Bug 6594

Summary: mosh new security issue CVE-2012-2385
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: davidwhodgins, sysadmin-bugs, tmb
Version: 2
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://lwn.net/Vulnerabilities/503613/
Whiteboard: MGA2-32-OK mga2-64-OK
Source RPM: mosh-1.1.3-1.mga2.src.rpm
CVE:
Status comment:

Description David Walser 2012-06-27 01:03:31 CEST
Fedora has issued an advisory on July 14:
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082850.html

Patched package for Mageia 2 uploaded.

Advisory:
========================

Updated links package fixes security vulnerability:

Mosh versions 1.2 and earlier allow an application to cause the
mosh-server to consume large amounts of CPU time with a short ANSI
escape sequence. In addition, a malicious mosh-server can cause the
mosh-client to consume large amounts of CPU time with a short ANSI
escape sequence. This arises because there was no limit on the value
of the "repeat" parameter in some ANSI escape sequences, so even
large and nonsensical values would be interpreted by Mosh's terminal
emulator (CVE-2012-2385).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2385
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082850.html
========================

Updated packages in core/updates_testing:
========================
mosh-1.1.3-1.1.mga2

from mosh-1.1.3-1.1.mga2.src.rpm

Comment 1 Dave Hodgins 2012-07-11 22:57:00 CEST
Testing complete on Mageia 2 i586.

[dave@hodgins ~]$ mosh-server

MOSH CONNECT 60001 D60DvN15FkpZa0FuxHagPA
[dave@hodgins ~]$ 
mosh-server (mosh 1.1.3)
Copyright 2012 Keith Winstein <mosh-devel@mit.edu>
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

[mosh-server detached, pid = 16557]

[dave@hodgins ~]$ MOSH_KEY=D60DvN15FkpZa0FuxHagPA mosh-client 127.0.0.1 60001
Server now attached to client at 127.0.0.1:35002

Note the key and port copied from the output of the mosh server.  Also, have
to press enter after starting the server, to get a bash prompt.

Press ctrl shift 6, then a period, to exit the client and close the server.

CC: (none) => davidwhodgins
Whiteboard: (none) => MGA2-32-OK

Comment 2 claire robinson 2012-07-27 15:00:55 CEST
Testing complete x86_64

Validating

Advisory and srpm in comment 0

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All
Whiteboard: MGA2-32-OK => MGA2-32-OK mga2-64-OK

Comment 3 David Walser 2012-07-27 15:29:21 CEST
Reposting the advisory because of a copy-paste error.

Advisory:
========================

Updated mosh package fixes security vulnerability:

Mosh versions 1.2 and earlier allow an application to cause the
mosh-server to consume large amounts of CPU time with a short ANSI
escape sequence. In addition, a malicious mosh-server can cause the
mosh-client to consume large amounts of CPU time with a short ANSI
escape sequence. This arises because there was no limit on the value
of the "repeat" parameter in some ANSI escape sequences, so even
large and nonsensical values would be interpreted by Mosh's terminal
emulator (CVE-2012-2385).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2385
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082850.html
========================

Updated packages in core/updates_testing:
========================
mosh-1.1.3-1.1.mga2

from mosh-1.1.3-1.1.mga2.src.rpm

Comment 4 Thomas Backlund 2012-07-29 22:18:59 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0182

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
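
The advisory in this report attributes CVE-2012-2385 to the lack of any limit on the "repeat" parameter of some ANSI escape sequences. The sketch below is an added example, not Mosh's code or the patch shipped in this update: it bounds the parameter at parse time and again against the row geometry, so the work per sequence is limited by the screen width. The cap kParamMax, the function names and the row-as-string model are assumptions made for the illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <string>
#include <vector>

// Assumed cap for this example; not taken from the Mosh source.
constexpr int kParamMax = 65535;

// Parse the numeric parameters of a CSI body such as "12;40". Each value
// saturates at kParamMax, so a long digit run can neither overflow the int
// nor yield a huge count. An empty parameter is returned as -1 (default).
std::vector<int> parse_csi_params(const std::string &body) {
    std::vector<int> params;
    int value = -1;
    for (char c : body) {
        if (c >= '0' && c <= '9') {
            if (value < 0) value = 0;
            value = std::min(value * 10 + (c - '0'), kParamMax);
        } else if (c == ';') {
            params.push_back(value);
            value = -1;
        } else {
            break;  // not a parameter byte: stop parsing
        }
    }
    params.push_back(value);
    return params;
}

// Repeat count for an operation on the cells from the cursor to the end of
// the row: missing or zero means 1, and never more than the cells left.
int effective_repeat(int param, int cursor_col, int width) {
    int requested = (param <= 0) ? 1 : param;
    int remaining = std::max(width - std::max(cursor_col, 0), 0);
    return std::min(requested, remaining);
}

// Insert blank cells at the cursor, shifting the rest of the row right and
// dropping what falls off the end. Returns the number of cells inserted.
int insert_blanks(std::string &row, int cursor_col, int param) {
    int n = effective_repeat(param, cursor_col, static_cast<int>(row.size()));
    if (n == 0) return 0;
    std::size_t width = row.size();
    row.insert(static_cast<std::size_t>(std::max(cursor_col, 0)),
               static_cast<std::size_t>(n), ' ');
    row.resize(width);
    return n;
}
```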