Bug#629688: libvte9: malicious escape sequence causes gnome-terminal to crash (memory consumption DoS)
vladz
vladz at devzero.fr
Wed Jun 8 14:50:24 UTC 2011
Package: libvte9
Version: 1:0.24.3-2
Severity: important
When passing a huge value to the "insert-blank-characters" capability
(defined in caps.c), gnome-terminal crashes (and maybe other terminals
that depend on libvte9).
$ cat -n vte-0.24.3/src/caps.c:
[...]
418 {CSI "%d@", "insert-blank-characters", 0},
To reproduce the crash:
$ printf "\033[100000000000000000@" > /tmp/x
$ cat /tmp/x
A sub-function calls the "brk()" syscall until process memory is
entirely consumed:
$ strace -e brk -f gnome-terminal --disable-factory -x cat /tmp/x
Maybe this parameter value should be checked?
I wrote a small patch that checks this value inside the
vte_sequence_handler_multiple() function in the vte-0.24.3/src/vteseq.c
file. Let me know if you're interested.
Tested on Debian Release 6.0.1, kernel 2.6.32-5-amd64, gnome-terminal
2.30.2-1.
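The following is an added illustration of the check the report asks for, written for this page; it is not the reporter's patch and not vte code. It parses the `CSI <n> @` (insert-blank-characters) parameter the same way a strict ECMA-48 parser would, then clamps the count to the cells remaining on the row before touching memory, which is why the 10^17 payload from the report costs one row's worth of work instead of a runaway allocation. The row width, cursor position, sample row contents and the function names are all assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse "ESC [ <digits> @" into *count.
 * Returns 0 on success, -1 if the sequence is malformed,
 * -2 if the decimal parameter does not fit a long long.
 * A missing parameter defaults to 1, as ECMA-48 specifies for ICH. */
int parse_csi_ich(const char *seq, long long *count)
{
    if (seq[0] != '\033' || seq[1] != '[')
        return -1;
    const char *p = seq + 2;
    if (p[0] == '@' && p[1] == '\0') {
        *count = 1;
        return 0;
    }
    if (*p < '0' || *p > '9')          /* reject sign, empty, junk */
        return -1;
    char *end;
    errno = 0;
    long long v = strtoll(p, &end, 10);
    if (end == p || *end != '@' || end[1] != '\0')
        return -1;
    if (errno == ERANGE)               /* e.g. 99999999999999999999 */
        return -2;
    *count = v;
    return 0;
}

/* The missing bounds check: inserting blanks can never usefully push
 * more cells than remain between the cursor and the right margin, so
 * the attacker-controlled count is reduced to that room. The naive
 * handler instead grows the row by `count` cells, which for the
 * report's 10^17 is what drives brk() until memory is exhausted. */
long long clamp_ich_count(long long count, int columns, int cursor_col)
{
    long long room = (long long)columns - cursor_col;
    if (room < 0)
        room = 0;
    return count > room ? room : count;
}

/* Apply ICH to a fixed-width row: shift cells right from the cursor,
 * fill the gap with blanks, and drop whatever falls off the margin.
 * Memory use is bounded by `columns`, not by the escape parameter. */
void ich_apply(char *row, int columns, int cursor_col, long long requested)
{
    int n = (int)clamp_ich_count(requested, columns, cursor_col);
    memmove(row + cursor_col + n, row + cursor_col,
            (size_t)(columns - cursor_col - n));
    memset(row + cursor_col, ' ', (size_t)n);
}

/* Parse one sequence and apply it; returns the number of cells actually
 * inserted, or -1 if the sequence was rejected. */
long long handle_sequence(const char *seq, char *row, int columns, int cursor_col)
{
    long long count;
    if (parse_csi_ich(seq, &count) != 0)
        return -1;
    ich_apply(row, columns, cursor_col, count);
    return clamp_ich_count(count, columns, cursor_col);
}

int main(void)
{
    /* Constructed 11-column row and the payload from the report. */
    char row[11 + 1] = "hello world";
    const char *hostile = "\033[100000000000000000@";
    long long used = handle_sequence(hostile, row, 11, 0);
    printf("inserted %lld blank cells, row is now \"%s\"\n", used, row);
    return 0;
}
```

Feeding the same bytes the report writes to /tmp/x through `handle_sequence` inserts at most `columns` blanks; a parameter that overflows the integer type is rejected outright rather than wrapped. A real terminal would apply the same clamp per row and per handler, but the shape of the check is the one shown here.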