CVE-2012-2738 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2738): The VteTerminal in gnome-terminal (vte) before 0.32.2 allows remote authenticated users to cause a denial of service (long loop and CPU consumption) via an escape sequence with a large repeat count value. @gnome, may we stabilize =x11-libs/vte-0.32.2 ?
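The denial of service described above comes from a numeric escape-sequence parameter that is taken at face value and used as a loop count. The following is an added example (not vte's code, and not the patch referenced in this bug) of the defensive pattern: a minimal CSI parameter parser that saturates every parameter while it is still being accumulated, so that an arbitrarily long decimal string can never become an unbounded iteration count. The bound of 65535, the parameter limit of 16 and the use of ECMA-48 REP (`CSI Ps b`) as the repeat-style sequence are assumptions made for the example.

```c
#include <string.h>

/* Assumed bounds for this example; vte's own limits may differ. */
#define MAX_PARAM  65535L
#define MAX_PARAMS 16

typedef struct {
    int  count;               /* number of parameters parsed        */
    long params[MAX_PARAMS];  /* parameter values, each <= MAX_PARAM */
    char final;               /* final byte of the sequence, e.g. 'b' */
    int  clamped;             /* set if any parameter hit MAX_PARAM  */
} csi_t;

/* Parse "ESC [ Ps ; Ps ... final" from buf. Returns 1 on a complete,
 * well-formed sequence, 0 otherwise. Digits are folded into the current
 * parameter with saturation, so the accumulator can never exceed
 * MAX_PARAM (and therefore can never overflow). */
int parse_csi(const char *buf, csi_t *out)
{
    memset(out, 0, sizeof *out);
    if (buf[0] != 0x1b || buf[1] != '[')
        return 0;
    long cur = 0;
    for (const char *p = buf + 2; *p; p++) {
        if (*p >= '0' && *p <= '9') {
            if (cur < MAX_PARAM) {
                cur = cur * 10 + (*p - '0');
                if (cur > MAX_PARAM) { cur = MAX_PARAM; out->clamped = 1; }
            } else {
                out->clamped = 1;       /* already saturated: ignore digit */
            }
        } else if (*p == ';') {
            if (out->count < MAX_PARAMS) out->params[out->count++] = cur;
            cur = 0;
        } else if (*p >= 0x40 && *p <= 0x7e) {
            if (out->count < MAX_PARAMS) out->params[out->count++] = cur;
            out->final = *p;
            return 1;
        } else {
            return 0;                   /* byte not valid inside a CSI */
        }
    }
    return 0;                           /* truncated sequence */
}

/* Number of iterations a repeat-style sequence would trigger once the
 * parameter has been bounded at parse time; -1 on a malformed input.
 * A missing or zero count defaults to 1, as ECMA-48 specifies. */
long repeat_iterations(const char *buf)
{
    csi_t c;
    if (!parse_csi(buf, &c))
        return -1;
    return c.params[0] == 0 ? 1 : c.params[0];
}
```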
(In reply to comment #0)
> CVE-2012-2738 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2738):
> The VteTerminal in gnome-terminal (vte) before 0.32.2 allows remote
> authenticated users to cause a denial of service (long loop and CPU
> consumption) via an escape sequence with a large repeat count value.
>
>
> @gnome, may we stabilize =x11-libs/vte-0.32.2 ?

Yes, we were going to stabilize it "soon" anyway.
Thanks, Pacho. Arches, please test and mark stable: =x11-libs/vte-0.32.2 Target KEYWORDS="alpha amd64 arm hppa ia64 ~mips ppc ppc64 sh sparc x86 ~x86-fbsd"
I guess this also needs stabilization of glib, does it not? amd64: ok (tested with evilvte)
(In reply to comment #3)
> I guess this also needs stabilization of glib, does it not?
> amd64: ok (tested with evilvte)

Yes, I see; in that case this will need to wait for bug 427544.
Arches are now in the CC list of bug 427544, so adding them here too.
(In reply to comment #4)
> (In reply to comment #3)
> > I guess this also needs stabilization of glib, does it not?
> > amd64: ok (tested with evilvte)
>
> Yes, I see, in that case this will need to wait for bug 427544

A security bug shouldn't need to wait for the stabilization of so many packages, unless they're just on the verge of happening anyway. Also, what about =x11-libs/vte-0.28.2-r203 - is that vulnerable (slot 0)? The GLSA should be clear on this one way or another.
(In reply to comment #6)
> Also, what about =x11-libs/vte-0.28.2-r203 - is that vulnerable (slot 0)?
> The GLSA should be clear on this one way or another.

I found and tested the escape sequence today on two terminal emulators that use x11-libs/vte:0 (then found this bug report), and I noticed that this version is vulnerable.
This is stable-blocked. It must be done at the same time as the other gnome packages.
+*vte-0.28.2-r204 (06 Oct 2012) + + 06 Oct 2012; Pacho Ramos <pacho@gentoo.org> + +files/vte-0.28.2-limit-arguments.patch, +vte-0.28.2-r204.ebuild: + Fix CVE-2012-2738 for vte:0 also (#427802#c7 by SN (Enlik)). + Feel free to stabilize that one also
Alright, =x11-libs/vte-0.32.2 is being stabilized in bug 427544. Arches, please test and mark stable =x11-libs/vte-0.28.2-r204
Stable for HPPA.
x86 done.
amd64 stable
=x11-libs/vte-0.28.2-r204 stable ppc ppc64
arm stable
Stable on alpha.
ia64/sh/sparc stable
Thanks, everyone. Adding to existing GLSA request.
This issue was resolved and addressed in GLSA 201412-10 at http://security.gentoo.org/glsa/glsa-201412-10.xml by GLSA coordinator Sean Amoss (ackle).