Source: vte2.91
Version: 0.70.5-1
Severity: important
Tags: security patch fixed-upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>
Forwarded: https://gitlab.gnome.org/GNOME/vte/-/issues/2631
Control: fixed -1 0.70.5-2

To reproduce (make sure you are not running anything important in a vte terminal first!):

    $ printf '\e]104;x\a'

Expected result: some sort of error processing (in my case the terminal blinks, by default it would probably beep).

Actual result: the terminal freezes until it is killed.

A logic error in vte's OSC parser results in an infinite loop. An untrusted system accessed via ssh, telnet or similar could use this as a denial of service.

This is fixed upstream in 0.70.6, and a fixed version 0.70.5-2 is on its way into unstable. Originally reported at <https://bugs.launchpad.net/ubuntu/+source/vte2.91/+bug/2022019>.

Does the security team want to do a DSA for this? The patch is upstream commit https://gitlab.gnome.org/GNOME/vte/-/commit/dce7b5f044b0f9e184f186315c846489a20edf0d or one of its many cherry-picks to older branches.

I believe 0.62.x in bullseye and 0.54.x in buster also have this bug (the corresponding upstream branches have a cherry-pick of the fix) but I have not independently verified this.

Regardless of whether the security team want to do a DSA, I'm hoping to include a backport of 0.70.5-2 (or 0.70.6-1) in Debian 12.1, for some lower-severity bug fixes. If the security team would be OK with including those changes in a stable security update, that would minimize the number of independent versions floating around.

Thanks,
smcv
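
For hosts that cannot take the fixed package yet, the following scans captured output (a session log, a file about to be displayed) for OSC 104 sequences shaped like the reproducer and makes them inert. It is an added example, not part of the original report or of vte. Assumptions: any OSC 104 parameter that is not a decimal integer is treated as suspicious (the report demonstrates only the parameter `x`), only the 7-bit `ESC ]` introducer is matched, and the function names and sample bytes are constructed for illustration.

```python
import re

# OSC = ESC ] <body> terminated by BEL or ST (ESC \). 7-bit forms only (assumption).
OSC_RE = re.compile(rb"\x1b\](?P<body>[^\x07\x1b]*)(?:\x07|\x1b\\)")


def suspicious_osc104(data: bytes):
    """Return (offset, raw_sequence) for each OSC 104 with a non-numeric parameter."""
    hits = []
    for m in OSC_RE.finditer(data):
        fields = m.group("body").split(b";")
        if fields[0] != b"104":
            continue
        # A bare "OSC 104" (no parameters) resets the whole palette and is valid.
        # Empty parameters ("104;") are also flagged: a conservative assumption.
        if any(not p.isdigit() for p in fields[1:]):
            hits.append((m.start(), m.group(0)))
    return hits


def defang(data: bytes) -> bytes:
    """Rewrite flagged sequences in caret notation so a terminal prints them as text."""
    out, pos = bytearray(), 0
    for start, raw in suspicious_osc104(data):
        out += data[pos:start]
        out += raw.replace(b"\x1b", b"^[").replace(b"\x07", b"^G")
        pos = start + len(raw)
    out += data[pos:]
    return bytes(out)


# Constructed sample: valid OSC 104, the reproducer from the report,
# an unrelated OSC 0 title sequence ended by ST, and a bare OSC 104.
SAMPLE = (b"login ok\n\x1b]104;1;2\x07text\x1b]104;x\x07more"
          b"\x1b]0;title\x1b\\end\x1b]104\x07")

if __name__ == "__main__":
    for offset, raw in suspicious_osc104(SAMPLE):
        print(f"offset {offset}: {raw!r}")
    print(defang(SAMPLE))
```
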

