On Sun, Jun 09, 2024 at 11:26:33AM -0700, Alan Coopersmith wrote:
> https://www.cve.org/CVERecord?id=CVE-2024-37535 states:
> 
> >GNOME VTE before 0.76.3 allows an attacker to cause a denial of service 
> >(memory consumption) via a window resize escape sequence, a related issue
> >to CVE-2000-0476.
> 
> https://gitlab.gnome.org/GNOME/vte/-/issues/2786 explains further:
> 
> >The ANSI escape sequence "e[4;;t" can be used to resize the terminal
> >window, where "" is the height and "" is the width. By providing a
> >large number such as 65535 for both values will lead to a local denial
> >of service, where the whole machine can be frozen.
> >
> >This same vulnerability was found in XTerm back in 2000. The CVE for
> >the vulnerability in XTerm is CVE-2000-0476
> >
> >Steps to reproduce:
> >
> >    Open gnome-terminal
> >    Execute printf "e[4;65535;65535t" in the terminal

The above command is missing its backslash.  This triggers a crash:

printf '\e[4;65535;65535t'

and so does this:

printf '\e[8;65535;65535t'

The latter is a different escape sequence that accepts the sizes in
different units.  I hope the fix covers both, but I didn't review nor
test it - I hope someone does and posts in here.

Alexander
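
An added example, not part of the original message and not the VTE fix: a Python filter for untrusted text (logs, build output, files about to be displayed) that flags or drops both resize requests named above, `CSI 4 ; height ; width t` (pixels) and `CSI 8 ; height ; width t` (character cells). The size limits, function names and sample bytes are assumptions made for this example.

```python
import re

# 7-bit CSI, numeric parameters, final byte 't': xterm's window-manipulation
# family. The 8-bit C1 form of CSI is not handled here.
CSI_T = re.compile(rb'\x1b\[([0-9;:]*)t')

# Assumed policy limits for this example, not values taken from the VTE fix.
LIMITS = {4: 8192,   # Ps=4: height;width in pixels
          8: 500}    # Ps=8: height;width in character cells
SATURATED = 10**9    # stand-in for absurdly long digit strings

def _params(raw):
    out = []
    for field in raw.split(b';'):
        head = field.split(b':')[0]          # ignore sub-parameters
        if not head:
            out.append(None)                 # empty parameter = default
            continue
        digits = head.lstrip(b'0') or b'0'
        out.append(int(digits) if len(digits) <= 9 else SATURATED)
    return out

def find_resize_requests(data):
    """Return (offset, op, height, width, oversized) per CSI 4/8 ... t."""
    hits = []
    for m in CSI_T.finditer(data):
        op, height, width = (_params(m.group(1)) + [None, None])[:3]
        if op not in LIMITS:
            continue
        oversized = any(v is not None and v > LIMITS[op]
                        for v in (height, width))
        hits.append((m.start(), op, height, width, oversized))
    return hits

def strip_resize_requests(data):
    """Remove every CSI 4/8 resize request; keep all other sequences."""
    def repl(m):
        return b'' if _params(m.group(1))[0] in LIMITS else m.group(0)
    return CSI_T.sub(repl, data)

# Constructed sample: the two sequences from the message plus benign ones.
SAMPLE = (b'build ok\n\x1b[4;65535;65535t\x1b[1;31mred\x1b[0m\n'
          b'\x1b[8;65535;65535t\x1b[8;24;80t\x1b[14t')

if __name__ == '__main__':
    for hit in find_resize_requests(SAMPLE):
        print(hit)
    print(strip_resize_requests(SAMPLE))
```

Colour sequences and other `t` operations such as `CSI 14 t` pass through untouched; only operations 4 and 8 are reported or removed.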
