Date: Fri, 15 Jun 2012 13:57:27 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Stefan Cornelius <scorneli@...hat.com>
CC: oss-security@...ts.openwall.com, Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>,
        Behdad Esfahbod <behdad@...dad.org>
Subject: Re: CVE Request -- mosh (and probably vte too): mosh
 server DoS (long loop) due improper parsing of terminal parameters in terminal
 dispatcher


On 06/15/2012 11:59 AM, Stefan Cornelius wrote:
> On 05/22/2012 07:39 PM, Kurt Seifried wrote:
>>> B) vte issue: ============= 
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673871#5
> 
>>> there is similar issue in vte too (Gnome bug private for now):
>>>  https://bugzilla.gnome.org/show_bug.cgi?id=676090
> 
>>> Cc-ed Behdad Esfahbod on this post to clarify, what are the 
>>> upstream plans regarding this report in vte and if the CVE id
>>> has been already assigned for it.
> 
>> Will wait for confirmation.
> 
> 
> Hi,
> 
> I think http://www.openwall.com/lists/oss-security/2012/05/23/6 is
> a reasonable confirmation. Additionally, upstream fixed this in
> 0.32.2: 
> http://ftp.gnome.org/pub/GNOME/sources/vte/0.32/vte-0.32.2.news
> 
> In case you agree that all requirements are fulfilled, could you
> please assign a CVE to the B) part?
> 
> Thanks in advance and kind regards,

Please use CVE-2012-2738 for this issue.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

