The vulnerability is caused due to an error within mosh-server when processing commands and can be exploited to pass control characters to the server and trigger an endless loop.

Upstream Commit: https://github.com/keithw/mosh/commit/9791768705528e911bfca6c4d8aa88139035060e
Original Advisory: https://github.com/keithw/mosh/issues/271

There is some debate via OSS-Sec whether this is a true DoS or to what extent it would tie up resources, but the commit caps the escape sequence and Secunia filed an advisory so I added a bug.

Thanks
There's a CVE request [0]. But calling this problem a "less-critical remote vulnerability" is just ridiculous. First, it's a local attack on the machine running mosh-server. The user has authenticated himself (most likely by ssh) on the machine to run a shell. Second, it's as dangerous as any shell allowing "cat /dev/urandom > /dev/null".

Please don't waste your time ;-)

"That's a DoS quite literally, but it's not a vulnerability or security problem." ([1])

Michael

[0] http://seclists.org/oss-sec/2012/q2/370
[1] https://github.com/keithw/mosh/issues/271#issuecomment-5849882
I've bumped the version to the current 1.2.1 release candidate (called 1.2.0.95), which includes the mentioned upstream patch, and removed all "affected" versions from the tree.

@security: should I add a package.mask to force users to upgrade?

+*mosh-1.2.0.95 (23 May 2012) + + 23 May 2012; Michael Weber <xmw@gentoo.org> -mosh-1.2.ebuild, + -mosh-1.2-r1.ebuild, -files/mosh-1.2-r1-remove-skalibs.patch, + +mosh-1.2.0.95.ebuild, -files/mosh-1.2-shared-skalibs.patch, + -files/mosh-1.2-shared-skalibs-fix-configure.patch: + Version bump to address bug 417207, remove all mentioned version. +
Thanks, fixed
CVE-2012-2385 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2385): The terminal dispatcher in mosh before 1.2.1 allows remote authenticated users to cause a denial of service (long loop and CPU consumption) via an escape sequence with a large repeat count value.
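The first comment and the CVE text above both describe the same mechanism: a CSI escape sequence whose numeric parameter is a repeat count, and a dispatcher that loops that many times. The following is an added illustration, not mosh's code and not the upstream commit; it shows a minimal CSI parameter parser with and without a cap on the parsed value, so the amount of work the server does per sequence is bounded. The cap value of 65535 is an assumption chosen for the illustration.

```python
# Illustrative terminal-dispatcher fragment (not mosh's code): parse the numeric
# parameters of a CSI sequence and clamp them, so a peer-supplied repeat count
# bounds the loop the dispatcher runs. DEFAULT_CAP is an assumed value.
from typing import List, Optional, Tuple

ESC = "\x1b"
DEFAULT_CAP = 65535  # assumption for this example, not necessarily mosh's limit


def parse_csi(seq: str, cap: Optional[int] = DEFAULT_CAP) -> Tuple[List[int], str]:
    """Split a CSI sequence (ESC '[' params final) into (params, final byte).

    Digits are accumulated one at a time; with a cap, the running value is
    clamped after every digit, so an over-long number never exceeds the cap.
    With cap=None the raw value is returned, which is the pre-fix behaviour:
    the parser hands the dispatcher an enormous count.
    """
    if not seq.startswith(ESC + "["):
        raise ValueError("not a CSI sequence")
    params: List[int] = []
    value, have_digit = 0, False
    for ch in seq[2:]:
        if ch.isdigit():
            value = value * 10 + int(ch)
            if cap is not None and value > cap:
                value = cap
            have_digit = True
        elif ch == ";":
            params.append(value if have_digit else 0)
            value, have_digit = 0, False
        elif 0x40 <= ord(ch) <= 0x7E:  # final byte terminates the sequence
            params.append(value if have_digit else 0)
            return params, ch
        else:
            raise ValueError(f"unexpected byte {ch!r} in CSI sequence")
    raise ValueError("unterminated CSI sequence")


def repeat_iterations(seq: str, cap: Optional[int] = DEFAULT_CAP) -> int:
    """Loop iterations a dispatcher would run for a repeat-style sequence
    (e.g. ECMA-48 REP, CSI Ps b), where the first parameter is the count."""
    params, _final = parse_csi(seq, cap)
    count = params[0] if params else 0
    return max(count, 1)  # a parameter of 0 means 1 in common terminal dialects


if __name__ == "__main__":
    sample = ESC + "[" + "9" * 40 + "b"  # constructed: a 40-digit repeat count
    print("uncapped iterations:", repeat_iterations(sample, cap=None))
    print("capped iterations:  ", repeat_iterations(sample))
```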