Bug 427802 (CVE-2012-2738) - <x11-libs/vte-{0.28.2-r204,0.32.2}: Denial of Service (CVE-2012-2738)
Summary: <x11-libs/vte-{0.28.2-r204,0.32.2}: Denial of Service (CVE-2012-2738)
Status: RESOLVED FIXED
Alias: CVE-2012-2738
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: A3 [glsa]
Keywords:
Depends on: 427544
Blocks:
Reported: 2012-07-23 19:43 UTC by GLSAMaker/CVETool Bot
Modified: 2014-12-12 00:43 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2012-07-23 19:43:09 UTC
CVE-2012-2738 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2738):
  The VteTerminal in gnome-terminal (vte) before 0.32.2 allows remote
  authenticated users to cause a denial of service (long loop and CPU
  consumption) via an escape sequence with a large repeat count value.


@gnome, may we stabilize =x11-libs/vte-0.32.2 ?
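The CVE text above describes an escape sequence whose repeat-count parameter drives a long loop. The added example below (not vte's code and not the Gentoo patch; PARAM_MAX, MAX_PARAMS and the function names are assumptions) shows the mitigation class such a fix belongs to: parse CSI parameters with a saturating cap so no single parameter can push a later "repeat N times" loop past a fixed bound.

```c
#include <stddef.h>

/* Assumed cap on any CSI numeric parameter (vte's actual bound is not on this page). */
#define PARAM_MAX 65535u
#define MAX_PARAMS 16

/* Parse the bytes between ESC '[' and the final byte of a CSI sequence,
 * clamping each number so a hostile repeat count cannot drive a later
 * "repeat N times" loop for an unbounded time. Returns the parameter
 * count, or -1 on a non-parameter byte or more than MAX_PARAMS entries. */
int parse_csi_params(const char *body, size_t len, unsigned params[MAX_PARAMS])
{
    int n = 0;
    unsigned cur = 0;
    for (size_t i = 0; i < len; i++) {
        char c = body[i];
        if (c >= '0' && c <= '9') {
            /* saturating accumulate: once at the cap, further digits are ignored */
            if (cur < PARAM_MAX)
                cur = cur * 10 + (unsigned)(c - '0');
            if (cur > PARAM_MAX)
                cur = PARAM_MAX;
        } else if (c == ';') {
            if (n >= MAX_PARAMS)
                return -1;
            params[n++] = cur;
            cur = 0;
        } else {
            return -1;
        }
    }
    if (n >= MAX_PARAMS)
        return -1;
    params[n++] = cur; /* trailing parameter; empty means 0 */
    return n;
}

/* Repeat count for a REP-style sequence (CSI Ps b): first parameter, clamped,
 * defaulting to 1 when absent, zero or malformed. */
unsigned repeat_count(const char *body, size_t len)
{
    unsigned params[MAX_PARAMS];
    int n = parse_csi_params(body, len, params);
    return (n < 1 || params[0] == 0) ? 1u : params[0];
}
```

A parser built this way turns the CVE's "large repeat count" into at most PARAM_MAX iterations, which is the property a terminal emulator's loop over that count needs.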
Comment 1 Pacho Ramos gentoo-dev 2012-07-23 20:28:57 UTC
(In reply to comment #0)
> CVE-2012-2738 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2738):
>   The VteTerminal in gnome-terminal (vte) before 0.32.2 allows remote
>   authenticated users to cause a denial of service (long loop and CPU
>   consumption) via an escape sequence with a large repeat count value.
> 
> 
> @gnome, may we stabilize =x11-libs/vte-0.32.2 ?

Yes, we were going to stabilize it "soon" anyway
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-26 12:54:53 UTC
Thanks, Pacho.

Arches, please test and mark stable:
=x11-libs/vte-0.32.2
Target KEYWORDS="alpha amd64 arm hppa ia64 ~mips ppc ppc64 sh sparc x86 ~x86-fbsd"
Comment 3 Tomáš "tpruzina" Pružina (amd64 [ex]AT) 2012-07-26 17:20:08 UTC
I guess this also needs stabilization of glib, does it not?
amd64: ok (tested with evilvte)
Comment 4 Pacho Ramos gentoo-dev 2012-07-26 18:25:03 UTC
(In reply to comment #3)
> I guess this also needs stabilization of glib, does it not?
> amd64: ok (tested with evilvte)

Yes, I see, in that case this will need to wait for bug 427544
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2012-09-26 11:08:55 UTC
arches are now in the CC list of bug 427544, so adding here too
Comment 6 Richard Freeman gentoo-dev 2012-09-29 11:04:27 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > I guess this also needs stabilization of glib, does it not?
> > amd64: ok (tested with evilvte)
> 
> Yes, I see, in that case this will need to wait for bug 427544

A security bug shouldn't need to wait for the stabilization of so many packages, unless they're just on the verge of happening anyway.  

Also, what about =x11-libs/vte-0.28.2-r203 - is that vulnerable (slot 0)?  The GLSA should be clear on this one way or another.
Comment 7 Sławomir Nizio 2012-09-29 17:22:53 UTC
(In reply to comment #6)
> Also, what about =x11-libs/vte-0.28.2-r203 - is that vulnerable (slot 0)? 
> The GLSA should be clear on this one way or another.

I found and tested the escape sequence today on two terminal emulators that use x11-libs/vte:0 (then found this bug report), and I noticed that this version is vulnerable.
Comment 8 Agostino Sarubbo gentoo-dev 2012-09-30 11:54:34 UTC
This is stable-blocked. It must be done at the same time as the other gnome packages.
Comment 9 Pacho Ramos gentoo-dev 2012-10-06 10:15:45 UTC
+*vte-0.28.2-r204 (06 Oct 2012)
+
+  06 Oct 2012; Pacho Ramos <pacho@gentoo.org>
+  +files/vte-0.28.2-limit-arguments.patch, +vte-0.28.2-r204.ebuild:
+  Fix CVE-2012-2738 for vte:0 also (#427802#c7 by SN (Enlik)).
+
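Review bot: the entry records +files/vte-0.28.2-limit-arguments.patch and "Fix CVE-2012-2738 for vte:0 also" but not what the patch limits or whether it is the same change upstream shipped in 0.32.2; since comment 6 asks that the GLSA be clear about slot 0, a short phrase naming the bounded value (the escape-sequence repeat count from the CVE text) and the upstream change it backports would let the GLSA reviewer verify coverage without opening the patch.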

Feel free to stabilize that one also
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-09 01:02:17 UTC
Alright, =x11-libs/vte-0.32.2 is being stabilized in bug 427544.

Arches, please test and mark stable =x11-libs/vte-0.28.2-r204
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2012-10-09 21:26:36 UTC
Stable for HPPA.
Comment 12 Andreas Schürch gentoo-dev 2012-10-10 05:28:46 UTC
x86 done.
Comment 13 Agostino Sarubbo gentoo-dev 2012-10-10 07:01:11 UTC
amd64 stable
Comment 14 Anthony Basile gentoo-dev 2012-10-10 22:33:29 UTC
=x11-libs/vte-0.28.2-r204 stable ppc ppc64
Comment 15 Markus Meier gentoo-dev 2012-10-11 11:25:40 UTC
arm stable
Comment 16 Tobias Klausmann (RETIRED) gentoo-dev 2012-10-27 13:10:41 UTC
Stable on alpha.
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2012-10-28 18:36:33 UTC
ia64/sh/sparc stable
Comment 18 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-01 23:51:07 UTC
Thanks, everyone.

Adding to existing GLSA request.
Comment 19 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-12 00:43:22 UTC
This issue was resolved and addressed in GLSA 201412-10 at http://security.gentoo.org/glsa/glsa-201412-10.xml by GLSA coordinator Sean Amoss (ackle).