Bug#1037919: denial of service in vte2.91 with OSC 104

Simon McVittie smcv at debian.org
Sat Jun 17 21:46:49 BST 2023


(redirecting replies to the vte2.91 bug, this doesn't seem like something
that we need to bother the release team with)

On Sat, 17 Jun 2023 at 21:06:07 +0200, Salvatore Bonaccorso wrote:
> On Sat, Jun 17, 2023 at 03:22:21PM +0100, Simon McVittie wrote:
> > I asked the security team whether they wanted to do a DSA for
> > this and haven't heard back, so I'm assuming the answer is no.
> 
> Apologies, we have missed to reply to your question in #1037919. The
> point release approach looks indeed fine.
> 
> FWIW, do you know if upstream has requested a CVE for it?

I am not aware of any attempt to request a CVE. It's not clear to me
whether upstream consider it to be a denial-of-service security issue,
or an ordinary non-security bug (and I'm not really sure myself, tbh):
the discussion on the upstream bug says

    In this issue here there is no buffer overflow or vulnerability,
    just an indefinite hang (maybe classified as potential DoS). While
    this is a bit bad, it's a 5 year old bug and this is the first report
    of it, so I don't think it's too grave.

Please see https://gitlab.gnome.org/GNOME/vte/-/issues/2631 for any other
details or coordination that might be needed.

    smcv


