 CEST 
Bug confirmed, just by entering the first string
echo -en "\e[2147483647L"

Confirmed fixed by the update.

Testing complete on Mageia 2 i586.

I'll test Mageia 1 i586 shortly.

CC: (none) => davidwhodgins

Comment 4 Dave Hodgins 2012-07-11 09:08:53 CEST 
Testing complete on Mageia 1 i586.

Whiteboard: MGA1TOO => MGA1TOO, MGA1-32-OK MGA2-32-OK

Comment 5 claire robinson 2012-07-11 10:37:41 CEST 
Testing mga2 x86_64

With the update applied, the first line still causes a DOS in gnome-terminal.

Installing python-vte x86_64 asks to install 32 bit libraries.

Checked libvte9 though and appears to be 64 bit

# ls /usr/lib64/libvt*
libvte2_90.so.9         libvte.so.9             
libvte2_90.so.9.3200.1  libvte.so.9.2800.2

None in /usr/lib/

Not sure what the problem is here David.
Comment 6 claire robinson 2012-07-11 10:41:46 CEST 
Sorry, my mistype. python-vte is fine, I'd installed it alongside libvte-gir0.0 instead of lib64..

There is still the DOS issue though.
Comment 7 claire robinson 2012-07-11 11:09:13 CEST 
Testing complete mga1 64

Whiteboard: MGA1TOO, MGA1-32-OK MGA2-32-OK => MGA1TOO, MGA1-32-OK MGA2-32-OK mga1-64-OK

Comment 8 David Walser 2012-07-11 14:10:22 CEST 
(In reply to comment #5)
> Testing mga2 x86_64
> 
> With the update applied, the first line still causes a DOS in gnome-terminal.

What if you reboot first?  I wonder if it's still using the old library.
Comment 9 claire robinson 2012-07-11 17:55:18 CEST 
It's the same after a reboot. Even when starting gnome-terminal from konsole in kde David.
Comment 10 claire robinson 2012-07-11 17:56:42 CEST 
$ rpm -qa | grep vte
vte-0.28.2-4.1.mga2
vte3-0.32.1-1.mga2
python-vte-0.28.2-4.1.mga2
lib64vte2_90_9-0.32.1-1.mga2
lib64vte-gir0.0-0.28.2-4.1.mga2
lib64vte9-0.28.2-4.1.mga2

Perhaps it should be vte3 updated in Mga2?
Comment 11 David Walser 2012-07-11 22:49:21 CEST 
Good catch, thanks Claire.  Strangely, vte3 0.32.2 has been sitting in SVN since May 29th.  Built now.

Advisory:
========================

Updated vte packages fix security vulnerability:

A denial of service flaw was found in the way VTE, a terminal emulator
widget, processed certain escape sequences with large repeat counts.
A remote attacker could provide a specially-crafted file, which once
opened in a terminal using the VTE terminal emulator could lead to
excessive CPU consumption (CVE-2012-2738).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2738
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083403.html
========================

Updated packages in core/updates_testing:
========================
vte-0.26.2-2.1.mga1
python-vte-0.26.2-2.1.mga1
libvte9-0.26.2-2.1.mga1
libvte-devel-0.26.2-2.1.mga1
vte-0.28.2-4.1.mga2
python-vte-0.28.2-4.1.mga2
libvte9-0.28.2-4.1.mga2
libvte-devel-0.28.2-4.1.mga2
libvte-gir0.0-0.28.2-4.1.mga2
vte3-0.32.2-1.mga2
libvte2_90_9-0.32.2-1.mga2
libvte3-devel-0.32.2-1.mga2
libvte-gir2.90-0.32.2-1.mga2

from SRPMS:
vte-0.26.2-2.1.mga1.src.rpm
vte-0.28.2-4.1.mga2.src.rpm
vte3-0.32.2-1.mga2.src.rpm
Comment 12 claire robinson 2012-07-13 13:01:09 CEST 
Confirmed fixed in mga2 64 with the new vte3.

Whiteboard: MGA1TOO, MGA1-32-OK MGA2-32-OK mga1-64-OK => MGA1TOO, mga1-32-OK mga1-64-OK mga2-64-OK

Comment 13 Malo DeniƩlou 2012-07-13 13:54:13 CEST 
Confirmed the bug on Mageia 2 i586.

Installed the update candidates: no more high CPU usage when entering the strange echo commands in gnome-terminal. Confirmed the fix.

Update validated.

Thanks.

Advisory can be found on comment #11.

------------------
SRPM: 
vte-0.26.2-2.1.mga1.src.rpm
vte-0.28.2-4.1.mga2.src.rpm
vte3-0.32.2-1.mga2.src.rpm

Could sysadmin please push from core/updates_testing to core/updates.

Thank you!

Keywords: (none) => validated_update
CC: (none) => malo, sysadmin-bugs
Whiteboard: MGA1TOO, mga1-32-OK mga1-64-OK mga2-64-OK => MGA1TOO, mga1-32-OK mga1-64-OK mga2-64-OK mga2-32-OK

Comment 14 Thomas Backlund 2012-07-14 00:24:32 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0163

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED