Bug 6161 - vte3: malicious escape sequences can cause denial of service (CVE-2012-2738)
: vte3: malicious escape sequences can cause denial of service (CVE-2012-2738)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: All Linux
: Normal Severity: critical
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/504949/
: MGA1TOO, mga1-32-OK mga1-64-OK mga2-...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-05-29 22:54 CEST by Olav Vitters
Modified: 2012-07-14 00:24 CEST (History)
7 users (show)

See Also:
Source RPM: vte3
CVE:
Status comment:


Attachments

Description Olav Vitters 2012-05-29 22:54:53 CEST
See https://bugzilla.gnome.org/show_bug.cgi?id=676090

"The commands

echo -en "\e[2147483647L"
echo -en "\e[2147483647M"
echo -en "\e[2147483647P"

all seem to cause gnome-terminal (vte) to use all available cpu time and stop
responding to the user. Even File->Close Window can not be used."

fixed in vte3 0.32.2
Comment 1 David Walser 2012-07-03 23:05:40 CEST
Fedora has issued an advisory for this on June 16:
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083403.html

It has been assigned CVE-2012-2738.
Comment 2 David Walser 2012-07-10 19:36:58 CEST
Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated vte packages fix security vulnerability:

A denial of service flaw was found in the way VTE, a terminal emulator
widget, processed certain escape sequences with large repeat counts.
A remote attacker could provide a specially-crafted file, which once
opened in a terminal using the VTE terminal emulator could lead to
excessive CPU consumption (CVE-2012-2738).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2738
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083403.html
========================

Updated packages in core/updates_testing:
========================
vte-0.26.2-2.1.mga1
python-vte-0.26.2-2.1.mga1
libvte9-0.26.2-2.1.mga1
libvte-devel-0.26.2-2.1.mga1
vte-0.28.2-4.1.mga2
python-vte-0.28.2-4.1.mga2
libvte9-0.28.2-4.1.mga2
libvte-devel-0.28.2-4.1.mga2
libvte-gir0.0-0.28.2-4.1.mga2

from SRPMS:
vte-0.26.2-2.1.mga1.src.rpm
vte-0.28.2-4.1.mga2.src.rpm
Comment 3 Dave Hodgins 2012-07-11 04:24:05 CEST
Bug confirmed, just by entering the first string
echo -en "\e[2147483647L"

Confirmed fixed by the update.

Testing complete on Mageia 2 i586.

I'll test Mageia 1 i586 shortly.
Comment 4 Dave Hodgins 2012-07-11 09:08:53 CEST
Testing complete on Mageia 1 i586.
Comment 5 claire robinson 2012-07-11 10:37:41 CEST
Testing mga2 x86_64

With the update applied, the first line still causes a DOS in gnome-terminal.

Installing python-vte x86_64 asks to install 32 bit libraries.

Checked libvte9 though and appears to be 64 bit

# ls /usr/lib64/libvt*
libvte2_90.so.9         libvte.so.9             
libvte2_90.so.9.3200.1  libvte.so.9.2800.2

None in /usr/lib/

Not sure what the problem is here David.
Comment 6 claire robinson 2012-07-11 10:41:46 CEST
Sorry, my mistype. python-vte is fine, I'd installed it alongside libvte-gir0.0 instead of lib64..

There is still the DOS issue though.
Comment 7 claire robinson 2012-07-11 11:09:13 CEST
Testing complete mga1 64
Comment 8 David Walser 2012-07-11 14:10:22 CEST
(In reply to comment #5)
> Testing mga2 x86_64
> 
> With the update applied, the first line still causes a DOS in gnome-terminal.

What if you reboot first?  I wonder if it's still using the old library.
Comment 9 claire robinson 2012-07-11 17:55:18 CEST
It's the same after a reboot. Even when starting gnome-terminal from konsole in kde David.
Comment 10 claire robinson 2012-07-11 17:56:42 CEST
$ rpm -qa | grep vte
vte-0.28.2-4.1.mga2
vte3-0.32.1-1.mga2
python-vte-0.28.2-4.1.mga2
lib64vte2_90_9-0.32.1-1.mga2
lib64vte-gir0.0-0.28.2-4.1.mga2
lib64vte9-0.28.2-4.1.mga2

Perhaps it should be vte3 updated in Mga2?
Comment 11 David Walser 2012-07-11 22:49:21 CEST
Good catch, thanks Claire.  Strangely, vte3 0.32.2 has been sitting in SVN since May 29th.  Built now.

Advisory:
========================

Updated vte packages fix security vulnerability:

A denial of service flaw was found in the way VTE, a terminal emulator
widget, processed certain escape sequences with large repeat counts.
A remote attacker could provide a specially-crafted file, which once
opened in a terminal using the VTE terminal emulator could lead to
excessive CPU consumption (CVE-2012-2738).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2738
http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083403.html
========================

Updated packages in core/updates_testing:
========================
vte-0.26.2-2.1.mga1
python-vte-0.26.2-2.1.mga1
libvte9-0.26.2-2.1.mga1
libvte-devel-0.26.2-2.1.mga1
vte-0.28.2-4.1.mga2
python-vte-0.28.2-4.1.mga2
libvte9-0.28.2-4.1.mga2
libvte-devel-0.28.2-4.1.mga2
libvte-gir0.0-0.28.2-4.1.mga2
vte3-0.32.2-1.mga2
libvte2_90_9-0.32.2-1.mga2
libvte3-devel-0.32.2-1.mga2
libvte-gir2.90-0.32.2-1.mga2

from SRPMS:
vte-0.26.2-2.1.mga1.src.rpm
vte-0.28.2-4.1.mga2.src.rpm
vte3-0.32.2-1.mga2.src.rpm
Comment 12 claire robinson 2012-07-13 13:01:09 CEST
Confirmed fixed in mga2 64 with the new vte3.
Comment 13 Malo Deniélou 2012-07-13 13:54:13 CEST
Confirmed the bug on Mageia 2 i586.

Installed the update candidates: no more high CPU usage when entering the strange echo commands in gnome-terminal. Confirmed the fix.

Update validated.

Thanks.

Advisory can be found on comment #11.

------------------
SRPM: 
vte-0.26.2-2.1.mga1.src.rpm
vte-0.28.2-4.1.mga2.src.rpm
vte3-0.32.2-1.mga2.src.rpm

Could sysadmin please push from core/updates_testing to core/updates.

Thank you!
Comment 14 Thomas Backlund 2012-07-14 00:24:32 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0163

Note You need to log in before you can comment on or make changes to this bug.