Thanks, Timo, and thanks for submitting the original bug as well. This bug allows applications and unscreened terminal input (run or "catted" by the user) to DOS the mosh-server (also run by the user). It also allowed the mosh-server process (invoked by the user but resident on a remote host and not trusted by the client) to DOS the mosh-client (run by the user).
Based on the severity, I don't think it warrants a backported patch or emergency release. We do intend to do a 1.2.1 release in the coming weeks that will roll up the bugfixes we have done in the wake of 1.2, including this one.

Thanks again,
Keith

On Mon, May 21, 2012 at 3:43 PM, Timo Juhani Lindfors <timo.lindf...@iki.fi> wrote:
> Package: mosh
> Version: 1.2-1
> Severity: important
> Tags: security
>
> I submitted details upstream at
>
> https://github.com/keithw/mosh/issues/271
>
> but here's also a copy:
>
> >> The commands
> >>
> >> echo -en "\e[2147483647L"
> >> echo -en "\e[2147483647M"
> >> echo -en "\e[2147483647@"
> >> echo -en "\e[2147483647P"
> >>
> >> all cause mosh-server to enter very long for-loops in terminalfunctions.cc.
>
> Upstream has released a fix, please consider including it in the debian
> package.
>
> Security team, this also affects gnome-terminal and probably all other
> terminal emulators that use libvte. Its upstream is also working a fix
> but they made their bug report restricted for now:
> https://bugzilla.gnome.org/show_bug.cgi?id=676090
>
> -- System Information:
> Debian Release: wheezy/sid
> APT prefers unstable
> APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.32-5-amd64 (SMP w/6 CPU cores)
> Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages mosh depends on:
> ii libc6 2.13-32
> ii libgcc1 1:4.7.0-8
> ii libio-pty-perl 1:1.08-1+b2
> ii libprotobuf7 2.4.1-1
> ii libstdc++6 4.7.0-8
> ii libtinfo5 5.9-7
> ii libutempter0 1.1.5-4
> ii openssh-client 1:5.9p1-5
> ii zlib1g 1:1.2.7.dfsg-1
>
> mosh recommends no packages.
>
> mosh suggests no packages.
>
> -- no debconf information
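The upstream fix itself is not reproduced in the thread. As an added illustration, not mosh's own code, the following shows the mitigation pattern for the four CSI sequences quoted above (insert/delete line, insert/delete character): parse the numeric parameter with saturation and clamp the repeat count to the screen geometry before looping, so a parameter of 2147483647 costs at most one full-screen operation. The Screen struct, parseCsiParam and insertLines are constructed for this example and are not mosh's data structures or functions.

```cpp
#include <algorithm>
#include <cctype>
#include <limits>
#include <string>
#include <vector>

// Constructed toy screen: a fixed number of text rows plus a cursor row.
struct Screen {
    std::vector<std::string> rows;
    int cursor_row;
};

// Parse the single numeric parameter of a CSI sequence such as
// "\e[2147483647L". Digits are accumulated in a wider type and saturated
// at INT_MAX so an over-long digit string cannot wrap to a negative count.
// Returns the ECMA-48 default of 1 when no digits are present.
int parseCsiParam(const std::string& seq) {
    size_t i = 0;
    if (seq.size() >= 2 && seq[0] == '\x1b' && seq[1] == '[') i = 2;
    const long long kMax = std::numeric_limits<int>::max();
    long long value = 0;
    bool any_digit = false;
    for (; i < seq.size() && std::isdigit(static_cast<unsigned char>(seq[i])); ++i) {
        any_digit = true;
        long long next = value * 10 + (seq[i] - '0');
        value = (next <= kMax) ? next : kMax;  // saturate instead of overflow
    }
    return any_digit ? static_cast<int>(value) : 1;
}

// Insert Line (CSI Ps L). The loop is bounded by the rows at or below the
// cursor, so the cost of a hostile Ps is capped by the screen height rather
// than by the value supplied in the escape sequence.
// Returns the number of lines actually inserted.
int insertLines(Screen& s, int count) {
    int height = static_cast<int>(s.rows.size());
    int available = height - s.cursor_row;
    int n = std::max(0, std::min(count, available));  // clamp before looping
    for (int k = 0; k < n; ++k) {
        s.rows.insert(s.rows.begin() + s.cursor_row, std::string());
        s.rows.pop_back();  // bottom row scrolls off; height stays constant
    }
    return n;
}
```

The same clamp applies to delete line (M), insert character (@) and delete character (P), with the bound taken from the rows below the cursor or the columns to the right of it respectively.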