oss-sec mailing list archives
Re: Re: CVE Request -- mosh (and probably vte too): mosh server DoS (long loop) due improper parsing of terminal parameters in terminal dispatcher
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 22 May 2012 18:23:33 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/22/2012 01:29 PM, Keith Winstein wrote:
Hello, I am the author of Mosh, and somebody pointed me to your CVE request: http://seclists.org/oss-sec/2012/q2/370 I have not been part of this process before -- do we (the upstream) have a role here?
Yes, ideally you should include the CVE # where appropriate in ChangeLogs, NEWS files, web pages, email announcements, source code comments, etc. This will make tracking the issue easier, and allow vendors to quickly locate the vulnerable code, the code fix and so on. In a perfect world a patch file labled something like mosh-version-CVE-2012-2385.patch linked from your security web page makes life really easy especially for vendors that backport security fixes (e.g. Red Hat) rather than rebasing to a newer version (e.g. Fedora).
I don't want to butt in inappropriately, but I also don't want it to seem (by our silence) like we agree with the description in the CVE request.
Feel free to correct it =) Obviously the chances of getting an accurate description are much better if the vendor participates.
The writeup is not accurate. We're grateful for the bug report by Timo Juhani Lindfors, but to say "issue confirmed by mosh upstream" makes it sound like we confirm _this_ issue. We have written about this issue in the URL linked from the request: https://github.com/keithw/mosh/issues/271 In general, the application sending ANSI escape sequences is a trusted party. It is allowed to do things like disable the user's keyboard by sending "\e[2h", which is interpreted by xterm and Terminal.app. That's a DoS as well, but (like this one) it's not really a security vulnerability. Because ANSI escape sequences can do arbitrary things to the user's terminal, programs that allow untrusted user-to-user communication (including write(1), wall(1), and e-mail and newsgroup readers) need to filter these out. Here's my suggested text for the issue description: === Mosh versions 1.2 and earlier allow an application to cause the mosh-server to consume large amounts of CPU time with a short ANSI escape sequence. In addition, a malicious mosh-server can cause the mosh-client to consume large amounts of CPU time with a short ANSI escape sequence. This arises because there was no limit on the value of the "repeat" parameter in some ANSI escape sequences, so even large and nonsensical values would be interpreted by Mosh's terminal emulator. === This gets away from the suggestion that the problem relates to "improper parsing" or the "count of parameters" (it's about wanting a limit on the _value_ of parameters so the terminal emulator doesn't do huge amounts of work to execute a very short sequence), or to data coming from "a remote attacker."
CC'ing Steve @Mitre so he has a copy.
Best regards, Keith
- -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJPvC4FAAoJEBYNRVNeJnmTzYIP/RQU/pRNRmvZi0oWrjuDgfku pooo0iWBiaIqILvwCW1bYia3ZZuIoI3Z1gS4cfiGePyXmndnFEQtpjxNK+pj53CC rNNYX7ua72NUOI4HEMAT3oUNstxKAJBIWNV1skhr6Tlq/iFxm8rtCviQGs7DEpfr LHCQIFemqrd7qioPeKTdjA1bZK3EAZpyU3BphNOtnnb7+KjyfbdeGZv8nZQnWZW8 fpHge2z57WYSzEuArWUAsLZwroDXuvecs6UUmrxoFuU3Hj3sX2pIiw4VPmioh0Os bXBhyKAo5wjxWfd6I3QSysxbAZYzHvAkdJ/tGS22T8QNqHJhat4ZOFIxiUs+0Ulw iwsfo2sB5dAQ28k6cXM0eQJDElMsXXuLB3BzleTCSv0iw9Dw7oPt7rnN6DIsZzdl ZwF+tb6zVkL/WSAnw1k7FbAnVjpuoHZnmiXsLi4IyOcq08usevKR/oWAYVUQyj9L 7KXJVNGBnANFyHwBrA2EywzFPg+f1D8z2l6gMCnKE299wU/vup2iKT1Pg6q/edsN bToiPVey+5jRtLlUSeyaiEkD+6NXWJfE22cKp+eKlOa24u6eYnsaFRcFOBxajzQF Gf1R8kA+w6ZcXOOW7s6JFr7AaJBwQATpBhDWSLNG3cbxGaUDBYrEByWMlNk5cBSc EctFYIj5/KGUBkids1kt =rr+u -----END PGP SIGNATURE-----
Current thread:
- CVE Request -- mosh (and probably vte too): mosh server DoS (long loop) due improper parsing of terminal parameters in terminal dispatcher Jan Lieskovsky (May 22)
- Re: CVE Request -- mosh (and probably vte too): mosh server DoS (long loop) due improper parsing of terminal parameters in terminal dispatcher Kurt Seifried (May 22)
- Re: CVE Request -- mosh (and probably vte too): mosh server DoS (long loop) due improper parsing of terminal parameters in terminal dispatcher Behdad Esfahbod (May 23)
- <Possible follow-ups>
- Re: CVE Request -- mosh (and probably vte too): mosh server DoS (long loop) due improper parsing of terminal parameters in terminal dispatcher Keith Winstein (May 22)
- Re: Re: CVE Request -- mosh (and probably vte too): mosh server DoS (long loop) due improper parsing of terminal parameters in terminal dispatcher Kurt Seifried (May 22)