Debian Bug report logs - #673871
malicious escape sequences can cause denial of service for mosh-server

Package: mosh; Maintainer for mosh is Keith Winstein <keithw@mit.edu>; Source for mosh is src:mosh.

Reported by: Timo Juhani Lindfors <timo.lindfors@iki.fi>

Date: Mon, 21 May 2012 19:45:01 UTC

Severity: normal

Found in version mosh/1.2-1

Fixed in version mosh/1.2.1-1

Done: Keith Winstein <keithw@MIT.EDU>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Keith Winstein <keithw@mit.edu>:
Bug#673871; Package mosh. (Mon, 21 May 2012 19:45:04 GMT)

Acknowledgement sent to Timo Juhani Lindfors <timo.lindfors@iki.fi>:
New Bug report received and forwarded. Copy sent to Keith Winstein <keithw@mit.edu>. (Mon, 21 May 2012 19:45:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Timo Juhani Lindfors <timo.lindfors@iki.fi>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: malicious escape sequences can cause denial of service for mosh-server
Date: Mon, 21 May 2012 22:43:51 +0300
Package: mosh
Version: 1.2-1
Severity: important
Tags: security

I submitted details upstream at

https://github.com/keithw/mosh/issues/271

but here's also a copy:


> The commands
> 
> echo -en "\e[2147483647L"
> echo -en "\e[2147483647M"
> echo -en "\e[2147483647@"
> echo -en "\e[2147483647P"
> 
> all cause mosh-server to enter very long for-loops in terminalfunctions.cc.

Upstream has released a fix, please consider including it in the Debian
package.

Security team, this also affects gnome-terminal and probably all other
terminal emulators that use libvte. Its upstream is also working on a fix
but they made their bug report restricted for now:
https://bugzilla.gnome.org/show_bug.cgi?id=676090

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/6 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages mosh depends on:
ii  libc6           2.13-32
ii  libgcc1         1:4.7.0-8
ii  libio-pty-perl  1:1.08-1+b2
ii  libprotobuf7    2.4.1-1
ii  libstdc++6      4.7.0-8
ii  libtinfo5       5.9-7
ii  libutempter0    1.1.5-4
ii  openssh-client  1:5.9p1-5
ii  zlib1g          1:1.2.7.dfsg-1

mosh recommends no packages.

mosh suggests no packages.

-- no debconf information
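
The report above concerns loops whose iteration count comes straight from the numeric parameter of CSI `L`, `M`, `@` and `P`. The following is an added example, not mosh source and not the upstream fix: a toy screen whose handler saturates the parsed parameter and clamps it to the rows or columns that can actually be affected before looping. `Screen`, `csi_param`, `apply` and the `1 << 20` parse cap are hypothetical names and values chosen for illustration.

```cpp
// Added example, not mosh source: a toy screen whose CSI L/M/@/P handler
// clamps the repeat count before looping. All names here are hypothetical.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

struct Screen {
    int rows, cols, cur_row = 0, cur_col = 0;
    std::vector<std::string> lines;
    Screen(int r, int c) : rows(r), cols(c), lines(r, std::string(c, ' ')) {}
};

// Decimal parameter of "\x1b[<n><final>"; saturates at cap instead of
// overflowing, and a missing or zero parameter counts as 1.
int csi_param(const std::string &seq, int cap) {
    long n = 0;
    for (std::size_t i = 2; i < seq.size() && seq[i] >= '0' && seq[i] <= '9'; ++i)
        n = std::min<long>(n * 10 + (seq[i] - '0'), cap);
    return n == 0 ? 1 : static_cast<int>(n);
}

// Applies one sequence and returns the number of loop iterations performed.
long apply(Screen &s, const std::string &seq) {
    const char op = seq.empty() ? '\0' : seq.back();
    if (op != 'L' && op != 'M' && op != '@' && op != 'P') return 0;
    const bool line_op = (op == 'L' || op == 'M');
    // The bound: nothing past the bottom row or right margin can be affected,
    // so any larger count is equivalent to this limit.
    const int limit = line_op ? s.rows - s.cur_row : s.cols - s.cur_col;
    const int count = std::min(csi_param(seq, 1 << 20), limit);
    const std::string blank(s.cols, ' ');
    for (int i = 0; i < count; ++i) {
        std::string &row = s.lines[s.cur_row];  // only used by '@' and 'P'
        switch (op) {
        case 'L': s.lines.pop_back(); s.lines.insert(s.lines.begin() + s.cur_row, blank); break;
        case 'M': s.lines.erase(s.lines.begin() + s.cur_row); s.lines.push_back(blank); break;
        case '@': row.pop_back(); row.insert(row.begin() + s.cur_col, ' '); break;
        case 'P': row.erase(row.begin() + s.cur_col); row.push_back(' '); break;
        }
    }
    return count;
}

int main() {
    Screen s(24, 80);  // constructed sample: 24x80 screen, cursor on row 5
    s.cur_row = 5;
    std::printf("iterations: %ld\n", apply(s, "\x1b[2147483647L"));
    return 0;
}
```

With the clamp in place, the work per sequence is bounded by the screen dimensions regardless of the parameter value, and the resulting screen contents are the same as an unclamped loop would eventually produce.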




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#673871; Package mosh. (Mon, 21 May 2012 23:30:03 GMT)

Acknowledgement sent to Keith Winstein <keithw@mit.edu>:
Extra info received and forwarded to list. (Mon, 21 May 2012 23:30:03 GMT)

Message #10 received at submit@bugs.debian.org:

From: Keith Winstein <keithw@mit.edu>
To: Timo Juhani Lindfors <timo.lindfors@iki.fi>, 673871@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#673871: malicious escape sequences can cause denial of service for mosh-server
Date: Mon, 21 May 2012 19:26:27 -0400

Thanks, Timo, and thanks for submitting the original bug as well.

This bug allows applications and unscreened terminal input (run or
"catted" by the user) to DOS the mosh-server (also run by the user).
It also allowed the mosh-server process (invoked by the user but
resident on a remote host and not trusted by the client) to DOS the
mosh-client (run by the user).

Based on the severity, I don't think it warrants a backported patch or
emergency release.

We do intend to do a 1.2.1 release in the coming weeks that will roll
up the bugfixes we have done in the wake of 1.2, including this one.

Thanks again,
Keith

On Mon, May 21, 2012 at 3:43 PM, Timo Juhani Lindfors
<timo.lindfors@iki.fi> wrote:
> Package: mosh
> Version: 1.2-1
> Severity: important
> Tags: security
>
> I submitted details upstream at
>
> https://github.com/keithw/mosh/issues/271
>
> but here's also a copy:
>
>
>> The commands
>>
>> echo -en "\e[2147483647L"
>> echo -en "\e[2147483647M"
>> echo -en "\e[2147483647@"
>> echo -en "\e[2147483647P"
>>
>> all cause mosh-server to enter very long for-loops in terminalfunctions.cc.
>
> Upstream has released a fix, please consider including it in the Debian
> package.
>
> Security team, this also affects gnome-terminal and probably all other
> terminal emulators that use libvte. Its upstream is also working on a fix
> but they made their bug report restricted for now:
> https://bugzilla.gnome.org/show_bug.cgi?id=676090
>
> -- System Information:
> Debian Release: wheezy/sid
>  APT prefers unstable
>  APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.32-5-amd64 (SMP w/6 CPU cores)
> Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages mosh depends on:
> ii  libc6           2.13-32
> ii  libgcc1         1:4.7.0-8
> ii  libio-pty-perl  1:1.08-1+b2
> ii  libprotobuf7    2.4.1-1
> ii  libstdc++6      4.7.0-8
> ii  libtinfo5       5.9-7
> ii  libutempter0    1.1.5-4
> ii  openssh-client  1:5.9p1-5
> ii  zlib1g          1:1.2.7.dfsg-1
>
> mosh recommends no packages.
>
> mosh suggests no packages.
>
> -- no debconf information
>
>




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#673871; Package mosh. (Mon, 21 May 2012 23:30:04 GMT)

Acknowledgement sent to Keith Winstein <keithw@mit.edu>:
Extra info received and forwarded to list. (Mon, 21 May 2012 23:30:04 GMT)

Removed tag(s) security. Request was from Keith Winstein <keithw@MIT.EDU> to control@bugs.debian.org. (Wed, 23 May 2012 05:51:03 GMT)

Severity set to 'normal' from 'important'. Request was from Keith Winstein <keithw@MIT.EDU> to control@bugs.debian.org. (Wed, 23 May 2012 08:03:09 GMT)

Reply sent to Keith Winstein <keithw@MIT.EDU>:
You have taken responsibility. (Tue, 29 May 2012 02:12:03 GMT)

Notification sent to Timo Juhani Lindfors <timo.lindfors@iki.fi>:
Bug acknowledged by developer. (Tue, 29 May 2012 02:12:03 GMT)

Message #24 received at 673871-done@bugs.debian.org:

From: Keith Winstein <keithw@MIT.EDU>
To: 673871-done@bugs.debian.org
Date: Mon, 28 May 2012 22:09:17 -0400 (EDT)
Package: mosh
Version: 1.2.1-1




Bug 673871 cloned as bug 677717. Request was from Yves-Alexis Perez <corsac@debian.org> to control@bugs.debian.org. (Sat, 16 Jun 2012 12:04:49 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 15 Jul 2012 07:31:39 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 07:26:37 2014; Machine Name: buxtehude.debian.org
