Bug#1081907: vte: CVE-2024-37535

Moritz Mühlenhoff jmm at inutil.org
Fri Sep 27 14:34:33 BST 2024


On Sun, Sep 15, 2024 at 11:03:42PM +0100, Simon McVittie wrote:
> On Sun, 15 Sep 2024 at 23:18:53 +0200, Moritz Mühlenhoff wrote:
> > The following vulnerability was published for vte. This is already addressed
> > in vte2.91, but also filing this for completeness for the deprecated source
> > package:
> > 
> > CVE-2024-37535[0]:
> > | GNOME VTE before 0.76.3 allows an attacker to cause a denial of
> > | service (memory consumption) via a window resize escape sequence, a
> > | related issue to CVE-2000-0476.
> 
> I think this is wontfix. The only reason why the GTK2-based vte is still
> in Debian at all is for the benefit of debian-installer, which hasn't
> caught up with GTK3 yet.
> 
> In principle we could remove the .deb and leave only the .udeb, but I think
> that would make it harder to test vte, so is probably not a great idea.
> 
> It would probably make sense to add vte to the list of packages that don't
> have security support.

Thanks for the notice, I missed that the only reverse dependency is
d-i, which has no real attack surface for this bug. As such, I'll mark
it as unimportant in the security tracker.

Feel free to mark the bug as wontfix or even close it, both seem fine
(there's a public reference in the Security Tracker anyway).

Cheers,
        Moritz


