Bug 676090 - malicious escape sequences can cause denial of service
Status: RESOLVED FIXED
Product: vte
Classification: Core
Component: general
Version: unspecified
Hardware: Other Linux
Importance: High major
Target Milestone: ---
Assigned To: VTE Maintainers
VTE Maintainers
[fixed-next][CVE-2012-2738]
Depends on:
Blocks:
 
 
Reported: 2012-05-15 11:26 UTC by Timo Lindfors
Modified: 2014-04-06 17:46 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
emulation: Limit integer arguments to 65535 (1.56 KB, patch)
2012-05-19 18:05 UTC, Christian Persch
committed
emulation: Limit repetitions (2.92 KB, patch)
2012-05-19 18:05 UTC, Christian Persch
committed

Description Timo Lindfors 2012-05-15 11:26:49 UTC
The commands

echo -en "\e[2147483647L"
echo -en "\e[2147483647M"
echo -en "\e[2147483647P"

all seem to cause gnome-terminal (vte) to use all available cpu time and stop responding to the user. Even File->Close Window can not be used.
Comment 1 Christian Persch 2012-05-15 11:32:20 UTC
Confirmed.
Comment 2 Behdad Esfahbod 2012-05-15 17:47:40 UTC
We should limit the numbers we parse to something reasonable.  Not sure what's reasonable.  Say, 10000 or something...
Comment 3 Timo Lindfors 2012-05-15 17:55:55 UTC
How about using the terminal size as a limit?
Comment 5 Behdad Esfahbod 2012-05-15 18:39:53 UTC
I was thinking about changing the number parsing in the generic parsing layer.  Who knows what other control sequences can be exploited the same way?  Otherwise, yes, for specific sequences we should match xterm.
Comment 6 Christian Persch 2012-05-15 19:01:21 UTC
Right, a general limiting in the parsing is a good idea too.
Comment 7 Timo Lindfors 2012-05-16 11:39:31 UTC
mosh just settled for a hard limit:

https://github.com/keithw/mosh/issues/271
Comment 8 Christian Persch 2012-05-19 18:05:30 UTC
Created attachment 214449
emulation: Limit integer arguments to 65535

To guard against malicious sequences containing excessively big numbers,
limit all parsed numbers to 16 bit range. Doing this here in the parsing
routine is a catch-all guard; this doesn't preclude enforcing
more stringent limits in the handlers themselves.
Comment 9 Christian Persch 2012-05-19 18:05:33 UTC
Created attachment 214450
emulation: Limit repetitions

Don't allow malicious sequences to cause excessive repetitions.
Comment 10 Behdad Esfahbod 2012-05-23 01:46:33 UTC
LGTM.
Comment 11 Christian Persch 2012-05-29 20:16:06 UTC
Fixed on vte-0-32 and vte-next.
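The two mitigations discussed in comments 2 to 9 (a catch-all cap on parsed numbers, plus a tighter limit in the handler), as an added example that is not the vte patches themselves. All function names here are hypothetical, and the handler limit follows the terminal-size suggestion in comment 3.

```c
#include <stddef.h>
#include <stdio.h>

#define PARAM_MAX 65535L /* 16-bit cap named in the first patch's title */

/* Parse decimal digits at s[0..len) as one CSI parameter, saturating at
 * PARAM_MAX so long digit runs can neither overflow nor yield huge counts.
 * Returns the number of bytes consumed (0 if there were no digits). */
static size_t parse_param(const char *s, size_t len, long *out)
{
    long v = 0;
    size_t i = 0;
    for (; i < len && s[i] >= '0' && s[i] <= '9'; i++)
        if (v <= PARAM_MAX)            /* stop accumulating once past the cap */
            v = v * 10 + (s[i] - '0');
    *out = v > PARAM_MAX ? PARAM_MAX : v;
    return i;
}

/* Handler-side limit (assumption, after comment 3): a line insert cannot
 * touch more rows than lie between the cursor and the bottom of the screen. */
static long clamp_repeat(long requested, long cursor_row, long rows)
{
    long room = rows - cursor_row;
    if (room < 0) room = 0;
    if (requested < 1) requested = 1;  /* assumed: absent or 0 means 1 */
    return requested > room ? room : requested;
}

/* Lines that ESC [ <n> L would insert, or -1 if seq is not of that form. */
static long insert_lines_count(const char *seq, size_t len, long cursor_row, long rows)
{
    long n;
    size_t used;
    if (len < 3 || seq[0] != '\x1b' || seq[1] != '[')
        return -1;
    used = parse_param(seq + 2, len - 2, &n);
    if (2 + used + 1 != len || seq[len - 1] != 'L')
        return -1;
    return clamp_repeat(n, cursor_row, rows);
}

int main(void)
{
    const char seq[] = "\x1b[2147483647L"; /* sequence from the bug description */
    printf("%ld\n", insert_lines_count(seq, sizeof seq - 1, 0, 24));
    return 0;
}
```

With both limits in place the loop count is bounded by the screen height regardless of how many digits the sequence carries.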